-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2020-012
CVE: CVE-2020-10713, CVE-2020-24633, CVE-2020-24634, CVE-2020-24637
Publication Date: 2020-Dec-08
Status: Confirmed
Revision: 1

Title
=====
ArubaOS Multiple Vulnerabilities

Overview
========
Aruba has released patches for ArubaOS that address multiple security vulnerabilities.

Affected Products
=================
ArubaOS Mobility Conductor (formerly Mobility Master), Aruba Mobility Controllers, Access-Points when managed by Mobility Controllers, and Aruba SD-WAN Gateways.

Affected versions: Not all vulnerabilities in this advisory affect all ArubaOS branches. If an ArubaOS branch is not listed as affected, no ArubaOS version in that branch is affected. For example, the 6.4.x.x and 6.5.x.x branches are not affected by CVE-2020-24634.

Aruba SD-WAN Gateways are also affected, regardless of whether they are managing Access-Points, because their underlying operating system is based on ArubaOS.

Details
=======

Buffer Overflow Vulnerabilities in the PAPI protocol (CVE-2020-24633)
---------------------------------------------------------------------
There are multiple buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets to the PAPI (Aruba Networks AP management protocol) UDP port (8211) of access-points or controllers.
Internal references: ATLWL-87, ATLWL-150, ATLWL-151, ATLWL-152, ATLWL-153, ATLWL-154, ATLWL-155, ATLWL-156
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.
Affected Versions:
  ArubaOS 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
  SD-WAN 2.1.0.1, 2.2.0.0 and below
Resolution:
  ArubaOS 6.4.4.24, 6.5.4.18, 8.2.2.10, 8.3.0.14, 8.5.0.11, 8.6.0.6, 8.7.1.0 and above
  SD-WAN 2.1.0.2, 2.2.0.1 and above

Unauthenticated Remote Command Injection Vulnerability (CVE-2020-24634)
-----------------------------------------------------------------------
An attacker is able to remotely inject arbitrary commands by sending specially crafted packets to the PAPI (Aruba Networks AP Management protocol) UDP port (8211) of access-points or controllers.

Internal references: ATLWL-84, ATLWL-144, ATLWL-149
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.
Affected Versions:
  ArubaOS 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
  SD-WAN 2.1.0.1, 2.2.0.0 and below
Resolution:
  ArubaOS 8.2.2.10, 8.3.0.14, 8.5.0.11, 8.6.0.6, 8.7.1.0 and above
  SD-WAN 2.1.0.2, 2.2.0.1 and above

Secure Boot Bypass Vulnerability in 90xx Series Gateways (CVE-2020-10713, CVE-2020-24637)
-----------------------------------------------------------------------------------------
Two vulnerabilities in the ArubaOS GRUB2 implementation allow an attacker to bypass Secure Boot. Successful exploitation could lead to remote compromise of system integrity by allowing an attacker to load an untrusted or modified kernel.
Internal references: ATLWL-133, ATLWL-159
Severity: High
CVSSv3 Overall Score: 8.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Discovery: CVE-2020-10713 (aka the BootHole vulnerability) was discovered and published by Eclypsium researchers Mickey Shkatov and Jesse Michael. CVE-2020-24637 was discovered by Nicholas Starke of Aruba Threat Labs.
Affected Versions:
  ArubaOS 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
  SD-WAN 2.1.0.1, 2.2.0.0 and below
Resolution:
  ArubaOS 8.5.0.11, 8.6.0.6, 8.7.1.0 and above
  SD-WAN 2.1.0.2, 2.2.0.1 and above

Resolution
==========
To address the vulnerabilities described above for the affected release branches, upgrade the software to the following versions (where applicable):
  ArubaOS 6.4.4.24, 6.5.4.18, 8.2.2.10, 8.3.0.14, 8.5.0.11, 8.6.0.6, 8.7.1.0 and above
  SD-WAN 2.1.0.2, 2.2.0.1 and above

As a general rule, we do not evaluate or patch ArubaOS branches that have reached their End of Support (EoS) milestone. However, given how recently ArubaOS 8.2.x.x reached EoS, we decided to evaluate and provide a patch for this branch. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/

Workarounds
===========
To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends restricting communication between Controllers/Gateways and Access-Points, either by placing them on a dedicated layer 2 segment/VLAN or, where Controllers/Gateways and Access-Points cross layer 3 boundaries, by applying firewall policies that limit this communication to the authorized devices. Also, enabling the Enhanced PAPI Security feature will prevent the vulnerabilities above from being exploited. Contact Aruba Support for configuration assistance.
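As an added example (not part of Aruba's advisory), the audit below scans constructed flow-log lines for PAPI traffic (UDP 8211) where either endpoint lies outside an assumed Controller/Access-Point allowlist, which is exactly the traffic the recommended VLAN segmentation or firewall policy is meant to stop. The log format, the addresses and the allowlist are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# PAPI (Aruba Networks AP management protocol) listens on UDP 8211 (from the advisory).
PAPI_PORT = 8211

# Assumed allowlist of devices permitted to speak PAPI; addresses are constructed.
AUTHORIZED_PAPI_PEERS = [
    ipaddress.ip_network("10.10.0.0/24"),  # constructed: Access-Point management VLAN
    ipaddress.ip_network("10.10.1.5/32"),  # constructed: Mobility Controller
]

# Constructed flow-log lines: "<timestamp> <proto> <src_ip>:<port> -> <dst_ip>:<port>"
SAMPLE_FLOW_LOG = """\
2020-12-08T10:00:01Z udp 10.10.0.21:49152 -> 10.10.1.5:8211
2020-12-08T10:00:02Z udp 10.10.1.5:8211 -> 10.10.0.21:8211
2020-12-08T10:00:03Z udp 198.51.100.7:53044 -> 10.10.1.5:8211
2020-12-08T10:00:04Z tcp 198.51.100.7:53045 -> 10.10.1.5:443
2020-12-08T10:00:05Z udp 192.0.2.9:8211 -> 10.10.0.21:8211
"""

@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int

def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed flow-log format into a Flow record."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(ts, proto.lower(), src_ip, dst_ip, int(dst_port))

def is_authorized(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_PAPI_PEERS)

def unauthorized_papi_flows(log_text: str) -> list:
    """Return UDP/8211 flows where either endpoint is outside the allowlist (policy gaps)."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        flow = parse_flow(line)
        if flow.proto != "udp" or flow.dst_port != PAPI_PORT:
            continue  # not PAPI traffic; out of scope for this check
        if not (is_authorized(flow.src_ip) and is_authorized(flow.dst_ip)):
            hits.append(flow)
    return hits
```

Each hit is either a firewall or VLAN policy that is not restricting PAPI as intended, or an unexpected device addressing the PAPI port of a controller or access-point.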
Revision History
================
Revision 1 / 2020-Dec-08 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.