Aruba Product Security Advisory
==================================
Advisory ID: ARUBA-PSA-2021-006
CVE: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684,
     CVE-2020-25685, CVE-2020-25686, CVE-2020-25687
Publication Date: 2021-Feb-23
Status: Confirmed
Severity: Low
Revision: 1

Title
=====
Multiple Vulnerabilities in dnsmasq

Overview
========
Seven new vulnerabilities were reported in the open-source component
dnsmasq. This collection of vulnerabilities has been made public under
the name DNSpooq.

Successful exploitation of four of these vulnerabilities could result in
either remote code execution (RCE) or a denial of service (DoS) condition
in affected devices. These vulnerabilities are:

    CVE-2020-25681
    CVE-2020-25682
    CVE-2020-25683
    CVE-2020-25687

The other three vulnerabilities could allow an attacker to carry out DNS
cache poisoning attacks. These types of attacks can be used to redirect
traffic to malicious IP addresses. These vulnerabilities are:

    CVE-2020-25684
    CVE-2020-25685
    CVE-2020-25686

Unaffected Products
===================
No Aruba products are affected by the following vulnerabilities:

    CVE-2020-25681
    CVE-2020-25682
    CVE-2020-25683
    CVE-2020-25687

Affected Products
=================
Aruba Mobility Controllers, Access Points when managed by Mobility
Controllers, Aruba SD-WAN Gateways and Aruba Instant Access Points using
all supported firmware releases at time of original advisory publication
are affected by the following vulnerabilities:

    CVE-2020-25684
    CVE-2020-25685
    CVE-2020-25686

Aruba views these vulnerabilities as low severity.

Other Aruba products not listed above, including Aruba Instant On, are
not affected by these vulnerabilities.

Details
=======
dnsmasq is used by the affected ArubaOS products (Aruba Mobility
Controllers, Access Points when managed by Mobility Controllers, Aruba
SD-WAN Gateways) to provide DNS proxy/DNS resolution for captive portal
users or when the "Redirect DNS Server" feature is enabled. For Captive
Portal, while in a pre-authenticated state, the process accepts DNS
queries from captive portal users and returns the IP address of the
mobility controller.

dnsmasq is used by Aruba Instant as a DNS proxy for many commonly used
deployment architectures.

Internal Reference: ASIRT-252
Severity: Low
CVSSv3 Overall Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Aruba analyzed and tested these vulnerabilities in the affected products.
We found a successful DNS Cache Poisoning attack as described in the CVEs
to be very unlikely. Scenarios we found vulnerable involved environmental
conditions, beyond configuration parameters, that an attacker may not be
able to manipulate.

Resolution
==========
Given the low severity CVSS Score and the difficulty of exploiting these
vulnerabilities, Aruba is treating them as very low priority.

Aruba will be updating dnsmasq (to version 2.83 or higher) in future
routine maintenance patches. This advisory will be updated with version
information as it becomes available.

Workarounds
===========
ArubaOS / SD-WAN:

Systems which do not have captive portal or the "Redirect DNS Server"
functionalities enabled may safely use firewall rules to block access to
UDP port 53 destined to the controller. Aruba recommends "service ACLs"
to implement blocking rules. Service ACLs are documented in the ArubaOS
User Guide and in the ArubaOS Security Hardening Guide, both of which are
available for download from the Aruba support portal.

If the "Redirect DNS Server" feature is enabled: Have more than one DNS
server configured for each SSID that uses this feature.

Aruba Instant:

Have more than one DNS server configured for each SSID.

Contact Aruba TAC for any configuration assistance.

Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public. Aruba is not
aware of any exploitation tools or techniques that specifically target
Aruba products.

Discovery
=========
These vulnerabilities were discovered by researchers Shlomi Oberman and
Moshe Kol.

Revision History
================
Revision 1 / 2021-Feb-23 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

    http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

    http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.