-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2018-006
CVE: CVE-2018-7080
Publication Date: 2018-Oct-31
Status: Confirmed
Revision: 2

Title
=====
Aruba BLE Radio Firmware Vulnerability

Overview
========
A vulnerability exists in the firmware of the embedded BLE radios that are part of some Aruba access points. An attacker who is able to exploit the vulnerability could install new, potentially malicious firmware into the AP's BLE radio and could then gain access to the AP's console port.

Aruba products are NOT affected by a similar vulnerability being tracked as CVE-2018-16986.

Affected Products
=================
- AP-3xx and IAP-3xx series access points
- AP-203R
- AP-203RP
- ArubaOS 6.4.4.x prior to 6.4.4.20
- ArubaOS 6.5.3.x prior to 6.5.3.9
- ArubaOS 6.5.4.x prior to 6.5.4.9
- ArubaOS 8.x prior to 8.2.2.2
- ArubaOS 8.3.x prior to 8.3.0.4

The AP-207 is not affected, as it contains a different BLE implementation. Other Aruba AP models not listed here do not contain a BLE radio and are not affected.

Details
=======
This vulnerability is applicable only if the BLE radio has been enabled in an affected access point. The BLE radio is disabled by default.

The BLE radio used in the affected APs contains functionality that allows over-the-air firmware updates. Access to this functionality is protected by a password. Unfortunately, it was discovered that this password can be recovered by an attacker with access to an ArubaOS software image (e.g. downloaded from the Aruba website) or with access to the AP hardware. With the password, an attacker within BLE range can push malicious firmware updates to the BLE radio wirelessly.

There are two consequences of malicious firmware running in the BLE radio:

- Features which use the BLE radio for wayfinding or management of BLE beacons could be disrupted.
  Wayfinding applications could show erroneous position information and administrators could lose the ability to manage BLE beacons.
- The BLE radio provides an optional feature called BluConsole, which permits access to the AP serial console over BLE. Although this feature is enabled or disabled from within ArubaOS by the AP CPU, the AP CPU merely sends an enable/disable message to the BLE radio; actual enforcement is performed by the BLE radio itself. Malicious BLE firmware would therefore have direct access to the AP's serial console regardless of the ArubaOS setting. This could allow an attacker to modify settings in the AP's boot ROM, resulting in a potential denial of service.

Note: Console access to a running ArubaOS AP software image is password-protected, unless password protection has been explicitly disabled by the administrator. Serial console access would thus provide access only to the boot ROM configuration, not to an AP that has already booted and is running ArubaOS. Gaining access to the boot ROM configuration would require rebooting the access point, typically necessitating physical access to the AP or passively waiting for an AP reboot to occur.

Severity: HIGH
CVSSv3 Overall Score: 7.1
CVSS Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Resolution
==========
Upgrade to one of the following software releases. Note that at the time of initial publication, only ArubaOS 6.5.4.9 had been released. Aruba typically prefers to issue security advisories only after updates are made available for all supported branches. Unfortunately, Aruba became aware that news of this vulnerability had been prematurely leaked by one of the other parties involved, which necessitated early disclosure.
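As an added check that is not part of Aruba's advisory, the following Python classifies an access point's exposure to CVE-2018-7080 from its model, its running ArubaOS release and whether the BLE radio is enabled, using only the version ranges from Affected Products above and the fixed releases listed under Resolution. Two points the prose leaves implicit are made explicit in code: the 8.3.x branch has to be matched before the generic "8.x prior to 8.2.2.2" rule, and a release whose branch the advisory never mentions (for example 6.5.1.x) must be reported as unknown rather than as safe. The version-string normalisation (an "ArubaOS" prefix, a "_build" suffix, a two-letter regulatory-domain suffix on the model name) and the sample inventory are assumptions and constructed data, not taken from the advisory.

```python
"""Added example, not part of Aruba's advisory: classify an AP's exposure to
CVE-2018-7080 from its model, running ArubaOS release and BLE radio state,
using only the version ranges and fixed releases the advisory gives."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (branch prefix, first fixed release) from the Affected Products and Resolution
# sections.  Order matters: 8.3.x must match before the generic "8.x prior to
# 8.2.2.2" rule, otherwise 8.3.0.3 would wrongly be judged fixed.
FIXED_RELEASES = [
    ((6, 4, 4), (6, 4, 4, 20)),
    ((6, 5, 3), (6, 5, 3, 9)),
    ((6, 5, 4), (6, 5, 4, 9)),
    ((8, 3),    (8, 3, 0, 4)),
    ((8,),      (8, 2, 2, 2)),
]


def parse_version(text: str) -> Version:
    """'ArubaOS 6.5.4.8' or '6.5.4.8_65768' -> (6, 5, 4, 8).
    Dropping a '_build' suffix is an assumption about pasted 'show version' output."""
    s = re.sub(r"(?i)^arubaos\s*", "", text.strip()).split("_")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"unparseable ArubaOS version: {text!r}")
    return tuple(int(p) for p in s.split("."))


def fixed_release_for(version: Version) -> Optional[Version]:
    """First fixed release of the branch 'version' belongs to, or None when the
    advisory names no range for that branch (e.g. 6.5.1.x)."""
    for prefix, fixed in FIXED_RELEASES:
        if version[:len(prefix)] == prefix:
            return fixed
    return None


def model_has_affected_radio(model: str) -> bool:
    """AP-3xx/IAP-3xx, AP-203R and AP-203RP carry the affected BLE radio.  AP-207
    uses a different BLE implementation and other models have no BLE radio, so
    both fall through to False.  Tolerating a two-letter regulatory-domain suffix
    (e.g. AP-305-US) is an assumption about inventory naming."""
    m = model.upper().replace(" ", "")
    if m in ("AP-203R", "AP-203RP"):
        return True
    return re.fullmatch(r"I?AP-3\d\d[A-Z]*(-[A-Z]{2})?", m) is not None


def assess(model: str, version: str, ble_enabled: bool) -> Tuple[str, Optional[str]]:
    """Return (verdict, first fixed release for the branch or None).

    NOT_AFFECTED  no affected BLE radio, or already on a fixed release
    VULNERABLE    affected radio, affected release, BLE radio enabled
    LATENT        affected release but BLE disabled (the default): not exploitable
                  until BLE is enabled, so upgrade before enabling it
    UNKNOWN       release branch not covered by the advisory; confirm with the vendor
    """
    if not model_has_affected_radio(model):
        return "NOT_AFFECTED", None
    running = parse_version(version)
    fixed = fixed_release_for(running)
    if fixed is None:
        return "UNKNOWN", None
    fixed_str = ".".join(map(str, fixed))
    if running >= fixed:
        return "NOT_AFFECTED", fixed_str
    return ("VULNERABLE" if ble_enabled else "LATENT"), fixed_str


if __name__ == "__main__":
    # Constructed sample inventory: (model, version as pasted, BLE enabled?).
    inventory = [
        ("AP-305", "ArubaOS 6.5.4.8_65768", True),
        ("IAP-325", "6.5.4.9", True),
        ("AP-203RP", "8.3.0.3", False),
        ("AP-315", "8.1.0.5", True),
        ("AP-207", "6.5.4.8", True),
        ("AP-345", "6.5.1.9", True),
    ]
    for model, version, ble in inventory:
        verdict, fixed = assess(model, version, ble)
        note = f" (fixed in {fixed})" if fixed and verdict != "NOT_AFFECTED" else ""
        print(f"{model:9} {version:22} BLE={'on ' if ble else 'off'} -> {verdict}{note}")
```

A LATENT result is the default state for most deployments, since the BLE radio is disabled unless an administrator turned it on; it still warrants scheduling the upgrade, because enabling BLE later on an unpatched release turns it into VULNERABLE without any further change.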
This vulnerability is resolved in the following software releases:

- ArubaOS 6.4.4.20
- ArubaOS 6.5.3.9
- ArubaOS 6.5.4.9
- ArubaOS 8.2.2.2
- ArubaOS 8.3.0.4

After installing updated software, over-the-air firmware updates for the BLE radio will only be possible after the following ArubaOS CLI command has been issued:

  ap ble-init-action ap-name ota-fw-upgrade enable

If this CLI command has not been issued, over-the-air firmware updates remain disabled.

Workarounds
===========
Disabling the BLE radio will mitigate the vulnerability. In ArubaOS, this is done through the AP system-profile:

  # conf t
  (config) # ap system-profile
  (AP system profile "default") # ble-op-mode disabled

In Aruba Instant, use the following command:

  # ble mode disabled

Exploitation and Public Discussion
==================================
Aruba is aware of limited distribution of this information at the time of publication. Information was originally scheduled to become public on November 1, 2018, so it is expected that the issue will become much more widely known on or potentially before that date.

Discovery
=========
This vulnerability was discovered and reported by Armis.

Revision History
================
Revision 1 / 2018-Oct-18 / Initial release
Revision 2 / 2018-Oct-31 / Updated to include AP-203R/203RP

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at:

  http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

  http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2018 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAlvZ1ygACgkQmP4JykWF
htlYkQf/T7Uz3Ep99VknAhelbo+ZvKyo8WXSoUQ3/4yT4h6vTLdzVzctb7yZZ3jh
ubifIJN0VZQ6gyJcVCVUN5+NO7qGL5fGfWb9NjGIbyByXJQ0TxnfXLjJSEMjQND9
+AG/GWVhFOxDBnzD8s8uaVEQ+K1n+HbcaMDybaYbt8zTNKckjr9+Dl/JmZAbEd1R
aDfZiQTqNIe8arER1qG/w1RkJKOmYUhgNYTVCuGc2Lkxe7mzhQQxSTqpZTDnISNc
YQcKVMD3Hmuq9fB9PeTb8idycLHOEAoGU8i7DWsOnXLwOMRUCCY/IiiQ7mWCGET7
5/nmOEOrCM/oINGJ5zSYeA2eijjX1w==
=+0Zh
-----END PGP SIGNATURE-----