Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2017-005
CVE: CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496
Publication Date: 2017-Oct-11
Status: Confirmed
Revision: 2

Title
=====
Multiple Vulnerabilities in 'dnsmasq'

Overview
========
Multiple serious vulnerabilities were reported in the open-source component "dnsmasq". These vulnerabilities primarily represent a denial-of-service risk, but they could also potentially be leveraged to lead to remote code execution.

Affected Products
=================
  -- ArubaOS
  -- Aruba Instant

Unaffected Products
===================
  -- ClearPass Policy Manager
  -- AirWave
  -- ALE
  -- All Aruba cloud services including Aruba Central and Meridian
  -- IntroSpect

Details
=======
Full details of the dnsmasq vulnerabilities may be found at the following URLs:

- https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg11665.html
- https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

dnsmasq is used by ArubaOS to provide DNS proxy/DNS resolution for captive portal users. While in a pre-authenticated state, the process accepts DNS queries from captive portal users and returns the IP address of the mobility controller. ArubaOS does not utilize dnsmasq for DHCP services.

dnsmasq is used by Aruba Instant to provide DHCP services as well as DNS proxy. DNS proxy is used in branch office configurations where Instant APs are providing both corporate VPN access as well as Internet access, and the DNS proxy must decide whether to route DNS queries to the corporate VPN tunnel or to the Internet. DHCP vulnerabilities in dnsmasq are related to DHCPv6; Aruba Instant does not support DHCPv6, so Aruba Instant is not vulnerable to CVE-2017-14493 and CVE-2017-14494. Aruba Instant does not support IPv6 automatic address configuration and is not vulnerable to CVE-2017-14492.

Aruba views the primary immediate risk for both ArubaOS and InstantOS to be denial of service - a successful attack could cause the dnsmasq process to crash. Given sufficient time, however, it may be possible for an attacker to develop a working remote code execution attack which would allow arbitrary code to execute on an Aruba controller or Instant AP. Such an attack would need to be customized for each CPU architecture individually.

Severity: HIGH
CVSSv3 Overall Score: 7.3
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Resolution
==========
These vulnerabilities have been fixed in the following ArubaOS patch releases, which are available for download immediately:

  -- 6.3.1.25
  -- 6.4.4.16
  -- 6.5.1.9
  -- 6.5.3.3
  -- 6.5.4.2
  -- 8.1.0.4

These vulnerabilities have been fixed in the following InstantOS patch releases, which are available for download immediately:

  -- 4.2.4.9
  -- 4.3.1.6
  -- 6.5.3.3
  -- 6.5.4.2

Workarounds
===========
ArubaOS: Systems which do not have captive portal enabled may safely use firewall rules to block access to UDP port 53. Aruba recommends "service ACLs" to implement blocking rules. Service ACLs are documented in the ArubaOS User Guide and also in the ArubaOS Security Hardening Guide, both of which are available for download from the Aruba support portal.

Aruba Instant: If DNS proxy features are not being used, firewall rules may be deployed to block access to UDP port 53.

Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public. Aruba is not aware of any exploitation tools that specifically target Aruba products.

Revision History
================
Revision 1 / 2017-Oct-11 / Initial release
Revision 2 / 2017-Oct-12 / Added additional InstantOS release numbers

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.
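Added example (not part of the Aruba advisory and not Aruba code): a small triage helper that checks inventory entries against the fixed patch releases listed under "Resolution". The hostnames, the build suffix and the assumption that versions are reported as four dotted numbers are constructed for illustration; a release train the advisory does not name is reported as "unlisted" rather than guessed at.

```python
import re

# First fixed patch number per release train, copied from the advisory's
# "Resolution" section. Train = first three fields of the version string.
FIXED = {
    "ArubaOS": {"6.3.1": 25, "6.4.4": 16, "6.5.1": 9,
                "6.5.3": 3, "6.5.4": 2, "8.1.0": 4},
    "InstantOS": {"4.2.4": 9, "4.3.1": 6, "6.5.3": 3, "6.5.4": 2},
}

# Assumption: versions look like "6.4.4.15", optionally followed by a
# build suffix such as "_61733" that is ignored for the comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\D.*)?$")


def triage(product, version):
    """Classify one device as 'fixed', 'needs-upgrade' or 'unlisted'."""
    if product not in FIXED:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    match = VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, maint, patch = (int(field) for field in match.groups())
    first_fixed = FIXED[product].get(f"{major}.{minor}.{maint}")
    if first_fixed is None:
        # The advisory names no fixed release for this train.
        return "unlisted"
    return "fixed" if patch >= first_fixed else "needs-upgrade"


def triage_inventory(rows):
    """Map (hostname, product, version) rows to {hostname: status}."""
    return {host: triage(product, version) for host, product, version in rows}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("mc-hq-01", "ArubaOS", "6.4.4.15"),
    ("mc-hq-02", "ArubaOS", "6.5.4.2"),
    ("iap-branch-07", "InstantOS", "4.2.4.8"),
    ("iap-branch-09", "InstantOS", "6.5.3.3_61733"),
    ("mc-lab-01", "ArubaOS", "6.4.3.10"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "needs-upgrade" or "unlisted" are the ones to consider for the UDP port 53 workaround described above until an upgrade is scheduled.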