-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2017-005
CVE: CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494,
     CVE-2017-14495, CVE-2017-14496
Publication Date: 2017-Oct-11
Status: Confirmed
Revision: 2


Title
=====
Multiple Vulnerabilities in 'dnsmasq'


Overview
========
Multiple serious vulnerabilities were reported in the open-source component
"dnsmasq".  These vulnerabilities primarily represent a denial-of-service
risk, but they could also potentially be leveraged to lead to remote code
execution.


Affected Products
=================
  -- ArubaOS
  -- Aruba Instant


Unaffected Products
===================
  -- ClearPass Policy Manager
  -- AirWave
  -- ALE
  -- All Aruba cloud services including Aruba Central and Meridian
  -- IntroSpect


Details
=======
Full details of the dnsmasq vulnerabilities may be found at the following URLs:
- - - - https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg11665.html
- - - - https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

dnsmasq is used by ArubaOS to provide DNS proxy/DNS resolution for captive
portal users.  While in a pre-authenticated state, the process accepts
DNS queries from captive portal users and returns the IP address of the
mobility controller.  ArubaOS does not utilize dnsmasq for DHCP services.

dnsmasq is used by Aruba Instant to provide DHCP services as well as DNS
proxy. DNS proxy is used in branch office configurations where Instant APs
are providing both corporate VPN access as well as Internet access, and the
DNS proxy must decide whether to route DNS queries to the corporate VPN
tunnel or to the Internet. DHCP vulnerabilities in dnsmasq are related to
DHCPv6; Aruba Instant does not support DHCPv6, so Aruba Instant is not
vulnerable to CVE-2017-14493 and CVE-2017-14494.  Aruba Instant does not
support IPv6 automatic address configuration and is not vulnerable to
CVE-2017-14492.

Aruba views the primary immediate risk for both ArubaOS and InstantOS to be
denial of service - a successful attack could cause the dnsmasq process to
crash. Given sufficient time, however, it may be possible for an attacker
to develop a working remote code execution attack which would allow
arbitrary code to execute on an Aruba controller or Instant AP.  Such an
attack would need to be customized for each CPU architecture individually.

  Severity: HIGH
  CVSSv3 Overall Score: 7.3
  CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H


Resolution
==========
These vulnerabilities have been fixed in the following ArubaOS patch releases,
which are available for download immediately:
 -- 6.3.1.25
 -- 6.4.4.16
 -- 6.5.1.9
 -- 6.5.3.3
 -- 6.5.4.2
 -- 8.1.0.4

 These vulnerabilities have been fixed in the following InstantOS patch
 releases, which are available for download immediately:
  -- 4.2.4.9
  -- 4.3.1.6
  -- 6.5.3.3
  -- 6.5.4.2


Workarounds
===========
ArubaOS: Systems which do not have captive portal enabled may safely use
firewall rules to block access to UDP port 53. Aruba recommends "service ACLs"
to implement blocking rules.  Service ACLs are documented in the ArubaOS User
Guide and also in the ArubaOS Security Hardening Guide, both of which are
available for download from the Aruba support portal.

Aruba Instant: If DNS proxy features are not being used, firewall rules may
be deployed to block access to UDP port 53.


Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public.  Aruba is not
aware of any exploitation tools that specifically target Aruba products.


Revision History
================

      Revision 1 / 2017-Oct-11 / Initial release
      Revision 2 / 2017-Oct-12 / Added additional InstantOS release numbers


Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products, obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZ3tJsAAoJEJj+CcpFhYbZ/3gH/2kIcxvXvZvRv072CMfxipFp
giMioAVJhQz+1amYKmCDToFDKW5bfsgFAlGUg1v9qjMqzieJS03o3U4+WUo0PTjS
tgGiIXYnHbYgNEWcUf1PjyWsC7+4B7PT4zgYRzz+n5O3+rLCOdSZLy/t6/BiIszv
5UltGxwDoXAPmTrTovgIEfD/XL59o0HNClUWlywfZXqYjMuIHYnJRaGuamBTX+co
YkEUC0zqBKoQ+gZeyNgLYCX3ycohSlXaEq5NiDHYNWniPEotKSe73bArJIvmlLHb
biS9P7Z2ZygVht/3hr3ao+kw8fey3EnTAm/OPW7sNIagYnZ0jaYykeFkHMHQlIQ=
=+Dlx
-----END PGP SIGNATURE-----