Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2021-017
CVE: CVE-2021-37726, CVE-2021-37727, CVE-2021-37730,
     CVE-2021-37732, CVE-2021-37734, CVE-2021-37735
Publication Date: 2021-Oct-05
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
Aruba Instant (IAP) Multiple Vulnerabilities

Overview
========
Aruba has released patches for Aruba Instant that address multiple
security vulnerabilities.

Affected Products
=================
Aruba Instant Access Points

Affected versions:
Not all vulnerabilities in this advisory affect all Aruba Instant
branches. If an Aruba Instant branch is not listed as affected, no
Aruba Instant version in that branch is affected. For example, the
6.4.x.x and 6.5.x.x branches are not affected by CVE-2021-37734.

Versions of Aruba Instant that are end of life should be considered
affected. Impacted customers should plan to upgrade to a supported
branch. Branches that should be considered vulnerable and are not
patched under this advisory include:
- Aruba Instant 8.3.x.x
- Aruba Instant 8.4.x.x

Unaffected Products
===================
Aruba Mobility Conductor (formerly Mobility Master), Aruba Mobility
Controllers, Access Points when managed by Mobility Controllers, and
Aruba SD-WAN Gateways are not affected by these vulnerabilities.
Aruba Instant On is also not affected by these vulnerabilities.

Details
=======

Buffer Overflow Vulnerability in the PAPI protocol (CVE-2021-37726)
---------------------------------------------------------------------
There is a buffer overflow vulnerability that could lead to
unauthenticated remote code execution by sending specially crafted
packets destined for the PAPI (Aruba Networks AP management protocol)
UDP port (8211). Successful exploitation of this vulnerability results
in the ability to execute arbitrary code as a privileged user on the
underlying operating system.
Internal reference: ATLWL-147
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Workarounds:
Block access to the Aruba Instant device IP address on port UDP/8211
from all untrusted users. Also, enabling the Enhanced PAPI Security
feature will prevent the vulnerability from being exploited.

Affected Versions:
- Aruba Instant 8.7.x.x: 8.7.0.0 through 8.7.1.2

Resolved Versions:
- Aruba Instant 8.7.x.x: 8.7.1.3 and above
- Aruba Instant 8.8.x.x: 8.8.0.0 and above
- Aruba Instant 8.9.x.x: 8.9.0.0 and above

Note: This did not affect versions of Aruba Instant prior to 8.7.0.0.

Authenticated Remote Command Execution in Aruba Instant Command Line
Interface (CVE-2021-37727, CVE-2021-37730)
---------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the Aruba
Instant command line interface. Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary commands
as a privileged user on the underlying operating system. This allows
an attacker to fully compromise the underlying operating system
running on the Aruba Instant Access Point.

Internal references: ATLWL-123, ATLWL-134, ATLWL-146
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Daniel Jensen
(@dozernz) and Erik de Jong (bugcrowd.com/erikdejong) via Aruba's
Bug Bounty Program.

Workaround:
Block access to the Aruba Instant Command Line Interface from all
untrusted users.
Affected Versions:
- Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.18 and below
- Aruba Instant 6.5.x.x: 6.5.4.20 and below
- Aruba Instant 8.5.x.x: 8.5.0.12 and below
- Aruba Instant 8.6.x.x: 8.6.0.11 and below
- Aruba Instant 8.7.x.x: 8.7.1.3 and below

Resolved Versions:
- Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.19 and above
- Aruba Instant 6.5.x.x: 6.5.4.21 and above
- Aruba Instant 8.5.x.x: 8.5.0.13 and above
- Aruba Instant 8.6.x.x: 8.6.0.12 and above
- Aruba Instant 8.7.x.x: 8.7.1.4 and above
- Aruba Instant 8.8.x.x: 8.8.0.0 and above
- Aruba Instant 8.9.x.x: 8.9.0.0 and above

Authenticated Remote Command Execution in Aruba Instant Web-based
Management User Interface (CVE-2021-37732)
---------------------------------------------------------------------
An authenticated command injection vulnerability exists in the Aruba
Instant web-based management user interface. Successful exploitation
of this vulnerability results in the ability to execute arbitrary
commands as a privileged user on the underlying operating system. This
allows an attacker to fully compromise the underlying operating system
running on the Aruba Instant Access Point.

Internal reference: ATLWL-169
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's Bug Bounty Program.

Workaround:
Block access to the Aruba Instant web-based management interface from
all untrusted users.
Affected Versions:
- Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.17 and below
- Aruba Instant 6.5.x.x: 6.5.4.18 and below
- Aruba Instant 8.5.x.x: 8.5.0.11 and below
- Aruba Instant 8.6.x.x: 8.6.0.6 and below
- Aruba Instant 8.7.x.x: 8.7.1.0 and below

Resolved Versions:
- Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.18 and above
- Aruba Instant 6.5.x.x: 6.5.4.19 and above
- Aruba Instant 8.5.x.x: 8.5.0.12 and above
- Aruba Instant 8.6.x.x: 8.6.0.7 and above
- Aruba Instant 8.7.x.x: 8.7.1.1 and above
- Aruba Instant 8.8.x.x: 8.8.0.0 and above
- Aruba Instant 8.9.x.x: 8.9.0.0 and above

Authenticated Arbitrary File Read in Aruba Instant Command Line
Interface (CVE-2021-37734)
---------------------------------------------------------------------
An authenticated arbitrary file read vulnerability exists in affected
Aruba Instant Access Points. Successful exploitation of this
vulnerability results in an attacker being able to read any file from
the underlying filesystem, including sensitive system files.

Internal reference: ATLWL-222
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery:
This vulnerability was discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Workaround:
Block access to the Aruba Instant Command Line Interface from all
untrusted users.
Affected Versions:
- Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.18 and below
- Aruba Instant 6.5.x.x: 6.5.4.19 and below
- Aruba Instant 8.5.x.x: 8.5.0.12 and below
- Aruba Instant 8.6.x.x: 8.6.0.11 and below
- Aruba Instant 8.7.x.x: 8.7.1.3 and below
- Aruba Instant 8.8.x.x: 8.8.0.0 and below

Resolved Versions:
- Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.19 and above
- Aruba Instant 6.5.x.x: 6.5.4.20 and above
- Aruba Instant 8.5.x.x: 8.5.0.13 and above
- Aruba Instant 8.6.x.x: 8.6.0.12 and above
- Aruba Instant 8.7.x.x: 8.7.1.4 and above
- Aruba Instant 8.8.x.x: 8.8.0.1 and above
- Aruba Instant 8.9.x.x: 8.9.0.0 and above

Authenticated String Format Vulnerabilities Leading to Denial of
Service in Aruba Instant Command Line Interface (CVE-2021-37735)
---------------------------------------------------------------------
Multiple string format vulnerabilities exist in the Aruba Instant
command line interface. Triggering these vulnerabilities has been
shown in some instances to lead to a denial-of-service condition on
the affected access point, resulting in temporary loss of service.

Internal reference: ATLWL-170
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Discovery:
This vulnerability was discovered and reported by Nicholas Starke of
Aruba Threat Labs.

Workaround:
Block access to the Aruba Instant command line interface from all
untrusted users.
Affected Versions:
- Aruba Instant 6.5.x.x: 6.5.4.18 and below
- Aruba Instant 8.5.x.x: 8.5.0.10 and below
- Aruba Instant 8.6.x.x: 8.6.0.4 and below

Resolved Versions:
- Aruba Instant 6.5.x.x: 6.5.4.19 and above
- Aruba Instant 8.5.x.x: 8.5.0.11 and above
- Aruba Instant 8.6.x.x: 8.6.0.5 and above
- Aruba Instant 8.7.x.x: 8.7.0.0 and above
- Aruba Instant 8.8.x.x: 8.8.0.0 and above
- Aruba Instant 8.9.x.x: 8.9.0.0 and above

Resolution
==========
To address the vulnerabilities described above in the affected release
branches, upgrade the software to the following versions (where
applicable):
- Aruba Instant 6.4.x.x: 6.4.4.8-4.2.4.19 and above
- Aruba Instant 6.5.x.x: 6.5.4.21 and above
- Aruba Instant 8.5.x.x: 8.5.0.13 and above
- Aruba Instant 8.6.x.x: 8.6.0.12 and above
- Aruba Instant 8.7.x.x: 8.7.1.4 and above
- Aruba Instant 8.8.x.x: 8.8.0.1 and above
- Aruba Instant 8.9.x.x: 8.9.0.0 and above

As a general rule, we do not evaluate or patch Aruba Instant software
branches that have reached their End of Support (EoS) milestone. For
more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
Workarounds are listed per vulnerability above. Contact Aruba TAC for
any configuration assistance.

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that
targets these specific vulnerabilities as of the publication of this
advisory.

Revision History
================
Revision 1 / 2021-Oct-05 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com.
For sensitive information we encourage the use of PGP encryption. Our
public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
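The following triage helper is an added example, not part of Aruba's advisory or tooling: it applies the per-branch minimum versions from the Resolution section above to an inventory of access points, comparing versions field by field so that both notations the advisory uses ("8.7.1.2" and "6.4.4.8-4.2.4.18") work, and flags the 8.3.x.x and 8.4.x.x branches as unsupported rather than attempting a version comparison. The AP names and firmware versions in the sample inventory are constructed.

```python
"""Triage Aruba Instant firmware versions against ARUBA-PSA-2021-017.

Field-by-field comparison handles both notations the advisory uses,
"8.7.1.2" and "6.4.4.8-4.2.4.18", within a release branch.
"""
import re
from typing import Dict, List, Tuple

# Minimum fixed version per branch, from the Resolution section of the advisory.
FIXED: Dict[str, str] = {
    "6.4": "6.4.4.8-4.2.4.19",
    "6.5": "6.5.4.21",
    "8.5": "8.5.0.13",
    "8.6": "8.6.0.12",
    "8.7": "8.7.1.4",
    "8.8": "8.8.0.1",
    "8.9": "8.9.0.0",
}
# Branches the advisory names as vulnerable but not patched (end of support).
EOS_BRANCHES = {"8.3", "8.4"}

def parse_version(v: str) -> Tuple[int, ...]:
    """'6.4.4.8-4.2.4.18' -> (6, 4, 4, 8, 4, 2, 4, 18); rejects anything else."""
    if not re.fullmatch(r"\d+(?:[.\-]\d+)+", v):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in re.split(r"[.\-]", v))

def assess(v: str) -> str:
    """Classify one version: 'patched', 'vulnerable', 'unsupported' or 'unlisted'."""
    fields = parse_version(v)
    branch = f"{fields[0]}.{fields[1]}"
    if branch in EOS_BRANCHES:
        return "unsupported"  # advisory: treat as affected, move to a supported branch
    if branch not in FIXED:
        return "unlisted"     # branch not evaluated by this advisory; check separately
    return "patched" if fields >= parse_version(FIXED[branch]) else "vulnerable"

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group AP names by status. inventory maps AP name -> firmware version."""
    out: Dict[str, List[str]] = {s: [] for s in ("patched", "vulnerable", "unsupported", "unlisted")}
    for ap, version in inventory.items():
        out[assess(version)].append(ap)
    return out

if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative only.
    sample = {"ap-01": "8.7.1.2", "ap-02": "8.7.1.4", "ap-03": "6.4.4.8-4.2.4.18",
              "ap-04": "8.4.0.0", "ap-05": "8.8.0.0"}
    for status, aps in triage(sample).items():
        print(f"{status:12s}{', '.join(aps) or '-'}")
```

Note that the table encodes the cumulative fix level per branch, so a version such as 8.7.1.3, which resolves CVE-2021-37726 but not the later CLI issues, is still reported as vulnerable.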