-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
==================================
Advisory ID: ARUBA-PSA-2021-008
CVE:  CVE-2020-25705
Publication Date: 2021-Mar-09
Status: Confirmed
Severity: High
Revision: 1


Title
=====
SAD DNS side channel attack


Overview
========
A vulnerability made public under the name SAD DNS affects Domain Name 
System resolvers due to a vulnerability in the Linux kernel when 
handling ICMP packets. This vulnerability is present in some Aruba
products which are listed below. For more information please see 
https://www.saddns.net/


Affected Products
=================
All Aruba Instant Access Points running:
    - Aruba Instant 8.3.x: 8.3.0.14 and below
    - Aruba Instant 8.5.x: 8.5.0.11 and below
    - Aruba Instant 8.6.x: 8.6.0.7 and below
    - Aruba Instant 8.7.x: 8.7.1.1 and below

Hardware and Virtual implementations of ArubaOS Mobility Conductor
(formerly Mobility Master), Aruba Mobility Controllers, Access-Points
when managed by Mobility Controllers running:
    - ArubaOS 6.4.x: 6.4.4.24 and below
    - ArubaOS 6.5.x: 6.5.4.18 and below
    - ArubaOS 8.3.x: 8.3.0.14 and below
    - ArubaOS 8.5.x: 8.5.0.11 and below
    - ArubaOS 8.6.x: 8.6.0.7 and below
    - ArubaOS 8.7.x: 8.7.1.1 and below

Hardware and Virtual implementations of SD-WAN Gateways running:
    - ArubaOS 2.2.0.3 and below

Unaffected Products
===================
Other Aruba products not listed above are not affected by these
vulnerabilities.

  
Details
=======
A flaw in the way reply ICMP packets are limited in the Linux kernel
was found that allows for quick scanning of open UDP ports. This flaw 
allows an off-path remote user to effectively bypass source port UDP 
randomization. 

Although the vulnerability lies within the way the Linux kernel rate 
limits ICMP packets, the main impact from the SAD DNS attack would be 
on name resolution related services running on the affected Aruba
device. 
 
Internal references: ATLWL-198, ATLWL-199
Severity: High
CVSSv3 Overall Score: 7.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

  
Resolution
==========
Aruba Instant Access Points running:
    - Aruba Instant 8.3.x: 8.3.0.15 and above
    - Aruba Instant 8.5.x: 8.5.0.12 and above
    - Aruba Instant 8.6.x: 8.6.0.8 and above
    - Aruba Instant 8.7.x: 8.7.1.2 and above

Hardware and Virtual implementations of ArubaOS Mobility Conductor
(formerly Mobility Master), Aruba Mobility Controllers, Access-Points
when managed by Mobility Controllers running:
    - ArubaOS 6.4.x: 6.4.4.25 and above
    - ArubaOS 6.5.x: 6.5.4.19 and above
    - ArubaOS 8.3.x: 8.3.0.15 and above
    - ArubaOS 8.5.x: 8.5.0.12 and above
    - ArubaOS 8.6.x: 8.6.0.8 and above
    - ArubaOS 8.7.x: 8.7.1.2 and above

Hardware and Virtual implementations of SD-WAN Gateways running:
    - ArubaOS 2.2.0.4 and above


Workaround
==========
As this is a side channel attack it can be difficult to mitigate
exposure. However this attack was mostly targeting internet exposed
name servers, and not resources inside corporate environments.

Aruba always recommends that the CLI and web-based management
interfaces for the affected devices be restricted to a dedicated
layer 2 segment/VLAN and/or controlled by firewall policies at layer 3
where possible. 

For this specific vulnerability outgoing ICMP packets can be disabled 
using "service ACLs" to implement blocking rules. 

Contact Aruba TAC for any configuration assistance. 


Discovery
=========
This vulnerability was discovered and reported by Keyu Man, Zhiyun Qian, 
Zhongjie Wang, Xiaofeng Zheng, Youjun Huang and Haixin Duan in
Proceedings of ACM Conference on Computer and Communications Security
(CCS`20), November 9-13, 2020


Exploitation and Public Discussion
==================================
Aruba is not aware of any exploitation tools or techniques that
specifically target Aruba products.


Revision History
================
Revision 1 / 2021-Mar-09 / Initial release


Aruba SIRT Security Procedures 
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products, obtaining assistance with security incidents is
available at: 
 
http://www.arubanetworks.com/support-services/security-bulletins/ 
 
 
For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at: 
 
http://www.arubanetworks.com/support-services/security-bulletins/ 
 

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company. 
This advisory may be redistributed freely after the release date  given 
at the top of the text, provided  that  the  redistributed  copies  are 
complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmBBOkkACgkQmP4JykWF
htl82Qf8DvHUL3ukayQDlqTy7TlnLuq32XL3RqrxLPfcmVv070Jn1CcmVvohssCW
gsbhDNKWgnKZhmW13LKo1tlsjQjWLgsoefcV9sHooOI0fDynWUqwrz5AB14P3+3w
5tTiwhJmz6m9kOogUJzqmfetOfhp+mYGfx8qUKTAj3YejRl7m6+Gr7UgyWtOVrwb
fwExeMcGsHAPrYiQnoQy8oN8umDt2BwQvWFgQ/3cdVFt5KRTrIPQ+GY8gYNv+C9a
E4noOPmz/1yJECHDzHXo4iW3QOsGe4C8HAvW/LLzOr+U7EAkV3LIuvWEQCtbThUx
bBhxipgSuG5bqJputPWnv0FSv3xByQ==
=GPNh
-----END PGP SIGNATURE-----