Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2021-016
CVE: CVE-2019-5318, CVE-2021-37716, CVE-2021-37717, CVE-2021-37718,
     CVE-2021-37719, CVE-2021-37720, CVE-2021-37721, CVE-2021-37722,
     CVE-2021-37723, CVE-2021-37724, CVE-2021-37725, CVE-2021-37728,
     CVE-2021-37729, CVE-2021-37731, CVE-2021-37733
Publication Date: 2021-Aug-31
Last Updated: 2021-Sep-10
Status: Confirmed
Severity: Critical
Revision: 2

Title
=====
ArubaOS Multiple Vulnerabilities

Overview
========
Aruba has released patches for ArubaOS that address multiple security
vulnerabilities.

Affected Products
=================
Aruba Mobility Conductor (formerly Mobility Master), Aruba Mobility
Controllers, Access-Points when managed by Mobility Controllers and Aruba
SD-WAN Gateways.

Affected versions:

Not all vulnerabilities in this advisory affect all ArubaOS branches. If an
ArubaOS branch is not listed as affected, no ArubaOS version in that branch
is affected. For example, the 6.4.x.x and 6.5.x.x branches are not affected
by CVE-2021-37717. Updating a branch of ArubaOS to the version listed in the
Resolution section at the end of this advisory resolves all known issues
with that branch.

Versions of ArubaOS and SD-WAN that are end of life should be considered to
be affected by these vulnerabilities. Impacted customers should plan to
migrate to a supported branch.

Branches that should be considered to be vulnerable and are not patched by
this advisory include:

- ArubaOS 8.0.x.x
- ArubaOS 8.1.x.x
- ArubaOS 8.2.x.x
- ArubaOS 8.4.x.x
- SD-WAN 1.0.x.x
- SD-WAN 2.0.x.x
- SD-WAN 2.1.x.x

Details
=======

Buffer Overflow Vulnerabilities in the PAPI protocol (CVE-2021-37716)
---------------------------------------------------------------------
There are multiple buffer overflow vulnerabilities that could lead to
unauthenticated remote code execution by sending specially crafted packets
destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211)
of devices running ArubaOS. This may potentially allow for denial-of-service
attacks and/or remote code execution in the underlying operating system.

Internal references: ATLWL-197, ATLWL-214
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program

Workaround: Enabling the Enhanced PAPI Security feature where available will
prevent exploitation of these vulnerabilities. Please contact TAC for
assistance if needed.

Affected Versions:
- ArubaOS 8.3.0.x: 8.3.0.14 and below
- ArubaOS 8.5.0.x: 8.5.0.11 and below
- ArubaOS 8.6.0.x: 8.6.0.7 and below
- ArubaOS 8.7.x.x: 8.7.1.1 and below
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.3 and below

Resolution:
- ArubaOS 8.3.0.x: 8.3.0.15 and above
- ArubaOS 8.5.0.x: 8.5.0.12 and above
- ArubaOS 8.6.0.x: 8.6.0.8 and above
- ArubaOS 8.7.x.x: 8.7.1.2 and above
- ArubaOS 8.8.0.x: 8.8.0.0 and above
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.4 and above
- SD-WAN-2.3.x.x: 8.7.0.0-2.3.0.0 and above

Authenticated Remote Command Execution in ArubaOS Web-based Management User
Interface (CVE-2021-37717, CVE-2021-37718)
---------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the ArubaOS
web-based management user interface. Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary commands as a
privileged user on the underlying operating system. This allows an attacker
to fully compromise the underlying operating system on the device running
ArubaOS.

Internal references: ATLWL-118, ATLWL-210
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz) and Jens Krabbenhoeft via Aruba's Bug Bounty Program

Workaround: Block access to the ArubaOS web-based management interface from
all untrusted users.

Affected Versions:
- ArubaOS 8.3.0.x: 8.3.0.15 and below
- ArubaOS 8.5.0.x: 8.5.0.11 and below
- ArubaOS 8.6.0.x: 8.6.0.6 and below
- ArubaOS 8.7.x.x: 8.7.1.3 and below
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.5 and below

Resolved Versions:
- ArubaOS 8.3.0.x: 8.3.0.16 and above
- ArubaOS 8.5.0.x: 8.5.0.12 and above
- ArubaOS 8.6.0.x: 8.6.0.7 and above
- ArubaOS 8.7.x.x: 8.7.1.4 and above
- ArubaOS 8.8.0.x: 8.8.0.0 and above
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.6 and above
- SD-WAN-2.3.x.x: 8.7.0.0-2.3.0.0 and above

Authenticated Remote Command Execution in ArubaOS Command Line Interface
(CVE-2021-37719, CVE-2021-37720, CVE-2021-37721, CVE-2021-37722)
---------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the ArubaOS command
line interface. Successful exploitation of these vulnerabilities results in
the ability to execute arbitrary commands as a privileged user on the
underlying operating system. This allows an attacker to fully compromise the
underlying operating system on the device running ArubaOS.

Internal references: ATLWL-90, ATLWL-100, ATLWL-142, ATLWL-165, ATLWL-166,
ATLWL-195, ATLWL-200, ATLWL-201, ATLWL-205
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program and by Mike
Cantonwine of Aruba Threat Labs.

Workaround: Block access to the ArubaOS Command Line Interface from all
untrusted users.

Affected Versions:
- ArubaOS 6.4.4.x: 6.4.4.24 and below
- ArubaOS 6.5.4.x: 6.5.4.19 and below
- ArubaOS 8.3.0.x: 8.3.0.15 and below
- ArubaOS 8.5.0.x: 8.5.0.12 and below
- ArubaOS 8.6.0.x: 8.6.0.8 and below
- ArubaOS 8.7.x.x: 8.7.1.3 and below
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.3 and below

Resolved Versions:
- ArubaOS 6.4.4.x: 6.4.4.25 and above
- ArubaOS 6.5.4.x: 6.5.4.20 and above
- ArubaOS 8.3.0.x: 8.3.0.16 and above
- ArubaOS 8.5.0.x: 8.5.0.13 and above
- ArubaOS 8.6.0.x: 8.6.0.9 and above
- ArubaOS 8.7.x.x: 8.7.1.4 and above
- ArubaOS 8.8.0.x: 8.8.0.0 and above
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.4 and above
- SD-WAN-2.3.x.x: 8.7.0.0-2.3.0.0 and above

Authenticated Remote Command Execution in Mobility Conductor ArubaOS Command
Line Interface (CVE-2021-37723, CVE-2021-37724)
---------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the ArubaOS command
line interface. These particular vulnerabilities are only present in
instances of the Mobility Conductor. Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary commands as a
privileged user on the underlying operating system. This allows an attacker
to fully compromise the underlying operating system on the Mobility
Conductor running ArubaOS.

Internal references: ATLWL-171, ATLWL-172, ATLWL-173, ATLWL-180, ATLWL-181
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program

Workaround: Block access to the Mobility Conductor Command Line Interface
from all untrusted users.

Affected Versions:
- ArubaOS 8.3.0.x: 8.3.0.15 and below
- ArubaOS 8.5.0.x: 8.5.0.11 and below
- ArubaOS 8.6.0.x: 8.6.0.7 and below
- ArubaOS 8.7.x.x: 8.7.1.1 and below

Resolved Versions:
- ArubaOS 8.3.0.x: 8.3.0.16 and above
- ArubaOS 8.5.0.x: 8.5.0.12 and above
- ArubaOS 8.6.0.x: 8.6.0.8 and above
- ArubaOS 8.7.x.x: 8.7.1.2 and above
- ArubaOS 8.8.0.x: 8.8.0.0 and above

ArubaOS Cross-Site Request Forgery in ArubaOS Web-based Management User
Interface Resulting in File Removal (CVE-2021-37725)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of ArubaOS could allow
an unauthenticated remote attacker to conduct a Cross-Site Request Forgery
(CSRF) attack against a vulnerable system. A successful exploit would consist
of an attacker persuading an authorized user to follow a malicious link,
resulting in the deletion of arbitrary files with the privilege level of the
targeted user.

Internal references: ATLWL-18
Severity: Medium
CVSSv3 Overall Score: 7.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Discovery: This vulnerability was discovered and reported by S4thi5h
(bugcrowd.com/S4thi5h) via Aruba's Bug Bounty Program

Workaround: None.

Affected Versions:
- ArubaOS 8.3.0.x: 8.3.0.14 and below
- ArubaOS 8.5.0.x: 8.5.0.11 and below
- ArubaOS 8.6.0.x: 8.6.0.7 and below
- ArubaOS 8.7.x.x: 8.7.1.1 and below
- ArubaOS 8.8.0.x: 8.8.0.0
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.3 and below

Resolved Versions:
- ArubaOS 8.3.0.x: 8.3.0.15 and above
- ArubaOS 8.5.0.x: 8.5.0.12 and above
- ArubaOS 8.6.0.x: 8.6.0.8 and above
- ArubaOS 8.7.x.x: 8.7.1.2 and above
- ArubaOS 8.8.0.x: 8.8.0.1 and above
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.4 and above
- SD-WAN-2.3.x.x: 8.7.0.0-2.3.0.0 and above

Lack of CSRF Protections in RAPConsole (CVE-2019-5318)
---------------------------------------------------------------------
The web interface for RAPConsole lacks Anti-CSRF protections in place for
state-changing operations. This can potentially be exploited by an attacker
to reboot the affected device if the attacker can convince a user to visit a
specially-crafted web page.

Internal references: ATLWL-175
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered and reported by Robert Vinson

Workaround: The RAPConsole or Local Debug homepage can be reached by users
in a split or bridge role. This can be prevented by configuring an ACL to
restrict access to the Local Debug (LD) homepage, which effectively prevents
this issue. Instructions on how to implement this ACL can be found at
https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/rap/rest-local-deb.htm
For further assistance please contact TAC.

Affected Versions:
- ArubaOS 6.x.x.x: all versions
- ArubaOS 8.x.x.x: all versions prior to 8.8.0.0

Resolution:
- ArubaOS 8.8.0.x: 8.8.0.0 and above

Authenticated Remote Path Traversal leading to Denial of Service in ArubaOS
Command Line Interface (CVE-2021-37728)
---------------------------------------------------------------------
Authenticated path traversal vulnerabilities exist in the ArubaOS command
line interface. Successful exploitation of these vulnerabilities results in
the ability to impact the integrity of critical files on the underlying
operating system. This allows an attacker to impact the availability of the
ArubaOS instance and may allow for modification of sensitive data.

Internal references: ATLWL-208, ATLWL-209
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program

Workaround: Block access to the ArubaOS Command Line Interface from all
untrusted users.

Affected Versions:
- ArubaOS 8.5.0.x: 8.5.0.12 and below
- ArubaOS 8.6.0.x: 8.6.0.10 and below
- ArubaOS 8.7.x.x: 8.7.1.3 and below
- ArubaOS 8.8.0.x: 8.8.0.0 and below

Resolved Versions:
- ArubaOS 8.5.0.x: 8.5.0.13 and above
- ArubaOS 8.6.0.x: 8.6.0.11 and above
- ArubaOS 8.7.x.x: 8.7.1.4 and above
- ArubaOS 8.8.0.x: 8.8.0.1 and above

Authenticated Remote Path Traversal leading to Denial of Service in ArubaOS
Web-based Management User Interface (CVE-2021-37729)
---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in the ArubaOS
web-based management interface. Successful exploitation of this
vulnerability results in the ability to impact the integrity of critical
files on the underlying operating system. This allows an attacker to impact
the availability of the ArubaOS instance and may allow for modification of
sensitive data.

Internal references: ATLWL-178
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Discovery: This vulnerability was discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program

Workaround: Block access to the ArubaOS web-based management interface from
all untrusted users.

Affected Versions:
- ArubaOS 6.4.4.x: 6.4.4.24 and below
- ArubaOS 6.5.4.x: 6.5.4.18 and below
- ArubaOS 8.3.0.x: 8.3.0.15 and below
- ArubaOS 8.5.0.x: 8.5.0.11 and below
- ArubaOS 8.6.0.x: 8.6.0.8 and below
- ArubaOS 8.7.x.x: 8.7.1.2 and below
- SD-WAN 2.2.x.x: 8.6.0.0-2.2.0.3 and below

Resolved Versions:
- ArubaOS 6.4.4.x: 6.4.4.25 and above
- ArubaOS 6.5.4.x: 6.5.4.19 and above
- ArubaOS 8.3.0.x: 8.3.0.16 and above
- ArubaOS 8.5.0.x: 8.5.0.12 and above
- ArubaOS 8.6.0.x: 8.6.0.9 and above
- ArubaOS 8.7.x.x: 8.7.1.3 and above
- ArubaOS 8.8.0.x: 8.8.0.0 and above
- SD-WAN 2.2.x.x: 8.6.0.0-2.2.0.4 and above
- SD-WAN-2.3.x.x: 8.7.0.0-2.3.0.0 and above

Authenticated Local Path Traversal Leading to Arbitrary File Read and Write
in ArubaOS Web-based Management User Interface and ArubaOS Command Line
Interface (CVE-2021-37731)
---------------------------------------------------------------------
An authenticated local path traversal vulnerability exists in the ArubaOS
web-based management interface and CLI. This vulnerability only affects
physical hardware controllers such as the 9000 series and 7x00 series.
Successful exploitation of this vulnerability requires physical access to
the controller and results in the ability to impact the integrity and
confidentiality of critical files on the underlying operating system. This
allows an attacker to impact the availability of the ArubaOS instance and
may allow for modification or disclosure of sensitive data.

Internal references: ATLWL-182
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program

Workaround: Exploitation requires physical access. Controllers in strictly
controlled physical environments are at low risk.

Affected Versions:
- ArubaOS 8.3.0.x: 8.3.0.15 and below
- ArubaOS 8.5.0.x: 8.5.0.11 and below
- ArubaOS 8.6.0.x: 8.6.0.6 and below
- ArubaOS 8.7.x.x: 8.7.1.0 and below
- SD-WAN 2.2.x.x: 8.6.0.0-2.2.0.3 and below

Resolved Versions:
- ArubaOS 8.3.0.x: 8.3.0.16 and above
- ArubaOS 8.5.0.x: 8.5.0.12 and above
- ArubaOS 8.6.0.x: 8.6.0.7 and above
- ArubaOS 8.7.x.x: 8.7.1.1 and above
- ArubaOS 8.8.0.x: 8.8.0.0 and above
- SD-WAN 2.2.x.x: 8.6.0.0-2.2.0.4 and above
- SD-WAN 2.3.x.x: 8.7.0.0-2.3.0.0 and above

Authenticated Remote Path Traversal in ArubaOS Command Line Interface Allows
for Arbitrary File Read (CVE-2021-37733)
---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in the ArubaOS command
line interface. Successful exploitation of this vulnerability results in the
ability to read arbitrary files on the underlying operating system,
including sensitive system files.

Internal references: ATLWL-179
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program

Workaround: Block access to the ArubaOS Command Line Interface from all
untrusted users.

Affected Versions:
- ArubaOS 8.3.0.x: 8.3.0.15 and below
- ArubaOS 8.5.0.x: 8.5.0.10 and below
- ArubaOS 8.6.0.x: 8.6.0.6 and below
- ArubaOS 8.7.x.x: 8.7.1.0 and below
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.3 and below

Resolved Versions:
- ArubaOS 8.3.0.x: 8.3.0.16 and above
- ArubaOS 8.5.0.x: 8.5.0.11 and above
- ArubaOS 8.6.0.x: 8.6.0.7 and above
- ArubaOS 8.7.x.x: 8.7.1.1 and above
- ArubaOS 8.8.0.x: 8.8.0.0 and above
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.4 and above
- SD-WAN-2.3.x.x: 8.7.0.0-2.3.0.0 and above

Resolution
==========
In order to address the vulnerabilities described above for the affected
release branches, it is recommended to upgrade the software to the following
versions (where applicable):

- ArubaOS 6.4.x.x: 6.4.4.25 and above
- ArubaOS 6.5.x.x: 6.5.4.20 and above
- ArubaOS 8.3.x.x: 8.3.0.16 and above
- ArubaOS 8.5.x.x: 8.5.0.13 and above
- ArubaOS 8.6.x.x: 8.6.0.11 and above
- ArubaOS 8.7.x.x: 8.7.1.4 and above
- ArubaOS 8.8.x.x: 8.8.0.1 and above
- SD-WAN-2.2.x.x: 8.6.0.4-2.2.0.6 and above
- SD-WAN-2.3.x.x: 8.7.0.0-2.3.0.0 and above

As a general rule, we do not evaluate or patch ArubaOS branches that have
reached their End of Support (EoS) milestone. For more information about
Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
In order to minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the communication between
Controller/Gateways and Access-Points be restricted either by having a
dedicated layer 2 segment/VLAN or, if Controller/Gateways and Access-Points
cross layer 3 boundaries, by having firewall policies restricting the
communication of these authorized devices. Also, enabling the Enhanced PAPI
Security feature will prevent the PAPI-specific vulnerabilities above from
being exploited. Contact Aruba Support for configuration assistance.
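To put the consolidated Resolution table to use across a fleet, here is an added example (not Aruba's own tooling) that parses ArubaOS and composite SD-WAN version strings and classifies each as patched, affected, or end-of-life according to this advisory; the hostnames in the sample inventory are made up.

```python
"""Triage ArubaOS / SD-WAN versions against the consolidated Resolution table of
ARUBA-PSA-2021-016. Added example, not Aruba tooling; hostnames below are made up."""
import re

# Consolidated Resolution table from the advisory: branch -> first fixed version.
ARUBAOS_FIXED = {
    "6.4": "6.4.4.25", "6.5": "6.5.4.20", "8.3": "8.3.0.16", "8.5": "8.5.0.13",
    "8.6": "8.6.0.11", "8.7": "8.7.1.4", "8.8": "8.8.0.1",
}
# SD-WAN versions are composite "<ArubaOS base>-<SD-WAN>"; the SD-WAN part is compared.
SDWAN_FIXED = {"2.2": "8.6.0.4-2.2.0.6", "2.3": "8.7.0.0-2.3.0.0"}
# Branches the advisory names as vulnerable but not patched by this advisory.
ARUBAOS_EOL = {"8.0", "8.1", "8.2", "8.4"}
SDWAN_EOL = {"1.0", "2.0", "2.1"}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+){3})(?:-(\d+(?:\.\d+){3}))?$")


def parse_version(text):
    """Return (arubaos_tuple, sdwan_tuple_or_None) for e.g. '8.6.0.4-2.2.0.3'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ArubaOS/SD-WAN version: %r" % text)
    base = tuple(int(p) for p in m.group(1).split("."))
    sdwan = tuple(int(p) for p in m.group(2).split(".")) if m.group(2) else None
    return base, sdwan


def assess(text):
    """Classify one version: 'patched', 'affected', 'end-of-life' or 'unknown-branch'."""
    base, sdwan = parse_version(text)
    is_sdwan = sdwan is not None
    running = sdwan if is_sdwan else base
    fixed_table = SDWAN_FIXED if is_sdwan else ARUBAOS_FIXED
    branch = "%d.%d" % running[:2]
    if branch in (SDWAN_EOL if is_sdwan else ARUBAOS_EOL):
        return "end-of-life"
    if branch not in fixed_table:
        return "unknown-branch"
    fixed_base, fixed_sdwan = parse_version(fixed_table[branch])
    fixed = fixed_sdwan if is_sdwan else fixed_base
    # Tuple comparison is component-wise, so 8.6.0.11 correctly sorts above 8.6.0.7.
    return "patched" if running >= fixed else "affected"


def triage(inventory):
    """Map 'hostname version' lines to (host, version, status) triples."""
    return [(h, v, assess(v)) for h, v in (line.split() for line in inventory)]


# Constructed sample inventory: hostnames are made up, versions come from the advisory.
SAMPLE_INVENTORY = ["mc-core-1 8.6.0.7", "mc-core-2 8.6.0.11",
                    "gw-branch-1 8.6.0.4-2.2.0.3", "mc-legacy 8.4.0.2"]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print("%-12s %-16s %s" % (host, version, status))
```

The per-CVE sections carry their own tables (CVE-2019-5318, for instance, gives only 8.8.0.0 and above as its resolution), so a result from the consolidated table is a first cut, not a per-CVE verdict.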
Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that targets
these specific vulnerabilities.

Revision History
================
Revision 1 / 2021-Aug-31 / Initial release
Revision 2 / 2021-Sep-10 / Typo correction in top CVE block

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP
encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.