Aruba products contain compromised HTTPS certificate

Customers with equipment from networking kit vendor Aruba are advised to urgently generate or buy digital certificates for their gear after researchers found the factory-default credentials in the firmware are compromised.

SEC Consult researcher Stefan Viehböck said Aruba had put a web browser-trusted secure sockets layer (SSL) certificate, including its private digital key, into the firmware of several products to authenticate the securelogin.arubanetworks.com management portal.

He warned that the certificate and key can be extracted from the firmware on many Aruba products, allowing an attacker to impersonate a captive portal, web administration or wi-fi access point and intercept and access sensitive data.

Aruba has been aware of the flaw for the past few years.

"...  If you are relying on the factory-default certificate to protect HTTPS communication with an Aruba product, this certificate is providing you with very little security because with the private key, an attacker can conduct a man-in-the-middle attack without you knowing it," Aruba security staffer Jon Green wrote mid last-year.

He said Aruba had put the digital certificate and private key in the firmware for convenience, assuming customers who care about security would update the credentials.

But he admitted that approach may not have worked.

"I now think we're doing a disservice to customers by giving them too much rope with which to hang themselves," Green said.

Aruba intends to remove the securelogin.arubanetworks.com portal and replace it with a self-generated self-signed certificate, he said.

Alcatel-Lucent Omniaccess products also contain the vulnerability given Aruba is the original equipment manufacturer, SEC Consult said.

Cert reuse situation getting worse, not better

SEC Consult last year started working on the widespread issue of internet-connected devices such as routers and gateways being shipped with reused digital credentials in their firmware.

At the time the security vendor found around 3.2 million internet-connected devices shared 580 private keys in around 150 server certificates. This included over 26,000 internet-facing Cisco devices on Telstra's network, on which the secure shell remote login interface had been left exposed.

Despite efforts to create awareness around the issue since last November last, the number of vulnerable devices connected to the internet has increased sharply, SEC Consult has found.

Viehböck said in less than a year, the number of devices using known private keys for HTTPS/SSL server certificates had jumped by 40 percent, meaning there are now 4.5 million vulnerable devices on the internet.

SEC Consult attributed the sharp rise to a lack of patches for security vulnerabilities in legacy and end of life equipment, as well as customers not updating their devices when fixes are available.

It also blamed insufficient firewalling of devices' internet-facing ports by users and providers.

The security vendor has released 331 certificates with matching private keys, as well as a further 553 individual private keys on the open source repository Github.

Names of the products containing the keys were also released in the hope that security researchers can use the data to discover more crypto credentials reuse and address the vulnerabilities.

"Releasing the private keys is not something we take lightly as it allows global adversaries to exploit this vulnerability class on a large scale. However we think that any determined attacker can repeat our research and get the private keys from publicly available firmware with ease," the company said.