Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2020-006
CVE: CVE-2020-11896, CVE-2020-11897, CVE-2020-11898, CVE-2020-11899,
     CVE-2020-11900, CVE-2020-11901, CVE-2020-11902, CVE-2020-11903,
     CVE-2020-11904, CVE-2020-11905, CVE-2020-11906, CVE-2020-11907,
     CVE-2020-11908, CVE-2020-11909, CVE-2020-11910, CVE-2020-11911,
     CVE-2020-11912, CVE-2020-11913, CVE-2020-11914
Publication Date: 2020-Jun-23
Status: Confirmed
Revision: 4

Title
=====
"Ripple20" Multiple Vulnerabilities affecting the Treck TCP/IP stack

Overview
========
A collection of vulnerabilities known as "Ripple20" affect the Treck
TCP/IP stack implementation. Successful exploitation of these
vulnerabilities could result in denial of service, information
disclosure or remote code execution.

This is a preliminary advisory based on initial investigation; it will
be updated as new information becomes known. Aruba has not yet
performed a complete analysis of impact; CVSS scores listed below
represent the worst case scenario and actual severity may be less than
reported here.

Affected Products
=================
Some of these vulnerabilities affect the following L2/L3 switches
produced under the Aruba or HP ProCurve brand names. These switches run
the ArubaOS-Switch software or its previous name, HP ProVision
Operating System. Any switches running ArubaOS-CX or Comware are not
affected.

- Aruba 5400R zl2 Switch Series
  - Prior to KB.16.08.0014, KB.16.09.0012, KB16.10.009
- Aruba 3810M Switch Series
  - Prior to KB.16.08.0014, KB.16.09.0012, KB16.10.009
- Aruba 2930M Switch Series
  - Prior to WC.16.08.0014, WC.16.09.0012, WC16.10.009
- Aruba 2930F Switch Series
  - Prior to WC.16.08.0014, WC.16.09.0012, WC16.10.009
- Aruba 2920 Switch Series
  - Prior to WB.16.08.0014, WB.16.09.0012, WB.16.10.0009
- Aruba 2540 Switch Series
  - Prior to YC.16.08.0014, YC.16.09.0012, YC.16.10.0009
- Aruba 2530 Switch Series
  - Prior to YA.16.08.0014, YA.16.09.0012, YA.16.10.0009 /
    YB.16.08.0014, YB.16.09.0012, YB.16.10.0009
- Aruba 2530YA prior to YA.16.08.0014, YA.16.09.0012, YA.16.10.0009
- Aruba 2530YB prior to YB.16.08.0014, YB.16.09.0012, YB.16.10.0009
- Aruba 5400 zl Switch Series K.16.02.0030 and earlier
- Aruba 3800 Switch Series KA.16.02.0028 and earlier
- Aruba 2915 Switch Series A.15.16.0021 and earlier
- Aruba 2620 Switch Series RA.16.02.0028 and earlier
- Aruba 2615 Switch Series A.15.16.0021 and earlier
- HPE 8200 zl Switch Series K.15.18.0021 and earlier
- HPE 6600 Switch Series K.15.18.0021 and earlier
- HPE 6200 yl Switch Series K.15.18.0021 and earlier
- HPE 3500 and 3500 yl Switch Series K.16.02.0030 and earlier

Each CVE description within the Details section will specify whether
the products are affected or not by the corresponding vulnerability.

Other Aruba products not listed above are not affected by any of these
vulnerabilities.

Details
=======

Improper handling of length parameter inconsistency (CVE-2020-11896)
--------------------------------------------------------------------------
This vulnerability could cause the device to reboot.

Severity: High
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Vulnerable: Yes

Improper handling of length parameter inconsistency (CVE-2020-11897)
--------------------------------------------------------------------------
Vulnerable: No

Improper handling of length parameter in IPv4/ICMPv4 (CVE-2020-11898)
--------------------------------------------------------------------------
This vulnerability could cause information from previous network
packets to leak into reply packets that are sent to an attacker.

Severity: High
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerable: Yes

Improper input validation in IPv6 component (CVE-2020-11899)
--------------------------------------------------------------------------
Vulnerable: No

Double Free in IPv4 tunneling component (CVE-2020-11900)
--------------------------------------------------------------------------
This vulnerability could cause the device to reboot.

Severity: Critical
CVSSv3 Overall Score: 10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerable: Yes

Improper input validation in DNS resolver (CVE-2020-11901)
--------------------------------------------------------------------------
Vulnerable: No

Improper input validation in IPv6 over IPv4 tunneling (CVE-2020-11902)
--------------------------------------------------------------------------
Vulnerable: No

Out-of-bounds read in DHCP (CVE-2020-11903)
--------------------------------------------------------------------------
Vulnerable: No

Integer overflow or wraparound (CVE-2020-11904)
--------------------------------------------------------------------------
Vulnerable: No

Out-of-bounds read in DHCPv6 (CVE-2020-11905)
--------------------------------------------------------------------------
Vulnerable: No

Improper input validation (CVE-2020-11906)
--------------------------------------------------------------------------
This vulnerability could cause a denial of service against the switch’s
management interfaces by making them become unresponsive.

Severity: Medium
CVSSv3 Overall Score: 6.4
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Vulnerable: Yes

Improper handling of length parameter inconsistency (CVE-2020-11907)
--------------------------------------------------------------------------
This vulnerability could cause a denial of service against the switch’s
management interfaces by making them become unresponsive.

Severity: Medium
CVSSv3 Overall Score: 5.9
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Vulnerable: Yes

Improper null termination (CVE-2020-11908)
--------------------------------------------------------------------------
Vulnerable: No

Improper input validation in IPv4 (CVE-2020-11909)
--------------------------------------------------------------------------
Vulnerable: No

Improper input validation in ICMPv4 (CVE-2020-11910)
--------------------------------------------------------------------------
Vulnerable: No

Improper access control in ICMPv4 (CVE-2020-11911)
--------------------------------------------------------------------------
Denial of service via invalid inbound ICMP Address Mask Reply message
(type 18, code 0), which can cause the network subnet mask to be set to
a value chosen by the attacker.

Severity: Low
CVSSv3 Overall Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerable: Yes

Improper input validation in TCP (CVE-2020-11912)
--------------------------------------------------------------------------
This vulnerability could cause the switch to reboot.

Severity: Low
CVSSv3 Overall Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerable: Yes

Improper input validation in IPv6 (CVE-2020-11913)
--------------------------------------------------------------------------
Vulnerable: No

Improper input validation in ARP (CVE-2020-11914)
--------------------------------------------------------------------------
This vulnerability could cause the switch to reboot.

Severity: Low
CVSSv3 Overall Score: 3.1
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerable: Yes

Resolution
==========
HPE Aruba has released software updates and mitigation information to
resolve the vulnerabilities in certain HPE and Aruba L2/L3 switch
products. Please visit the Aruba Support Portal or the HPE My
Networking Portal to download the latest firmware and software updates
for the following products:

Aruba 5400 zl2 Switch Series - KB.16.08.0014, KB.16.09.0012, KB.16.10.0009
Aruba 3810M Switch Series - KB.16.08.0014, KB.16.09.0012, KB.16.10.0009
Aruba 2930M Switch Series - WC.16.08.0014, WC.16.09.0012, WC.16.10.0009
Aruba 2930F Switch Series - WC.16.08.0014, WC.16.09.0012, WC.16.10.0009
Aruba 2920 Switch Series - WB.16.08.0014, WB.16.09.0012, WB.16.10.0009
Aruba 2540 Switch Series - YC.16.08.0014, YC.16.09.0012, YC.16.10.0009
Aruba 2530YB Switch Series - YB.16.08.0014, YB.16.09.0012, YB.16.10.0009
Aruba 2530YA Switch Series - YA.16.08.0014, YA.16.09.0012, YA.16.10.0009
Aruba 5400 zl Switch Series - K.16.02.0031
Aruba 3800 Switch Series - KA.16.04.0020
Aruba 2915 Switch Series - A.15.16.0022
Aruba 2620 Switch Series - RA.16.04.0020
Aruba 2615 Switch Series - A.15.16.0002
HPE 8200 zl Switch Series - K.15.18.0023
HPE 6600 Switch Series - K.15.18.0023
HPE 6200 yl Switch Series - K.15.18.0023
HPE 3500 and 3500 yl Switch Series - K.16.02.0031

Discovery
=========
These vulnerabilities were discovered by researchers Shlomi Oberman and
Moshe Kol.
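
To audit a switch inventory against the fixed releases listed under Resolution, the following added example (not part of Aruba's advisory) flags ArubaOS-Switch versions that predate the fix. It covers only the KB, WC, WB, YC, YA and YB families; the hostnames and sample versions are constructed, and the handling of branches outside 16.08 to 16.10 is an assumption.

```python
import re

# Fixed builds per release branch, copied from the Resolution section for the
# families that list three maintained branches (KB, WC, WB, YC, YA, YB).
FIXED_BUILDS = {(16, 8): 14, (16, 9): 12, (16, 10): 9}
FAMILIES = {"KB", "WC", "WB", "YC", "YA", "YB"}
VERSION_RE = re.compile(r"^([A-Z]{1,2})\.(\d{2})\.(\d{2})\.(\d{4})$")


def parse_version(text):
    """Split 'KB.16.08.0014' into ('KB', (16, 8), 14); raise on other shapes."""
    m = VERSION_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    family, major, minor, build = m.groups()
    return family, (int(major), int(minor)), int(build)


def needs_update(version):
    """True if the release predates the fix, False if not, None if not covered."""
    family, branch, build = parse_version(version)
    if family not in FAMILIES:
        return None  # legacy families (K, KA, RA, A): compare by hand
    if branch in FIXED_BUILDS:
        return build < FIXED_BUILDS[branch]
    # Assumption (not stated in the advisory): branches older than 16.08 have
    # no fixed build, and branches newer than 16.10 already contain the fix.
    return branch < min(FIXED_BUILDS)


# Constructed sample inventory: hostnames and versions are made up.
INVENTORY = {
    "core-sw1": "KB.16.08.0009",
    "access-sw2": "WC.16.10.0009",
    "access-sw3": "YA.16.04.0016",
    "legacy-sw4": "K.15.18.0021",
}


def audit(inventory):
    """Map each hostname to the needs_update() verdict for its version."""
    return {host: needs_update(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    labels = {True: "UPDATE", False: "ok", None: "check advisory"}
    for host, verdict in audit(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:16} {labels[verdict]}")
```

Feed it the version strings your inventory tooling reports; entries returning None belong to the legacy families and need a manual comparison against the Resolution list.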

Workarounds
===========
The vulnerabilities listed above are exploited through network traffic
directed to an IP address of the switch itself; network traffic simply
passing through the switch does not trigger any vulnerability.
Therefore, the following workarounds are recommended:

- Do not make switch interfaces directly accessible from the Internet
- Segment switch management IP addresses from untrusted users. A
  dedicated management network is recommended.
- Use firewall rules or ACLs to block IP-in-IP traffic directed to the
  switch. The most serious vulnerability, CVE-2020-11896, depends on
  IP-in-IP tunneling. CVE-2020-11900 also depends on IP-in-IP
  tunneling. You may be able to use the "deny ip-in-ip" directive in a
  switch ACL to achieve this outcome; contact Technical Support if you
  need assistance.
- Use firewall rules or ACLs to block ICMPv4 traffic directed to the
  switch. CVE-2020-11898 depends on ICMPv4. You may be able to use the
  "deny icmp" directive in a switch ACL to achieve this outcome;
  contact Technical Support if you need assistance.

Exploitation and Public Discussion
==================================
This vulnerability is being widely discussed in public. Proof of
concept code has been developed, but has not been widely shared. A
research paper is available describing the vulnerabilities and attack
techniques.

Revision History
================
Revision 1 / 2020-June-23 / Initial Release
Revision 2 / 2020-July-02 / Updated affected products and resolution
Revision 3 / 2020-July-06 / Updated affected products and resolution
Revision 4 / 2020-August-04 / Updated resolution for legacy products
                              and updated CVE# in ICMPv4 workaround

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.