-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Aruba Product Security Advisory
==================================
Advisory ID: ARUBA-PSA-2021-005
CVE: CVE-2021-26960, CVE-2021-26961, CVE-2021-26962, CVE-2021-26963,
     CVE-2021-26964, CVE-2021-26965, CVE-2021-26966, CVE-2021-26967,
     CVE-2021-26968, CVE-2021-26969, CVE-2021-26970, CVE-2021-26971
Publication Date: 2021-Feb-23
Last Updated: 2021-Mar-02
Status: Confirmed
Revision: 2

Title
=====
AirWave Management Platform Multiple Vulnerabilities

Overview
========
Aruba has released updates to the AirWave Management Platform that
address multiple security vulnerabilities.

Affected Products
=================
AirWave Management Platform prior to 8.2.12.0

Details
=======

AirWave Web-based Management Interface Cross-Site Request Forgery
Vulnerability (CVE-2021-26960, CVE-2021-26961)
---------------------------------------------------------------------
A vulnerability in the AirWave web-based management interface could
allow an unauthenticated remote attacker to conduct a CSRF attack
against a vulnerable system. A successful exploit would consist of an
attacker persuading an authorized user to follow a malicious link,
resulting in arbitrary actions being carried out with the privilege
level of the targeted user.

Internal references: ATLAW-127, ATLAW-56
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by
S4thi5h (bugcrowd.com/S4thi5h) and rceman (bugcrowd.com/rceman) via
Aruba's Bug Bounty Program

Resolution: Fixed in AirWave AMP 8.2.12.0 and above

Authenticated Remote Command Injection in AirWave CLI
(CVE-2021-26962, CVE-2021-26963)
---------------------------------------------------------------------
Vulnerabilities in the AirWave CLI could allow remote authenticated
users to run arbitrary commands on the underlying host.
A successful exploit could allow an attacker to execute arbitrary
commands as root on the underlying operating system leading to full
system compromise.

Internal references: ATLAW-154, ATLAW-137, ATLAW-135, ATLAW-130,
                     ATLAW-126, ATLAW-116
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by
Daniel Jensen (@dozernz) and Erik de Jong (bugcrowd.com/erikdejong)
via Aruba's Bug Bounty Program

Resolution: Fixed in AirWave AMP 8.2.12.0 and above

AirWave Web-based Management Interface Improper Access Control
Vulnerability (CVE-2021-26964)
---------------------------------------------------------------------
A vulnerability in the AirWave web-based management interface could
allow an authenticated remote attacker to improperly access and
modify devices and management user details. A successful exploit
would consist of an attacker using a lower privileged account to
change management user or device details. This could allow the
attacker to escalate privileges and/or change network details that
they should not have access to.

Internal references: ATLAW-89, ATLAW-88, ATLAW-86, ATLAW-84,
                     ATLAW-83, ATLAW-82, ATLAW-77
Severity: High
CVSSv3 Overall Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Discovery: This vulnerability was discovered and reported by Satish
Bommisetty (bugcrowd.com/satishb3, @satishb3) via Aruba's Bug Bounty
Program

Resolution: Fixed in AirWave AMP 8.2.12.0 and above

SQL Injection Vulnerabilities in AirWave API Interface
(CVE-2021-26965, CVE-2021-26966)
---------------------------------------------------------------------
Multiple vulnerabilities in the API of AirWave could allow an
authenticated remote attacker to conduct SQL injection attacks
against the AirWave instance. An attacker could exploit these
vulnerabilities to obtain and modify sensitive information in the
underlying database.

Internal references: ATLAW-148, ATLAW-147, ATLAW-145, ATLAW-144,
                     ATLAW-122, ATLAW-70
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Discovery: These vulnerabilities were discovered and reported by
Daniel Jensen (@dozernz) and Erik de Jong (bugcrowd.com/erikdejong)
via Aruba's Bug Bounty Program

Resolution: Fixed in AirWave AMP 8.2.12.0 and above

Reflected Cross-Site Scripting Vulnerability (XSS) in AirWave
Web-based Management Interface (CVE-2021-26967)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of AirWave
could allow a remote attacker to conduct a reflected cross-site
scripting (XSS) attack against a user of certain components of the
interface. A successful exploit could allow an attacker to execute
arbitrary script code in a victim’s browser in the context of the
AirWave management interface.

Internal references: ATLAW-57
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by S4thi5h
(bugcrowd.com/S4thi5h) via Aruba's Bug Bounty Program

Resolution: Fixed in AirWave AMP 8.2.11.0 and above

Authenticated Stored Cross-Site Scripting Vulnerability (XSS) in
AirWave Web-based Management Interface (CVE-2021-26968)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of AirWave
could allow an authenticated remote attacker to conduct a stored
cross-site scripting (XSS) attack against a user of the interface. A
successful exploit could allow an attacker to execute arbitrary
script code in a victim’s browser in the context of the affected
interface.

Internal references: ATLAW-90, ATLAW-87, ATLAW-85
Severity: Medium
CVSSv3 Overall Score: 5.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by Satish
Bommisetty (bugcrowd.com/satishb3, @satishb3) via Aruba's Bug Bounty
Program

Resolution: Fixed in AirWave AMP 8.2.11.1 and above

Authenticated XML External Entity (XXE) Vulnerability in AirWave
Web-based Management Interface (CVE-2021-26969)
---------------------------------------------------------------------
Due to improper restrictions on XML entities, a vulnerability exists
in the web-based management interface of AirWave. A successful
exploit could allow an authenticated attacker to retrieve files from
the local system or cause the application to consume system
resources, resulting in a denial of service condition.

Internal references: ATLAW-81
Severity: Medium
CVSSv3 Overall Score: 5.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H

Discovery: This vulnerability was discovered and reported by Erik de
Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program

Resolution: Fixed in AirWave AMP 8.2.11.0 and above

Authenticated Remote Command Injection in AirWave Web-based
Management Interface (CVE-2021-26970, CVE-2021-26971)
---------------------------------------------------------------------
Vulnerabilities in the AirWave web-based management interface could
allow remote authenticated users to run arbitrary commands on the
underlying host. A successful exploit could allow an attacker to
execute arbitrary commands as a lower privileged user on the
underlying operating system leading to partial system compromise.

Internal references: ATLAW-149, ATLAW-142, ATLAW-140, ATLAW-134,
                     ATLAW-129, ATLAW-123, ATLAW-98
Severity: Medium
CVSSv3 Overall Score: 4.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Discovery: These vulnerabilities were discovered and reported by
Daniel Jensen (@dozernz) and Erik de Jong (bugcrowd.com/erikdejong)
via Aruba's Bug Bounty Program

Resolution: Fixed in AirWave AMP 8.2.12.0 and above

Resolution
==========
Upgrade AirWave Management Platform to 8.2.12.0 and above.

Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based
management interfaces for AirWave be restricted to a dedicated
layer 2 segment/VLAN and/or controlled by firewall policies at
layer 3 and above.

Revision History
================
Revision 1 / 2021-Feb-23 / Initial release
Revision 2 / 2021-Mar-02 / Corrected CVE numbers with Mitre

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date
given at the top of the text, provided that the redistributed copies
are complete and unmodified, including all data and version
information.
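The per-vulnerability "Resolution" lines above name three different fix versions (8.2.11.0, 8.2.11.1 and 8.2.12.0). As an added example that is not part of Aruba's advisory, the Python below compares a deployed AMP version numerically against those lines and lists the CVEs still open; the function names and sample versions are constructed for illustration.

```python
# Added example: triage AirWave AMP versions against ARUBA-PSA-2021-005.
# Fix versions, CVE IDs and CVSS scores are copied from the advisory text;
# function names and the sample versions below are constructed.

# (title, CVEs, CVSSv3 score, fixed-in version)
ADVISORY = [
    ("CSRF in web management interface",
     ["CVE-2021-26960", "CVE-2021-26961"], 8.8, "8.2.12.0"),
    ("Command injection in CLI",
     ["CVE-2021-26962", "CVE-2021-26963"], 7.2, "8.2.12.0"),
    ("Improper access control", ["CVE-2021-26964"], 7.1, "8.2.12.0"),
    ("SQL injection in API", ["CVE-2021-26965", "CVE-2021-26966"], 6.5, "8.2.12.0"),
    ("Reflected XSS", ["CVE-2021-26967"], 6.1, "8.2.11.0"),
    ("Stored XSS", ["CVE-2021-26968"], 5.5, "8.2.11.1"),
    ("XXE", ["CVE-2021-26969"], 5.5, "8.2.11.0"),
    ("Command injection in web management interface",
     ["CVE-2021-26970", "CVE-2021-26971"], 4.7, "8.2.12.0"),
]


def parse_version(text):
    """Turn '8.2.12.0' into (8, 2, 12, 0) so comparison is numeric.

    A plain string comparison would rank '8.2.9.0' above '8.2.12.0'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a four-part AMP version, got {text!r}")
    return tuple(int(p) for p in parts)


def open_issues(deployed):
    """Return advisory entries whose fix version is newer than `deployed`."""
    current = parse_version(deployed)
    return [e for e in ADVISORY if current < parse_version(e[3])]


def triage(deployed):
    """Summarise exposure: open CVE IDs and the highest open CVSS score."""
    entries = open_issues(deployed)
    cves = sorted(c for e in entries for c in e[1])
    worst = max((e[2] for e in entries), default=None)
    return {"version": deployed, "open_cves": cves, "max_cvss": worst}


if __name__ == "__main__":
    for v in ("8.2.9.0", "8.2.11.0", "8.2.11.1", "8.2.12.0"):  # constructed
        r = triage(v)
        print(f"{v}: {len(r['open_cves'])} open CVEs, max CVSS {r['max_cvss']}")
```

A release that already contains the XSS and XXE fixes (8.2.11.x) still reports the CSRF, command injection, access control and SQL injection issues as open until 8.2.12.0.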