Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-001
CVE: CVE-2020-5953, CVE-2021-41610, CVE-2021-41840, CVE-2021-41841,
     CVE-2021-41839, CVE-2020-27339, CVE-2021-33626, CVE-2021-33627,
     CVE-2021-41838, CVE-2021-41837, CVE-2021-43323, CVE-2021-42554,
     CVE-2021-33625, CVE-2021-43522, CVE-2021-42113, CVE-2021-42059
Publication Date: 2022-Feb-01
Last Update: 2023-Jul-18
Status: Confirmed
Severity: Low
Revision: 2

Title
=====
Aruba CX 8000 Series Switches Multiple UEFI Vulnerabilities

Overview
========
On February 1st, 2022, multiple vulnerabilities in the UEFI
implementation of InsydeH2O BIOS were made public. Aruba CX 8000
series switches are affected by these vulnerabilities.

Affected Products
=================
HPE Aruba Networking Aruba Switch Models:
  - Aruba CX 8400 Switch Series (including line cards)
  - Aruba CX 8325 Switch Series
  - Aruba CX 8320 Switch Series

Software Branch Versions:
  - AOS-CX 10.10.xxxx: 10.10.0002 and below.
  - AOS-CX 10.06.xxxx: 10.06.0200 and below.

All other AOS-CX software versions that are not listed under the
resolution section are unsupported and considered to be affected.
Software branch versions of AOS-CX that are end of life are affected
by this vulnerability unless otherwise indicated.

Unaffected Products
===================
  - All other HPE Aruba Networking Switches, including other models
    of Aruba CX switches are not affected. This includes the Aruba
    CX 10000 switches and the Aruba CX 8360 switches.

Details
=======
Multiple vulnerabilities in InsydeH2O-based UEFI firmware were
discovered and privately reported. InsydeH2O UEFI firmware is used by
many vendors. These vulnerabilities also affect ArubaOS-CX 8000 series
products because they utilize InsydeH2O-based UEFI firmware.

Exploiting these vulnerabilities requires obtaining a "foothold" on
the targeted device.
This means that an attacker must already have an operating system
shell as the root user in order to exploit any of these
vulnerabilities.

Details on these vulnerabilities can be found at:
https://github.com/binarly-io/Vulnerability-REsearch

Resolution
==========
To address the vulnerabilities in the affected software branches and
switch platforms described above, it is recommended to upgrade the
software to one of the following versions (as applicable):

  - AOS-CX 10.12.xxxx: 10.12.0006 and above.
  - AOS-CX 10.11.xxxx: 10.11.0001 and above.
  - AOS-CX 10.10.xxxx: 10.10.1000 and above.
  - AOS-CX 10.06.xxxx: 10.06.0210 and above.

HPE Aruba Networking does not evaluate or patch AOS-CX firmware
versions that have reached their End of Support (EoS) milestone.
Supported versions as of the publication date of this advisory are:

  - AOS-CX 10.12.xxxx
  - AOS-CX 10.11.xxxx
  - AOS-CX 10.10.xxxx
  - AOS-CX 10.06.xxxx

For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

The risk of exploitation is considered low because there are many
pre-requisite conditions that must be in place for these
vulnerabilities to be exploited.

Customers should be aware that there is inherent risk in upgrading
the BIOS of ArubaOS-CX switches. If the switch is power-cycled for any
reason during update, the only option is to RMA the switch.

Exploitation and Public Discussion
==================================
Successful exploitation of these vulnerabilities can result in an
attacker executing code with the highest possible permission level
available on the platform. Specifically, exploitation can lead to code
execution in System Management Mode (SMM), which is more privileged
than even kernel-mode code execution.

HPE Aruba Networking is not aware of any public proof of concept code.
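
Added example (not part of the HPE Aruba Networking advisory): fleet
triage against the Affected Products and Resolution sections above.
The inventory rows, the names triage() and needs_action(), and the
optional two-letter platform prefix on version strings are assumptions
made for illustration.

```python
import re

# First fixed build per branch, from the Resolution section.
FIXED_IN = {(10, 12): 6, (10, 11): 1, (10, 10): 1000, (10, 6): 210}
# Affected switch series, from the Affected Products section.
AFFECTED_SERIES = re.compile(r"\b(8400|8325|8320)\b")
# Assumption: versions look like "10.06.0200", optionally with a
# two-letter platform prefix such as "XX.10.06.0200".
VERSION = re.compile(r"^(?:[A-Z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")


def triage(model: str, version: str) -> str:
    """Classify one switch as not-affected, fixed, vulnerable or
    unsupported-branch (which the advisory treats as affected)."""
    if not AFFECTED_SERIES.search(model):
        return "not-affected"
    m = VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised AOS-CX version: {version!r}")
    major, minor, build = (int(g) for g in m.groups())
    first_fixed = FIXED_IN.get((major, minor))
    if first_fixed is None:
        # Branch not listed under Resolution: the advisory considers it
        # unsupported and affected. Branches released after the advisory's
        # last update also land here and need a manual check.
        return "unsupported-branch"
    return "fixed" if build >= first_fixed else "vulnerable"


# Constructed inventory: (hostname, model, running version).
INVENTORY = [
    ("core-1", "Aruba CX 8400", "10.10.0002"),
    ("core-2", "Aruba CX 8400", "10.10.1000"),
    ("agg-1", "Aruba CX 8325-48Y8C", "XX.10.06.0200"),
    ("agg-2", "Aruba CX 8320", "10.09.1010"),
    ("leaf-1", "Aruba CX 8360", "10.06.0100"),
]


def needs_action(inventory):
    """Hostnames that still need the upgrade or a mitigation."""
    return [host for host, model, ver in inventory
            if triage(model, ver) in ("vulnerable", "unsupported-branch")]


if __name__ == "__main__":
    for host, model, ver in INVENTORY:
        print(f"{host:8} {model:22} {ver:14} {triage(model, ver)}")
```
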

Workaround and Mitigations
==========================
"Enhanced Secure Mode" can be enabled on the ArubaOS-CX switch to
prevent shell access via the command line interface (CLI). With this
enabled, an attacker would have to exploit another, different
vulnerability first in order to obtain the level of access necessary
to exploit these vulnerabilities.

To enable "Enhanced Secure Mode", run "secure-mode enhanced" from the
"SVOS" prompt, which is accessible from the console before the primary
operating system is loaded. If technical assistance is needed, please
contact HPE Services - Aruba Networking TAC.

Another method to limit shell access would be to use an external
TACACS+ authorization server and deny access to the start-shell
command to all users except those who specifically require it. For
further information on using TACACS+ to implement command
authorization, refer to the documentation for your preferred TACACS+
software platform.

To further minimize the likelihood of an attacker exploiting these
vulnerabilities, HPE Aruba Networking recommends that the CLI and
web-based management interfaces for ArubaOS-CX 8000 series switches be
restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

These mitigation options are available in all current versions of
ArubaOS-CX. Upgrading is not necessary to implement these mitigations.

Discovery
=========
These vulnerabilities were discovered and reported by BINARLY
efiXplorer team through US-CERT/VINCE.

Revision History
================
Revision 1 / 2022-Feb-01 / Initial release
Revision 2 / 2023-Jul-18 / Updated affected and resolution information

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE
Aruba Networking products and obtaining assistance with security
incidents is available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.