-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2019-003
CVE: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-12126,
     CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
Publication Date: 2019-Jun-25
Status: Confirmed
Revision: 1

Title
=====
Aruba Impact for CPU Side-Channel Attacks

Overview
========
This is an update to ARUBA-PSA-2018-001
(https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt)

Since the publication of that advisory, a number of additional CPU
side-channel attacks have been demonstrated and theorized, with names
such as MDS (Microarchitectural Data Sampling), ZombieLoad, Fallout,
RIDL and Store-to-Leak Forwarding. All of these techniques share
similar traits. Aruba is not affected by these vulnerabilities. The
text of this advisory will continue to apply to future related
vulnerabilities unless Aruba issues an advisory to the contrary.

Affected Products
=================
-- None (see below for details and caveats)

Details
=======
Aruba products are based on a number of different CPU architectures,
some of which are affected by CPU side-channel vulnerabilities.
However, no Aruba product allows execution of arbitrary code by an
unauthorized user, which is an ability required to carry out any type
of side-channel attack. Achieving code execution would require the
presence of a second, unrelated vulnerability, and it is likely that
such a vulnerability would already allow compromise of the system
without the need for further exploits.

Caveats to the statement above:

Virtual Appliances: ClearPass Policy Manager, AirWave, Mobility Master,
Virtual Mobility Controller, and IntroSpect Packet Processor are all
available as virtual appliances, running as guests under a hypervisor.
If the hypervisor is vulnerable and untrusted users have access to
other guest systems running under the same hypervisor, an attacker may
be able to read memory from the Aruba virtual appliance. Contact your
virtualization vendor to determine whether updates are available.

Aruba 8320/8400: This product provides the ability for authorized
administrators to run scripts, which could be used to exploit the
vulnerability. However, an administrator with access to run scripts
already has full administrative rights and can control any aspect of
the system. Thus, the vulnerability does not contribute to any form of
information disclosure or privilege escalation.

Cloud Products: Aruba's cloud providers supporting products such as
Central, Activate, and Meridian have notified Aruba that they are in
the process of applying, or have already applied, mitigation patches
to their virtualization environments.

Resolution
==========
No immediate action is required. As part of a defense-in-depth
strategy, Aruba regularly investigates kernel patches, CPU microcode
updates, and other mitigations and may deploy these in future software
updates. However, some mitigation techniques are known to reduce system
performance significantly. Therefore, given the limited security risk,
Aruba will take the time to carefully test the impact of any mitigation
techniques on scalability before releasing updates.

Workarounds
===========
No workarounds required.

Exploitation and Public Discussion
==================================
Aruba is aware of significant public discussion of this issue. Proof
of concept code has been published. None of the published code is
applicable to Aruba products.
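The Virtual Appliances caveat above leaves the mitigation state of the hypervisor host to the operator, and the Resolution section names the relevant controls (kernel patches and CPU microcode). As an added example that is not part of this advisory and not Aruba's code, the following Python script reads the Linux kernel's per-issue status files under /sys/devices/system/cpu/vulnerabilities/ on a hypervisor host and flags which of the issues listed in this advisory are reported as unmitigated. The mapping of sysfs file names to CVEs is taken from the advisory's CVE list; the embedded sample status strings are constructed so the script also runs on a host without that directory.

```python
"""Report CPU side-channel mitigation status on a Linux hypervisor host.

Added example, not part of the Aruba advisory. The Linux kernel exposes
one file per known CPU side-channel issue under
/sys/devices/system/cpu/vulnerabilities/; each holds a short status
string such as "Not affected", "Vulnerable" or "Mitigation: ...".
"""
from pathlib import Path
from typing import Dict, List

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Issues named in the advisory, keyed by the kernel's sysfs file name.
# The CVE grouping follows the advisory's own CVE list.
ADVISORY_ISSUES = {
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
    "meltdown": "CVE-2017-5754",
    "mds": "CVE-2018-12126 / CVE-2018-12127 / CVE-2018-12130 / CVE-2019-11091",
}


def classify(status: str) -> str:
    """Map a raw sysfs status string to a coarse state."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation:"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def assess(statuses: Dict[str, str]) -> Dict[str, dict]:
    """Build a per-issue report; issues with no status file are 'missing'."""
    report = {}
    for name, cve in ADVISORY_ISSUES.items():
        raw = statuses.get(name)
        if raw is None:
            report[name] = {"cve": cve, "state": "missing",
                            "status": "", "smt_exposed": False}
            continue
        report[name] = {
            "cve": cve,
            "state": classify(raw),
            "status": raw.strip(),
            # The MDS status notes SMT separately; a "mitigated" line can
            # still say "SMT vulnerable" when sibling threads stay enabled.
            "smt_exposed": "smt vulnerable" in raw.lower(),
        }
    return report


def needs_attention(report: Dict[str, dict]) -> List[str]:
    """Names of issues an operator should follow up on, sorted."""
    return sorted(
        name for name, r in report.items()
        if r["state"] in ("vulnerable", "missing", "unknown") or r["smt_exposed"]
    )


def read_sysfs(directory: Path = SYSFS_DIR) -> Dict[str, str]:
    """Read the live status files; {} if the directory is absent
    (non-Linux host, old kernel, or a restricted container)."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}


# Constructed sample, imitating a host patched for Spectre/Meltdown but
# running a kernel and microcode without an MDS mitigation.
SAMPLE_STATUSES = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW",
    "meltdown": "Mitigation: PTI",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}

if __name__ == "__main__":
    statuses = read_sysfs()
    source = "live sysfs"
    if not statuses:
        statuses, source = SAMPLE_STATUSES, "constructed sample"
    report = assess(statuses)
    print(f"Source: {source}")
    for name, r in report.items():
        print(f"{name:11} {r['state']:12} {r['status']}  [{r['cve']}]")
    todo = needs_attention(report)
    print("Follow up on:", ", ".join(todo) if todo else "nothing")
```

Run it as root or any user on the hypervisor host (the sysfs files are world-readable); on a guest it reports only what the hypervisor chooses to expose to the virtual CPU, so it does not substitute for the vendor check the advisory recommends.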
Revision History
================
Revision 1 / 2019-Jun-24 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2019 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAl0R8EgACgkQmP4JykWF
htmBxQf/bVRsFFpbfNZ9hbqt6W1BBbz1aZm/kKKqIAZJ/RzWF2XUeNaPR8V6nl6g
iTzTcqvnNadqPZi4rOfjbKvWGR2VNtWZSuQjG0C9nUf9v5vM66KYFuypl6EfD3om
BUwpXqG0GXkvvH56dNQdqsCDbgf6rJrh2X7SBaV41lDsAy4AYCZsZDgnCpD2r08L
HkubODngq4zyVD6zR1sDU80/DPbgg6ao0vS/4kRaxnhrGUpfEYn0kbnySfTtAVPS
aczj1oVNUMUJzbfoIOre/FvRMgVPZCSyfaglRP7yIrwNePfCIHBBuNPn0qch/jY4
bKEorOkXybS53OyyvJwtRo3xIcFJaw==
=Zzsc
-----END PGP SIGNATURE-----