-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2020-011
CVE: CVE-2020-7124, CVE-2020-7125, CVE-2020-7126, CVE-2020-7127,
     CVE-2020-7128, CVE-2020-7129, CVE-2020-24631, CVE-2020-24632
Publication Date: 2020-Oct-20
Status: Confirmed
Revision: 1

Title
=====
AirWave Glass Multiple Vulnerabilities

Overview
========
Aruba has released updates to AirWave Glass that address multiple
security vulnerabilities.

Affected Products
=================
AirWave Glass 1.3.1 and below

Details
=======

RCE via unauthenticated exposure of services (CVE-2020-7127, CVE-2020-7128)
---------------------------------------------------------------------
Two AirWave Glass vulnerabilities expose container orchestration
services without authentication. These allow remote code execution and
could be leveraged by an attacker to eventually achieve complete host
compromise.

Internal references: ATLAW-65, ATLAW-68
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by
Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program

Resolution: Fixed in Glass 1.3.2 and above

Remote unauthorized access to container orchestration system (CVE-2020-7124)
---------------------------------------------------------------------
AirWave Glass contains a vulnerability that allows unauthorized access
to the container orchestration system. Attackers with access to the web
management interface can leverage this to eventually achieve complete
host compromise.

Internal reference: ATLAW-58
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by
Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program

Resolution: Fixed in Glass 1.3.0 and above

Authenticated privilege escalation via broken access control (CVE-2020-7125)
---------------------------------------------------------------------
Due to broken access control, lower-privileged read-only users in
AirWave Glass can add users or alter the properties of higher-privileged
users. This allows a lower-privileged user to escalate to administrative
access.

Internal references: ATLAW-61, ATLAW-79
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by
Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program

Resolution: Fixed in Glass 1.3.2 and above

Authenticated high-privileged command execution via glassadmin CLI
(CVE-2020-7129, CVE-2020-24631, CVE-2020-24632)
---------------------------------------------------------------------
Multiple authenticated remote command execution vulnerabilities exist
in AirWave Glass via the glassadmin CLI. These allow a user with
glassadmin privileges to execute arbitrary code as root on the
underlying host operating system.

Internal references: ATLAW-102, ATLAW-103, ATLAW-104, ATLAW-114
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by
Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program

Resolution: Fixed in Glass 1.3.2 and above

Unauthenticated SSRF in Grafana (CVE-2020-7126)
---------------------------------------------------------------------
AirWave Glass exposes an unauthenticated endpoint in the Grafana
subsystem that can be misused for Server-Side Request Forgery. This can
potentially be used to leak data from internal system endpoints; the
impact depends on how the system is deployed.

Internal reference: ATLAW-62
Severity: Medium
CVSSv3 Overall Score: 5.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Discovery: This vulnerability was discovered and reported by
Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program

Resolution: Fixed in Glass 1.3.0 and above

Resolution
==========
1. Upgrade AirWave Glass to 1.3.2 and above

Workarounds
===========
None

Revision History
================
Revision 1 / 2020-Oct-20 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE7HSZiT3iMFF7nMlwT9kZlgPfSYQFAl+JqSYACgkQT9kZlgPf
SYRovRAAiHa9ggiVIBv+w/98f6SXckDOtkvSxil8k3IsYhwpfcAhycf2NndEQAgZ
dx2ztZQPqqrEPbj0HoXhv4nwwGHkPJvg1tRPxswffeWk2lhiSGj4135lCluohYgP
qxuq2hv75fFe1f+vuh0VvTS4jePiYaaMWJdug7NSXoVraAjeNYaZ1P3NpH5UnWWe
N/EQ6TO5R+lVsW1wR0/TtqjenbYnV7QgcpJtqFbtYRgxFJmv0iKfvtYzGkIPS3th
UiQamYk6fAtu1CXmPWrlnbtr8aljlHWlp3ROTK9HlH6GJjkC/6Krhza5b9p1ompo
VvqKfqQ9SIBNOS95UNbYyMIsJ3FldrZbJ0XQECvL5frcB7Z1Dop7Y/XJbOMOCUqJ
oZBlR7wtzjds8QZ4e4eMLy94xJzY9iJvkt5yMtuDmE8rktfFxA+3Ux5Ju4Hlf2vL
p+2q/htBkcnjPcv2XPCH4lb5qkCvuFgqR+FIlLf9AST8kvM/b/YiynAy4mgZEKal
NGrMEccJC6BSFPH6HAeovfUCMHouM8xWQ5AW5KL3tUJ3mX7fn82TXYvyej671sgZ
e4nUE1kXUJAtmH4eq5YnmRLRPcFesUNneO82UYhIfy+GqEt/NP2qCdVswQiFu1ww
BiZCekB8K3l/ZIX/8S0GiLoku3hjWHjOODCKgzcCGkqSAtueRtk=
=LwtY
-----END PGP SIGNATURE-----