Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2019-001
CVE: CVE-2018-7064, CVE-2018-7082, CVE-2018-7083, CVE-2018-7084, CVE-2018-16417
Publication Date: 2019-Feb-27
Status: Confirmed
Revision: 1

Title
=====
Aruba Instant Multiple Vulnerabilities

Overview
========
Aruba has released updates to Aruba Instant (IAP) that address multiple
serious vulnerabilities. The most significant vulnerability is rated
CRITICAL with a CVSS score of 9.8.

Affected Products
=================
- Aruba Instant 4.x prior to 6.4.4.8-4.2.4.12
- Aruba Instant 6.5.x prior to 6.5.4.11
- Aruba Instant 8.3.x prior to 8.3.0.6
- Aruba Instant 8.4.x prior to 8.4.0.1

Details
=======

Unauthenticated command execution (CVE-2018-7084)
-------------------------------------------------
A command injection vulnerability is present that permits an
unauthenticated user with access to the Aruba Instant web interface to
execute arbitrary system commands within the underlying operating system.
An attacker could use this ability to copy files, read configuration,
write files, delete files, or reboot the device.

Internal reference: 182945
Severity: CRITICAL
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Workaround: Block access to the Aruba Instant web interface from all
untrusted users.

Discovery: This vulnerability was discovered and reported by Nick Starke
of Aruba Threat Labs.

Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.1

Unauthenticated information disclosure (CVE-2018-16417)
-------------------------------------------------------
A vulnerability is present which allows an unauthenticated user to
retrieve recently cached configuration commands. By sending a crafted URL
to the Aruba Instant web interface, an attacker can view configuration
commands that have been recently issued by an administrator.
This information could include sensitive parameters such as keys or
passwords.

Internal reference: 187251
Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Workaround: Block access to the Aruba Instant web interface from all
untrusted users.

Discovery: This vulnerability was discovered and reported by Mina Mohsen
Edwar from Verizon.

Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0

Core dumps are publicly accessible (CVE-2018-7083)
--------------------------------------------------
If a process running within Aruba Instant crashes, it may leave behind a
"core dump", which contains the memory contents of the process at the
time it crashed. It was discovered that core dumps are stored in a way
that unauthenticated users can access them through the Aruba Instant web
interface. Core dumps could contain sensitive information such as keys
and passwords.

Internal reference: 182949
Severity: HIGH
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Workaround: Block access to the Aruba Instant web interface from all
untrusted users.

Discovery: This vulnerability was discovered and reported by Nick Starke
of Aruba Threat Labs. It was also independently discovered and reported
by Mina Mohsen Edwar from Verizon.

Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0

Authenticated command injection (CVE-2018-7082)
-----------------------------------------------
A command injection vulnerability is present in Aruba Instant that
permits an authenticated administrative user to execute arbitrary
commands on the underlying operating system. A malicious administrator
could use this ability to install backdoors or change system
configuration in a way that would not be logged.

Internal reference: 182947
Severity: HIGH
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Workaround: None

Discovery: This vulnerability was discovered and reported by Nick Starke
of Aruba Threat Labs.

Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0

Reflected Cross-Site Scripting (CVE-2018-7064)
----------------------------------------------
A reflected cross-site scripting (XSS) vulnerability is present in an
unauthenticated Aruba Instant web interface. An attacker could use this
vulnerability to trick an IAP administrator into clicking a link which
could then take administrative actions on the Instant cluster, or expose
the session cookie for an administrative session.

Internal reference: 176775
Severity: MEDIUM
CVSSv3 Overall Score: 6.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

Workaround: Administrators should make sure they log out of the Aruba
Instant UI when not actively managing the system, and should use caution
clicking links from external sources while logged into the IAP
administrative interface.

Discovery: This vulnerability was discovered and reported by Alessio
Santoru of Horizon Security and reported through the Bugcrowd managed bug
bounty program. It was also independently discovered and reported by
Phil Purviance (@superevr).

Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.0

Resolution
==========
All reported vulnerabilities are fixed in the following Aruba Instant
software releases:

- Aruba Instant 6.4.4.8-4.2.4.12
- Aruba Instant 6.5.4.11
- Aruba Instant 8.3.0.6
- Aruba Instant 8.4.0.1

Revision History
================
Revision 1 / 2019-Feb-27 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2019 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.
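
The per-CVE "Resolution" lines above give 8.4.0.1 as the fix for CVE-2018-7084 but 8.4.0.0 for the other four, so a device's exposure depends on its exact release. The Python triage helper below is an added example, not part of Aruba's advisory; the function names, and the rule that the text after a hyphen is the Instant version, are assumptions made for illustration.

```python
import re

# Fixed release per train, copied from the advisory's per-CVE "Resolution" lines.
_COMMON = {"4": "4.2.4.12", "6.5": "6.5.4.11", "8.3": "8.3.0.6", "8.4": "8.4.0.0"}
FIXED_IN = {
    "CVE-2018-7084": {**_COMMON, "8.4": "8.4.0.1"},  # only CVE fixed later on 8.4.x
    "CVE-2018-16417": _COMMON,
    "CVE-2018-7083": _COMMON,
    "CVE-2018-7082": _COMMON,
    "CVE-2018-7064": _COMMON,
}


def parse_version(text):
    """Return the Instant version as a tuple of four ints.

    Assumption: in a hyphenated string such as "6.4.4.8-4.2.4.12" the part
    after the hyphen is the Instant version, as the advisory pairs them.
    Anything after the four dotted numbers is ignored.
    """
    match = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip().rsplit("-", 1)[-1])
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def train_of(version):
    """Map a version tuple to one of the advisory's release trains, or None."""
    if version[0] == 4:
        return "4"
    key = f"{version[0]}.{version[1]}"
    return key if key in _COMMON else None


def unpatched_cves(text):
    """List this advisory's CVEs that are not yet fixed in the given release.

    Returns None when the release train is not one the advisory covers.
    """
    version = parse_version(text)
    train = train_of(version)
    if train is None:
        return None
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if version < parse_version(fixed[train]))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real devices.
    for sample in ("6.4.4.8-4.2.4.9", "8.4.0.0", "8.4.0.1", "8.5.0.0"):
        print(sample, "->", unpatched_cves(sample))
```

A `None` result means the advisory makes no statement about that train, which is not the same as the release being unaffected.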