Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2021-007
CVE: CVE-2019-5317, CVE-2019-5319, CVE-2020-24635, CVE-2020-24636,
     CVE-2021-25143, CVE-2021-25144, CVE-2021-25145, CVE-2021-25146,
     CVE-2021-25148, CVE-2021-25149, CVE-2021-25150, CVE-2021-25155,
     CVE-2021-25156, CVE-2021-25157, CVE-2021-25158, CVE-2021-25159,
     CVE-2021-25160, CVE-2021-25161, CVE-2021-25162, CVE-2021-34617,
     CVE-2021-34618
Publication Date: 2021-Mar-09
Last Updated: 2021-Jul-13
Status: Confirmed
Severity: Critical
Revision: 4

Title
=====
Aruba Instant (IAP) Multiple Vulnerabilities

Overview
========
Aruba has released patches for Aruba Instant that address multiple
security vulnerabilities.

Affected Products
=================
Aruba Instant Access Points

Affected versions: Not all vulnerabilities in this advisory affect all
Aruba Instant branches. If an Aruba Instant branch is not listed as
affected, it means that any Aruba Instant version in that given branch
is not affected. For example, the 6.4.x.x and 6.5.x.x branches are not
affected by CVE-2021-25143.

Unaffected Products
===================
Aruba Mobility Conductor (formerly Mobility Master), Aruba Mobility
Controllers, Access-Points when managed by Mobility Controllers and
Aruba SD-WAN Gateways are not affected by these vulnerabilities. Aruba
Instant On is also not affected by these vulnerabilities.

Details
=======

Buffer Overflow Vulnerabilities in the PAPI protocol
(CVE-2019-5319, CVE-2021-25144, CVE-2021-25149)
---------------------------------------------------------------------
There are multiple buffer overflow vulnerabilities that could lead to
unauthenticated remote code execution by sending specially crafted
packets destined to the PAPI (Aruba Networks AP management protocol)
UDP port (8211). Successful exploitation of these vulnerabilities
results in the ability to execute arbitrary code as a privileged user
on the underlying operating system.

Internal references: ATLWL-104, ATLWL-137, ATLWL-160
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by a
collaboration between Comcast CyberSecurity / SSC and River Loop
Security and separately by Erik de Jong (bugcrowd.com/erikdejong) via
Aruba's Bug Bounty Program.

Workarounds: Block access to the Aruba Instant device IP address on
port UDP/8211 from all untrusted users.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.16 and below
- Aruba Instant 8.3.x: 8.3.0.12 and below
- Aruba Instant 8.5.x: 8.5.0.6 and below
- Aruba Instant 8.6.x: 8.6.0.2 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and above
- Aruba Instant 6.5.x: 6.5.4.17 and above
- Aruba Instant 8.3.x: 8.3.0.13 and above
- Aruba Instant 8.5.x: 8.5.0.7 and above
- Aruba Instant 8.6.x: 8.6.0.3 and above
- Aruba Instant 8.7.x: 8.7.0.0 and above

Authenticated Arbitrary Remote Command Execution (CVE-2021-25150)
---------------------------------------------------------------------
An authenticated command injection vulnerability exists in the Aruba
Instant command line interface. Successful exploitation of this
vulnerability results in the ability to execute arbitrary commands as
a privileged user on the underlying operating system. This allows an
attacker to fully compromise the underlying host operating system.

Internal references: ATLWL-95, ATLWL-114, ATLWL-135
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by a
collaboration between Comcast CyberSecurity / SSC and River Loop
Security and separately by Daniel Jensen (@dozernz) and Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Workaround: Block access to the Aruba Instant Command Line Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.5.x: 6.5.4.17 and below
- Aruba Instant 8.3.x: 8.3.0.13 and below
- Aruba Instant 8.5.x: 8.5.0.10 and below
- Aruba Instant 8.6.x: 8.6.0.4 and below

Resolved Versions:
- Aruba Instant 6.5.x: 6.5.4.18 and above
- Aruba Instant 8.3.x: 8.3.0.14 and above
- Aruba Instant 8.5.x: 8.5.0.11 and above
- Aruba Instant 8.6.x: 8.6.0.5 and above
- Aruba Instant 8.7.x: 8.7.0.0 and above

Authenticated Arbitrary File Write via CLI (CVE-2021-25148)
---------------------------------------------------------------------
A vulnerability exists that allows an authenticated attacker to
overwrite an arbitrary file with attacker-controlled content via the
Command Line Interface. Successful exploitation of this vulnerability
leads to overwrite of sensitive system files.

Internal reference: ATLWL-109
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by a
collaboration between Comcast CyberSecurity / SSC and River Loop
Security and separately by Erik de Jong (bugcrowd.com/erikdejong) via
Aruba's Bug Bounty Program.

Workaround: Block access to the Aruba Instant Command Line Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.5.x: 6.5.4.17 and below
- Aruba Instant 8.3.x: 8.3.0.13 and below
- Aruba Instant 8.5.x: 8.5.0.10 and below
- Aruba Instant 8.6.x: 8.6.0.4 and below

Resolved Versions:
- Aruba Instant 6.5.x: 6.5.4.18 and above
- Aruba Instant 8.3.x: 8.3.0.14 and above
- Aruba Instant 8.5.x: 8.5.0.11 and above
- Aruba Instant 8.6.x: 8.6.0.5 and above
- Aruba Instant 8.7.x: 8.7.0.0 and above

Unauthenticated Command Injection via DHCP Options (CVE-2020-24636)
---------------------------------------------------------------------
There is a command injection vulnerability in affected Aruba Instant
versions. This vulnerability can be exploited without authentication
provided an attacker controls the DHCP server.
Successful exploitation of this vulnerability results in the ability
to execute arbitrary commands as a privileged user on the underlying
operating system.

Internal references: ATLWL-136
Severity: High
CVSSv3 Overall Score: 8.1
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program.

Workaround: None.

Affected Versions:
- Aruba Instant 6.5.x: 6.5.4.17 and below
- Aruba Instant 8.3.x: 8.3.0.13 and below
- Aruba Instant 8.5.x: 8.5.0.10 and below
- Aruba Instant 8.6.x: 8.6.0.5 and below
- Aruba Instant 8.7.x: 8.7.0.0 and below

Resolved Versions:
- Aruba Instant 6.5.x: 6.5.4.18 and above
- Aruba Instant 8.3.x: 8.3.0.14 and above
- Aruba Instant 8.5.x: 8.5.0.11 and above
- Aruba Instant 8.6.x: 8.6.0.6 and above
- Aruba Instant 8.7.x: 8.7.1.0 and above

Unauthenticated Denial of Service via PAPI Protocol (CVE-2021-25143)
---------------------------------------------------------------------
An unauthenticated Denial of Service vulnerability exists in affected
Aruba Instant access points. This vulnerability can be exploited
through the PAPI protocol and successful exploitation results in a
system reboot. By repeatedly exploiting the vulnerability, an attacker
can deny service to legitimate users.

Internal references: ATLWL-138
Severity: High
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered and reported by Comcast
and Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty
Program.

Workaround: Block access to the Aruba Instant device IP address on
port UDP/8211 from all untrusted users.

Affected Versions:
- Aruba Instant 8.3.x: 8.3.0.12 and below
- Aruba Instant 8.5.x: 8.5.0.9 and below
- Aruba Instant 8.6.x: 8.6.0.4 and below

Resolved Versions:
- Aruba Instant 8.3.x: 8.3.0.13 and above
- Aruba Instant 8.5.x: 8.5.0.10 and above
- Aruba Instant 8.6.x: 8.6.0.5 and above
- Aruba Instant 8.7.x: 8.7.0.0 and above

Unauthenticated Command Injection via Web UI (CVE-2021-25162)
---------------------------------------------------------------------
An Unauthenticated Command Injection vulnerability exists within the
Aruba Instant Web UI. Successful exploitation results in the execution
of arbitrary commands on the underlying operating system. This
vulnerability is only exploitable under very specific, non-standard
configurations and in most cases would require another vulnerability
in order to be exploitable.

Internal reference: ATLWL-193
Severity: High
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Itai
Greenhut (@Gr33nh4t) and Gal Zror (@waveburst) from Aleph Research
(@alephsecurity).

Workaround: Block access to the Aruba Instant Web Management Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.7 and below
- Aruba Instant 8.7.x: 8.7.1.1 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.8 and above
- Aruba Instant 8.7.x: 8.7.1.2 and above

Authenticated Arbitrary File Write via Web UI (CVE-2021-25155)
---------------------------------------------------------------------
A vulnerability exists that allows an authenticated attacker to
overwrite an arbitrary file with attacker-controlled content via the
Web UI. Successful exploitation of this vulnerability leads to
overwrite of sensitive system files.

Internal reference: ATLWL-186
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Itai
Greenhut (@Gr33nh4t) and Gal Zror (@waveburst) from Aleph Research
(@alephsecurity).

Workaround: Block access to the Aruba Instant Web Management Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.6 and below
- Aruba Instant 8.7.x: 8.7.1.0 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.7 and above
- Aruba Instant 8.7.x: 8.7.1.1 and above

Authenticated Remote Command Execution
(CVE-2020-24635, CVE-2021-25146)
---------------------------------------------------------------------
An authenticated command injection vulnerability exists in the Aruba
Instant command line interface. Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary commands
as a privileged user on the underlying operating system. This allows
an attacker to fully compromise the underlying access point operating
system.

Internal references: ATLWL-74, ATLWL-99
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik
de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Workaround: Block access to the Aruba Instant Command Line Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.5.x: 6.5.4.17 and below
- Aruba Instant 8.3.x: 8.3.0.13 and below
- Aruba Instant 8.5.x: 8.5.0.10 and below
- Aruba Instant 8.6.x: 8.6.0.5 and below
- Aruba Instant 8.7.x: 8.7.0.0 and below

Resolved Versions:
- Aruba Instant 6.5.x: 6.5.4.18 and above
- Aruba Instant 8.3.x: 8.3.0.14 and above
- Aruba Instant 8.5.x: 8.5.0.11 and above
- Aruba Instant 8.6.x: 8.6.0.6 and above
- Aruba Instant 8.7.x: 8.7.1.0 and above

Authentication Bypass (CVE-2019-5317)
---------------------------------------------------------------------
An attacker with physical access to the affected device can bypass
authentication mechanisms and thereby gain access to the Aruba Instant
command line interface. This results in access point compromise at the
command line interface level.

Internal references: ATLWL-174
Severity: Medium
CVSSv3 Overall Score: 6.8
CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Robert
Vinson (@GenerousDram).

Workaround: None.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below
- Aruba Instant 6.5.x: 6.5.4.15 and below
- Aruba Instant 8.3.x: 8.3.0.11 and below
- Aruba Instant 8.4.x: 8.4.0.5 and below
- Aruba Instant 8.5.x: 8.5.0.6 and below
- Aruba Instant 8.6.x: 8.6.0.2 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.19 and above
- Aruba Instant 6.5.x: 6.5.4.16 and above
- Aruba Instant 8.3.x: 8.3.0.12 and above
- Aruba Instant 8.4.x: 8.4.0.6 and above
- Aruba Instant 8.5.x: 8.5.0.7 and above
- Aruba Instant 8.6.x: 8.6.0.3 and above
- Aruba Instant 8.7.x: 8.7.0.0 and above

Unauthenticated Denial of Service via LLDP Protocol (CVE-2021-34618)
---------------------------------------------------------------------
An unauthenticated Denial of Service vulnerability exists in affected
Aruba Instant access points. Exploitation of this vulnerability is
only possible via direct ethernet connection to the access point.
This vulnerability can be exploited through the LLDP protocol and
successful exploitation results in the unavailability of the affected
access point due to resource exhaustion.

Internal references: ATLWL-211
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered and reported by Qian Chen
(@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group.

Workaround: None

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.4.x: All versions
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.7 and below
- Aruba Instant 8.7.x: 8.7.1.1 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.19 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.8 and above
- Aruba Instant 8.7.x: 8.7.1.2 and above

Authenticated Reflected Cross-Site Scripting (CVE-2021-25161)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of Aruba Instant
could allow an authenticated remote attacker to conduct a reflected
cross-site scripting (XSS) attack against a user of the interface. A
successful exploit could allow an attacker to execute arbitrary script
code in a victim’s browser in the context of the affected interface.

Internal reference: ATLWL-192
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by Itai
Greenhut (@Gr33nh4t) and Gal Zror (@waveburst) from Aleph Research
(@alephsecurity).

Workaround: Block access to the Aruba Instant Web Management Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.7 and below
- Aruba Instant 8.7.x: 8.7.1.1 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.8 and above
- Aruba Instant 8.7.x: 8.7.1.2 and above

Unauthenticated Reflected Cross-Site Scripting (CVE-2021-34617)
---------------------------------------------------------------------
A vulnerability in the captive portal of Aruba Instant could allow an
unauthenticated remote attacker to conduct a reflected cross-site
scripting (XSS) attack against another user of the portal. A
successful exploit could allow an attacker to execute arbitrary script
code in a victim’s browser in the context of the affected interface.

Internal reference: ATLWL-176
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by Ramnath
Shenoy from Content Security.

Workaround: None

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.13 and below
- Aruba Instant 6.5.x: 6.5.4.13 and below
- Aruba Instant 8.3.x: 8.3.0.7 and below
- Aruba Instant 8.4.x: 8.4.0.5 and below
- Aruba Instant 8.5.x: 8.5.0.0

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.14 and above
- Aruba Instant 6.5.x: 6.5.4.14 and above
- Aruba Instant 8.3.x: 8.3.0.8 and above
- Aruba Instant 8.4.x: 8.4.0.6 and above
- Aruba Instant 8.5.x: 8.5.0.1 and above
- Aruba Instant 8.6.x: 8.6.0.0 and above
- Aruba Instant 8.7.x: 8.7.0.0 and above

Unauthenticated Arbitrary File Read via Race Condition Vulnerability
(CVE-2021-25158)
---------------------------------------------------------------------
An unauthenticated Arbitrary File Read vulnerability exists in
affected Aruba Instant hosts. This vulnerability is the result of a
race condition in the Web UI. Successful exploitation of this
vulnerability results in the ability to read arbitrary files off the
underlying filesystem, including sensitive system files.

Internal reference: ATLWL-189
Severity: Medium
CVSSv3 Overall Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Itai
Greenhut (@Gr33nh4t) and Gal Zror (@waveburst) from Aleph Research
(@alephsecurity).

Workaround: Block access to the Aruba Instant Web Management Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.7 and below
- Aruba Instant 8.7.x: 8.7.1.1 and below

Resolved Versions:
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.8 and above
- Aruba Instant 8.7.x: 8.7.1.2 and above

Authenticated Arbitrary Directory Create via Web UI (CVE-2021-25156)
---------------------------------------------------------------------
An Authenticated Arbitrary Directory Creation vulnerability exists in
affected Aruba Instant hosts. Successful exploitation of this
vulnerability will result in a directory being created with the
directory name controlled by the attacker.

Internal reference: ATLWL-187
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Discovery: This vulnerability was discovered and reported by Itai
Greenhut (@Gr33nh4t) and Gal Zror (@waveburst) from Aleph Research
(@alephsecurity).

Workaround: Block access to the Aruba Instant Web Management Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.6 and below
- Aruba Instant 8.7.x: 8.7.1.0 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.7 and above
- Aruba Instant 8.7.x: 8.7.1.1 and above

Authenticated Arbitrary File Read via Web UI (CVE-2021-25157)
---------------------------------------------------------------------
An Authenticated Arbitrary File Read vulnerability exists in affected
Aruba Instant hosts.
Successful exploitation of this vulnerability results in an attacker
being able to read any file off the underlying filesystem, including
sensitive system files.

Internal reference: ATLWL-188
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Itai
Greenhut (@Gr33nh4t) and Gal Zror (@waveburst) from Aleph Research
(@alephsecurity).

Workaround: Block access to the Aruba Instant Web Management Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.6 and below
- Aruba Instant 8.7.x: 8.7.1.0 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.7 and above
- Aruba Instant 8.7.x: 8.7.1.1 and above

Authenticated Arbitrary File Write via Web UI to Specific Backup File
(CVE-2021-25160)
---------------------------------------------------------------------
An Authenticated Arbitrary File Write vulnerability exists in the
Aruba Instant Web UI. Successful exploitation of this vulnerability
allows an attacker to write arbitrary contents to a single specific
backup file. This can result in corruption of the backup file.

Internal reference: ATLWL-191
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Discovery: This vulnerability was discovered and reported by Itai
Greenhut (@Gr33nh4t) and Gal Zror (@waveburst) from Aleph Research
(@alephsecurity).

Workaround: Block access to the Aruba Instant Web Management Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.7 and below
- Aruba Instant 8.7.x: 8.7.1.1 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.8 and above
- Aruba Instant 8.7.x: 8.7.1.2 and above

Authenticated Arbitrary File Write via Web UI (CVE-2021-25159)
---------------------------------------------------------------------
An Authenticated Arbitrary File Write vulnerability exists in affected
Aruba Instant versions. This vulnerability is exploited through the
Web Interface. Successful exploitation of this vulnerability allows an
authenticated attacker to overwrite sensitive system files.

Internal reference: ATLWL-190
Severity: Medium
CVSSv3 Overall Score: 4.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

Discovery: This vulnerability was discovered and reported by Itai
Greenhut (@Gr33nh4t) and Gal Zror (@waveburst) from Aleph Research
(@alephsecurity).

Workaround: Block access to the Aruba Instant Web Management Interface
from all untrusted users.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.7 and below
- Aruba Instant 8.7.x: 8.7.1.1 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.8 and above
- Aruba Instant 8.7.x: 8.7.1.2 and above

Remote Unauthorized Disclosure of Information (CVE-2021-25145)
---------------------------------------------------------------------
An unauthenticated information disclosure vulnerability exists in
affected Aruba Instant access points. A successful attacker in the
same wired network can exploit this vulnerability resulting in
sensitive information disclosure.

Internal references: ATLWL-184
Severity: Medium
CVSSv3 Overall Score: 4.3
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Discovery: This vulnerability was discovered and reported by Jeffrey
Goff of Hewlett Packard Enterprise/Aruba Networks.

Workaround: None.

Affected Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.18 and below
- Aruba Instant 6.5.x: 6.5.4.18 and below
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.10 and below
- Aruba Instant 8.6.x: 8.6.0.5 and below
- Aruba Instant 8.7.x: 8.7.0.0 and below

Resolved Versions:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.19 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.11 and above
- Aruba Instant 8.6.x: 8.6.0.6 and above
- Aruba Instant 8.7.x: 8.7.1.0 and above

Resolution
==========
In order to address the vulnerabilities described above for the
affected release branches, it is recommended to upgrade the software
to the following versions (where applicable):

- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.19 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.8 and above
- Aruba Instant 8.7.x: 8.7.1.2 and above

Workaround
==========
Workarounds are listed per vulnerability above. Contact Aruba TAC for
any configuration assistance.

Exploitation and Public Discussion
==================================
Aruba is not aware of any public exploitation tools or techniques that
target these specific vulnerabilities.

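One way to apply the Resolution section to a device inventory, as an added example that is not part of Aruba's advisory. The two version tables are copied from the advisory; the host names, the inventory and the function names are constructed for illustration. Devices still below the fix for the Critical PAPI buffer overflows are sorted first, since those are the ones that need the UDP/8211 workaround until they are upgraded.

```python
import re

# Minimum release per branch that resolves every CVE in the advisory
# (copied from its Resolution section).
RESOLVED = {
    "6.4": "6.4.4.8-4.2.4.19",
    "6.5": "6.5.4.19",
    "8.3": "8.3.0.15",
    "8.5": "8.5.0.12",
    "8.6": "8.6.0.8",
    "8.7": "8.7.1.2",
}

# Resolved versions for the Critical PAPI buffer overflows
# (CVE-2019-5319, CVE-2021-25144, CVE-2021-25149), copied from that section.
PAPI_RCE_RESOLVED = {
    "6.4": "6.4.4.8-4.2.4.18",
    "6.5": "6.5.4.17",
    "8.3": "8.3.0.13",
    "8.5": "8.5.0.7",
    "8.6": "8.6.0.3",
    "8.7": "8.7.0.0",
}

# 8.4.x is listed as affected ("All versions" for CVE-2021-34618) but has no
# entry in the Resolution section, so no 8.4.x release clears the advisory.
NO_FULL_FIX_BRANCHES = {"8.4"}

_VERSION_RE = re.compile(r"\d+(?:\.\d+){3}(?:-\d+(?:\.\d+){3})?")


def parse_version(text):
    """Turn '8.6.0.7' or '6.4.4.8-4.2.4.17' into a tuple of ints for ordering."""
    if not _VERSION_RE.fullmatch(text):
        raise ValueError(f"unrecognised Instant version string: {text!r}")
    return tuple(int(part) for part in re.split(r"[.-]", text))


def triage(version):
    """Return (status, upgrade_target, below_papi_fix) for one firmware string."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    papi_fix = PAPI_RCE_RESOLVED.get(branch)
    below_papi_fix = papi_fix is not None and parsed < parse_version(papi_fix)
    if branch in NO_FULL_FIX_BRANCHES:
        return ("migrate-branch", None, below_papi_fix)
    target = RESOLVED.get(branch)
    if target is None:
        # The advisory treats branches it does not list as unaffected.
        return ("branch-not-listed", None, False)
    if parsed >= parse_version(target):
        return ("patched", None, False)
    return ("upgrade", target, below_papi_fix)


def triage_inventory(inventory):
    """Triage (host, version) pairs; hosts below the PAPI fix sort first."""
    rows = [(host, version) + triage(version) for host, version in inventory]
    return sorted(rows, key=lambda row: (not row[4], row[0]))


# Constructed inventory for illustration; not real devices.
SAMPLE_INVENTORY = [
    ("ap-hq", "8.7.1.2"),
    ("ap-lobby", "8.6.0.2"),
    ("ap-floor2", "8.6.0.7"),
    ("ap-warehouse", "6.4.4.8-4.2.4.17"),
    ("ap-lab", "8.4.0.6"),
    ("ap-new", "8.8.0.0"),
]

if __name__ == "__main__":
    for host, version, status, target, below_papi_fix in triage_inventory(SAMPLE_INVENTORY):
        note = "  <- restrict UDP/8211 now" if below_papi_fix else ""
        print(f"{host:14} {version:18} {status:18} {target or '-':18}{note}")
```
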
Revision History
================
Revision 1 / 2021-Mar-09 / Initial release
Revision 2 / 2021-Mar-19 / Updated Affected and Resolved versions for
    the 6.4.4.8-4.2.4.x branch in CVE-2019-5317, CVE-2019-5319,
    CVE-2021-25144, CVE-2021-25145 and CVE-2021-25149
Revision 3 / 2021-May-17 / Updated Resolved versions for
    CVE-2019-5317, CVE-2021-25145
Revision 4 / 2021-Jul-13 / Added details for CVE-2021-34617 and
    CVE-2021-34618

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.