Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2021-013
CVE: CVE-2020-25705, CVE-2021-29143, CVE-2021-29148, CVE-2021-29149
Publication Date: 2021-July-13
Status: Confirmed
Severity: High
Revision: 1


Title
=====
AOS-CX Devices Multiple Vulnerabilities


Overview
========
Aruba has released updates for wired switch products running AOS-CX
that address multiple security vulnerabilities.


Affected Products
=================
Aruba 8400/8360/8325/8320 switch series and Aruba 6400/6300/6200F
switch series running the following version of the AOS-CX firmware:

    10.04.xxxx - versions prior to 10.04.3070
    10.05.xxxx - versions prior to 10.05.0070
    10.06.xxxx - versions prior to 10.06.0110
    10.07.xxxx - versions prior to 10.07.0001


Unaffected Products
===================
Any other Aruba products not listed above, including Aruba Intelligent
Edge Switches and HPE OfficeConnect Switches are not affected by these
vulnerabilities.


Details
=======

SAD DNS Vulnerability (CVE-2020-25705)
---------------------------------------------------------------------
A flaw in the way reply ICMP packets are limited in the Linux kernel
was found that allows for quick scanning of open UDP ports. This flaw
allows an off-path remote user to effectively bypass source port UDP
randomization. Please refer to https://www.saddns.net/ for more
details.

Internal references: ATLAX-25
Severity: High
CVSSv3 Overall Score: 7.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Discovery: This vulnerability was discovered and reported by Keyu Man,
Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang and Haixin
Duan in Proceedings of ACM Conference on Computer and Communications
Security (CCS '20), November 9-13, 2020


Remote Code Execution Via External Storage (CVE-2021-29143)
---------------------------------------------------------------------
A vulnerability in AOS-CX devices would allow a potential attacker
with admin credentials to perform command injection. This requires an
external storage device to be connected to the switch. Successful
exploitation of this vulnerability allows the attacker to execute
commands as root on the operating system, allowing a complete system
compromise.

Internal references: ATLAX-19, ATLAX-29
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Erik de
Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.


PHY Firmware Local Bypass Security Restrictions (CVE-2021-29149)
---------------------------------------------------------------------
A vulnerability was discovered for AOS-CX devices that would allow an
attacker to bypass local security restrictions via physical layer
updates from the ISP. This requires the attacker to have
administrative credentials and access to the ISP providing the update.
This will allow the attacker to overwrite the existing firmware of the
AOS-CX device with a malicious version.

Internal references: ATLAX-22
Severity: Medium
CVSSv3 Overall Score: 6.6
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

Discovery: This vulnerability was discovered and reported internally.


Path-relative Stylesheet Import (PRSSI) (CVE-2021-29148)
---------------------------------------------------------------------
Due to the configuration of the web-based management interface,
relative URLs within HTML pages may not specifically identify the
right directory. It may allow unauthenticated attackers to potentially
overwrite existing CSS paths and pass malicious CSS file references.
This will potentially alter the displayed UI and direct victims to
fraudulent sites.

Internal references: ATLAX-20
Severity: Medium
CVSSv3 Overall Score: 6.4
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

Discovery: This vulnerability was discovered and reported internally.


Resolution
==========
Upgrade AOS-CX devices to the following version based on your current
version:

    10.05.xxxx - 10.05.0070 and above.
    10.06.xxxx - 10.06.0110 and above.
    10.07.xxxx - 10.07.0001 and above.

Affected Aruba devices on version 10.04.xxxx will need to upgrade to
10.05.0070 to address all of the vulnerabilities.


Workaround
==========
For CVE-2020-25705, ICMP packets can be disabled using "service ACLs"
to implement blocking rules. Contact Aruba TAC for any configuration
assistance.


Exploitation and Public Discussion
==================================
Aruba is not aware of any exploitation tools or techniques that
leverage these specific vulnerabilities.


Revision History
================
Revision 1 / 2021-July-13 / Initial release


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

    http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption.
Our public keys can be found at:

    http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
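
The version lists under "Affected Products" and "Resolution" can be applied to a switch inventory as follows. This is an added example, not Aruba code; the host names, the sample versions and the optional two-letter platform prefix on version strings are assumptions.

```python
import re

# Build at which each branch stops being listed under "Affected Products".
FIRST_UNAFFECTED = {(10, 4): 3070, (10, 5): 70, (10, 6): 110, (10, 7): 1}
# Upgrade targets from "Resolution"; 10.04 devices are sent to 10.05.0070.
UPGRADE_TO = {(10, 4): "10.05.0070", (10, 5): "10.05.0070",
              (10, 6): "10.06.0110", (10, 7): "10.07.0001"}

# Assumption: versions look like "10.06.0100", optionally with a two-letter
# platform prefix such as "FL." in front.
VERSION_RE = re.compile(r"^(?:[A-Za-z]{2}\.)?(\d{2})\.(\d{2})\.(\d{4})$")


def triage(version):
    """Classify one firmware version; returns (status, upgrade_target)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return ("unparsed", None)
    major, minor, build = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch not in FIRST_UNAFFECTED:
        # Branch is not in the advisory's list: check it by hand.
        return ("branch-not-listed", None)
    if build < FIRST_UNAFFECTED[branch]:
        return ("affected", UPGRADE_TO[branch])
    return ("not-affected", None)


def affected_hosts(inventory):
    """Map host -> upgrade target for every affected host in {host: version}."""
    out = {}
    for host, version in inventory.items():
        status, target = triage(version)
        if status == "affected":
            out[host] = target
    return out


# Constructed inventory (host names and versions are made up for the example).
SAMPLE_INVENTORY = {
    "core-8325-a": "GL.10.04.3031",
    "agg-6300-b": "FL.10.06.0100",
    "edge-6200-c": "10.07.0001",
    "lab-8400-d": "10.08.1010",
}

if __name__ == "__main__":
    for host, target in sorted(affected_hosts(SAMPLE_INVENTORY).items()):
        print(f"{host}: upgrade to {target} or later")
```

Versions that come back as "unparsed" or "branch-not-listed" fall outside the advisory's lists and need a manual check.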
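
For the PRSSI item (CVE-2021-29148), a web interface's pages can be audited for stylesheet references that depend on the request path. This is an added example, not Aruba code; the HTML, host name and URLs are constructed, and the check assumes the server returns the same page under both URLs passed in.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class StylesheetLinks(HTMLParser):
    """Collect <link rel="stylesheet"> hrefs and note a <base href>."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.has_base = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.has_base = True
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" in rels and a.get("href"):
            self.hrefs.append(a["href"])


def is_path_relative(href):
    """True for hrefs like "css/main.css": no scheme, no host, no leading /."""
    parts = urlsplit(href)
    return not (parts.scheme or parts.netloc or parts.path.startswith("/"))


def audit(html, page_url, alt_url):
    """Return (href, target_at_page_url, target_at_alt_url) for each
    stylesheet whose resolved location differs between the two URLs."""
    parser = StylesheetLinks()
    parser.feed(html)
    if parser.has_base:  # a <base href> pins resolution for the whole page
        return []
    findings = []
    for href in parser.hrefs:
        if is_path_relative(href):
            first, second = urljoin(page_url, href), urljoin(alt_url, href)
            if first != second:
                findings.append((href, first, second))
    return findings


# Constructed page: one path-relative and one root-relative stylesheet.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="css/main.css">
<link rel="stylesheet" href="/static/base.css">
</head><body>login</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, "https://switch.example/ui/login",
                         "https://switch.example/ui/login/extra/"):
        print(finding)
```

Each finding is a reference to rewrite as a root-relative or absolute URL; the root-relative `/static/base.css` in the sample is not reported because it resolves to the same location from any path.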