-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2017-006
CVE: CVE-2017-9000, CVE-2017-9003
Publication Date: 2017-Oct-11
Status: Confirmed
Revision: 4

Title
=====
ArubaOS Multiple Vulnerabilities

Overview
========
Multiple flaws are present in ArubaOS that may permit an unauthenticated user to access files, corrupt memory, and potentially execute remote code. Software updates are available to address these vulnerabilities.

Affected Products
=================
-- ArubaOS (all versions prior to 6.3.1.25)
-- ArubaOS 6.4 prior to 6.4.4.16
-- ArubaOS 6.5.x prior to 6.5.1.9
-- ArubaOS 6.5.2
-- ArubaOS 6.5.3 prior to 6.5.3.3
-- ArubaOS 6.5.4 prior to 6.5.4.2
-- ArubaOS 8.x prior to 8.1.0.4

FIPS and non-FIPS versions of software are both affected equally.

Details
=======

Unauthenticated Arbitrary File Access (CVE-2017-9000)
-----------------------------------------------------
An unauthenticated user with network access to an Aruba mobility controller on TCP port 8080 or 8081 may be able to access arbitrary files stored on the mobility controller. Ports 8080 and 8081 are used for captive portal functionality and are listening, by default, on all IP interfaces of the mobility controller, including captive portal interfaces. The attacker could access files which could contain passwords, keys, and other sensitive information that could lead to full system compromise.

Severity: High
CVSSv3 Overall Score: 7.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Discovery: Aruba thanks independent security researcher @mongobug for discovering this vulnerability and reporting it through the BugCrowd managed bug bounty program.

Unauthenticated Memory Corruption and Remote Code Execution (CVE-2017-9003)
---------------------------------------------------------------------------
Multiple memory corruption flaws are present in ArubaOS which could allow an unauthenticated user to crash ArubaOS processes. With sufficient time and effort, it is possible these vulnerabilities could lead to the ability to execute arbitrary code - remote code execution has not yet been confirmed.

Severity: High
CVSSv3 Overall Score: 7.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Discovery: Aruba thanks independent security researcher @mongobug for discovering this vulnerability and reporting it through the BugCrowd managed bug bounty program.

Authenticated SQL Injection
---------------------------
A SQL injection flaw exists in ArubaOS which could allow an authenticated administrative user with access to the management interface the ability to read and write arbitrary data to internal databases. This could allow a malicious insider to read unauthorized data, or to alter data without detection. The data exposed does not include credential information.

Severity: Low
CVSSv3 Overall Score: 3.3
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Discovery: Aruba thanks independent security researcher @mongobug for discovering this vulnerability and reporting it through the BugCrowd managed bug bounty program.

Resolution
==========
These vulnerabilities have been fixed in the following ArubaOS patch releases, which are available for download immediately:

-- 6.3.1.25
-- 6.4.4.16
-- 6.5.1.9
-- 6.5.3.3
-- 6.5.4.2
-- 8.1.0.4

Workarounds
===========
Restricting access to TCP ports 8080 and 8081 will temporarily mitigate CVE-2017-9000. The ArubaOS Hardening Guide (available from http://support.arubanetworks.com under Documentation) explains how to configure firewall rules to restrict access to ports.

Note that if captive portal is in use, ports 8080 and 8081 are required; captive portal will not function if these ports are blocked.

CVE-2017-9003 is accessible through ports 443 and 4343. Restricting access to these ports will effectively mitigate the vulnerability.

Exploitation and Public Discussion
==================================
Aruba is not aware of public discussion or active exploitation of these vulnerabilities.

Revision History
================
Revision 1 / 2017-Oct-11 / Initial release
Revision 2 / 2017-Oct-12 / Updated affected versions to add 6.5.2
Revision 3 / 2017-Oct-12 / "prior to 8.1.0.3" -> "prior to 8.1.0.4"
Revision 4 / 2017-Nov-28 / "6.5.1 prior to 6.5.1.9" -> "6.5.x prior to 6.5.1.9"

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public key can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2017 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJaHXYbAAoJEJj+CcpFhYbZIykIALLceIgaSMcLONafPcXlSTuY
a/rIc9PXkFv6Y3EXpEbvOv758lF7TgXpCZ5M3VHXXwYUFTyErYhtALsqMIWSPiJc
H7SOlneJc3Q3gni5prRzI9xq6oBzEV9yQq37RA5G4kV0PSOM7S5QiCI45jpc7t1r
aHNufZTWmIhP0gscc/jBHd9AspW2gd1sw2AeBSpXine3LXXSHtI5FYZPudN6oe9T
ZHi+DaZCP4qUyKBbgDQ/0fyijdzrnVWnbRWBcvQjwt1wYnK2Pav6ToQGBLzeolCI
taxruA+gZzNPABOb5iaqVuvHVhWXan7O61Hb3icJ95qCJCbqu9GNUSTkZcAPRnc=
=IixJ
-----END PGP SIGNATURE-----
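The version ranges in the Affected Products and Resolution sections above are easy to misread when triaging a controller inventory: 6.5.2 is affected with no patch release listed, 6.5.0.x falls under "6.5.x prior to 6.5.1.9", and 6.3.1.25 is the floor for every older train. The following Python script is an added example, not part of the advisory and not an Aruba tool. It transcribes the advisory's ranges into a rule table and reports, for a given version string, whether that version is inside an affected range and which patch release the advisory names for its train; the version strings in the main block are constructed samples.

```python
"""Check ArubaOS version strings against ARUBA-PSA-2017-006 (added example)."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn 'a.b.c.d' into a 4-tuple of ints, padding missing trailing fields
    with 0, so that plain tuple comparison gives the ordering the advisory uses."""
    fields = text.strip().split(".")
    if not 1 <= len(fields) <= 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"not an ArubaOS-style version: {text!r}")
    nums = [int(f) for f in fields] + [0] * (4 - len(fields))
    return (nums[0], nums[1], nums[2], nums[3])


# Transcribed from the Affected Products / Resolution sections of the advisory.
# Each rule: (train label, version prefix the rule applies to,
#             first fixed release in that train, or None when none is listed).
# Rules are evaluated in order; the empty prefix matches every version.
RULES: List[Tuple[str, Tuple[int, ...], Optional[str]]] = [
    ("all versions prior to 6.3.1.25", (),        "6.3.1.25"),
    ("6.4",                            (6, 4),    "6.4.4.16"),
    ("6.5.x prior to 6.5.1.9",         (6, 5),    "6.5.1.9"),
    ("6.5.2",                          (6, 5, 2), None),      # no fix listed
    ("6.5.3",                          (6, 5, 3), "6.5.3.3"),
    ("6.5.4",                          (6, 5, 4), "6.5.4.2"),
    ("8.x",                            (8,),      "8.1.0.4"),
]


def assess(version: str) -> dict:
    """Return {'version', 'affected', 'train', 'fix'} for one version string.

    A version is affected when it matches a rule's prefix and is either below
    that rule's fixed release or the rule lists no fix at all (6.5.2).  A version
    that matches a train but is at or past the fix is reported as not affected,
    with the train noted; versions in no listed train (e.g. 6.5.5, 8.2) are
    reported as not affected with train=None, meaning 'not listed' rather than
    'verified safe'."""
    v = parse_version(version)
    seen_train: Optional[str] = None
    for label, prefix, fix in RULES:
        if v[: len(prefix)] != prefix:
            continue
        if fix is None or v < parse_version(fix):
            return {"version": version, "affected": True, "train": label, "fix": fix}
        seen_train = label  # in this train, but at or beyond the fixed release
    return {"version": version, "affected": False, "train": seen_train, "fix": None}


if __name__ == "__main__":
    # Constructed sample inventory, not real controller data.
    for sample in ["6.2.1.0", "6.3.1.25", "6.4.4.15", "6.5.0.4",
                   "6.5.2.0", "6.5.3.3", "6.5.4.1", "8.0.1.0", "8.1.0.4"]:
        r = assess(sample)
        status = "AFFECTED" if r["affected"] else "not affected"
        fix = f" -> upgrade to {r['fix']}" if r["fix"] else ""
        print(f"{sample:10} {status:13} train={r['train']}{fix}")
```

The 6.5.2 row has `None` as its fix on purpose: the advisory lists 6.5.2 as affected but names no 6.5.2.x patch release, so a checker that only compares against the Resolution list would silently miss it. Treat a `train=None` result as "not covered by this advisory", not as a clean bill of health.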