-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-002
CVE: CVE-2020-5953, CVE-2021-41610, CVE-2021-41840, CVE-2021-41841,
     CVE-2021-41839, CVE-2020-27339, CVE-2021-33626, CVE-2021-33627,
     CVE-2021-41838, CVE-2021-41837, CVE-2021-43323, CVE-2021-42554,
     CVE-2021-33625, CVE-2021-43522, CVE-2021-42113, CVE-2021-42059
Publication Date: 2022-Feb-01
Last Update: 2023-Aug-31
Status: Confirmed
Severity: Low
Revision: 2

Title
=====
9200 and 9000 Series Controllers and Gateways Multiple UEFI Vulnerabilities

Overview
========
On February 1st, 2022, multiple vulnerabilities in the UEFI implementation of
Insyde H20 BIOS were made public. HPE Aruba Networking 9200 and 9000 Series
Controllers and Gateways are affected by these vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Aruba 9004 Gateway
- Aruba 9004-LTE Series Gateway
- Aruba 9012 Series Gateway
- Aruba 9240 Series Gateway

Affected Software Versions and Branches:
- ArubaOS 10.4.x.x: 10.4.0.1 and below
- ArubaOS 8.11.x.x: 8.11.1.0 and below
- ArubaOS 8.10.x.x: 8.10.0.6 and below
- ArubaOS 8.6.x.x: 8.6.0.21 and below

The following ArubaOS and SD-WAN software branches that are End of Support are
affected by these vulnerabilities and are not patched by this advisory:
- ArubaOS 10.3.x.x: all
- ArubaOS 8.9.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all

Unaffected Products
===================
- All other HPE Aruba Networks Controllers and Gateways are not affected.

Details
=======
Multiple vulnerabilities in Insyde H20-based UEFI firmware were discovered and
privately reported. Insyde H20 UEFI firmware is used by many vendors. These
vulnerabilities also affect Aruba 9200 and 9000 Series Controllers and Gateways
because they utilize Insyde H20-based UEFI firmware.

Exploiting these vulnerabilities requires obtaining a "foothold" on the targeted
device. This means that an attacker must already have an operating system shell
as the root user in order to exploit any of these vulnerabilities.

Details on these vulnerabilities can be found at:
https://github.com/binarly-io/Vulnerability-REsearch

Resolution
==========
Upgrade impacted 9200 and 9000 Series Controllers and Gateways to one of the
following ArubaOS versions to resolve all the vulnerabilities described in the
Details section:
- ArubaOS 10.4.x.x: 10.4.0.2 and above
- ArubaOS 8.11.x.x: 8.11.1.1 and above
- ArubaOS 8.10.x.x: 8.10.0.7 and above
- ArubaOS 8.6.x.x: 8.6.0.22 and above

HPE Aruba Networking does not evaluate or patch ArubaOS branches that have
reached their End of Support (EoS) milestone. For more information about Aruba's
End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

The risk of exploitation is considered low because there are many prerequisite
conditions that must be in place for these vulnerabilities to be exploited.

Exploitation and Public Discussion
==================================
Successful exploitation of these vulnerabilities can result in an attacker
executing code with the highest possible permission level available on the
platform. Specifically, exploitation can lead to code execution in System
Management Mode (SMM), which is more privileged than even kernel-mode code
execution.

HPE Aruba Networking is not aware of any public proof of concept code.

Workaround and Mitigations
==========================
The ArubaOS platform does not grant users root access. An attacker would have to
exploit another, different vulnerability first in order to obtain the level of
access necessary to exploit these vulnerabilities.
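As an added example (not part of this advisory and not HPE tooling): a small Python helper that classifies the ArubaOS or SD-WAN version string reported by a 9200/9000 Series gateway against the affected, fixed and End-of-Support branches listed in the Affected Products and Resolution sections above, so an inventory can be triaged for the required upgrade. The hostnames and version strings in the sample inventory are constructed.

```python
# Affected ArubaOS branch (major, minor) -> first fixed release, per the Resolution section.
FIXED_BY_BRANCH = {
    (10, 4): (10, 4, 0, 2),
    (8, 11): (8, 11, 1, 1),
    (8, 10): (8, 10, 0, 7),
    (8, 6): (8, 6, 0, 22),
}
# ArubaOS branches listed as End of Support: affected, no fix in this advisory.
EOS_BRANCHES = [(10, 3), (8, 9), (8, 8), (8, 7), (6, 5, 4)]
# SD-WAN builds look like "<ArubaOS base>-<build>", e.g. "8.7.0.0-2.3.0.1" (constructed);
# the advisory lists these two base/build combinations as End of Support.
EOS_SDWAN = {"8.7.0.0": (2, 3, 0), "8.6.0.4": (2, 2)}


def parse_version(text: str) -> tuple:
    """Turn 'a.b.c.d' into a tuple of ints so releases compare lexicographically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'fixed', 'affected', 'eos-affected' or 'unlisted' for one version string."""
    if "-" in version:  # SD-WAN style: ArubaOS base plus SD-WAN build number
        base, build = version.split("-", 1)
        eos_build = EOS_SDWAN.get(base)
        if eos_build and parse_version(build)[: len(eos_build)] == eos_build:
            return "eos-affected"
        return "unlisted"
    v = parse_version(version)
    for branch in EOS_BRANCHES:  # EoS prefixes are checked before the fixed branches
        if v[: len(branch)] == branch:
            return "eos-affected"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if v >= fixed else "affected"


def triage(inventory: dict) -> dict:
    """Map device name -> status, so the 'affected'/'eos-affected' set can be scheduled."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"gw-branch-01": "8.10.0.6", "gw-branch-02": "8.10.0.7",
              "gw-hub-01": "10.4.0.1", "gw-old-01": "8.9.0.3",
              "gw-sdwan-01": "8.7.0.0-2.3.0.5"}
    for name, status in sorted(triage(sample).items()):
        print(f"{name:14s} {sample[name]:18s} {status}")
```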
To further minimize the likelihood of an attacker exploiting these
vulnerabilities, HPE Aruba Networking usually recommends that the CLI and
web-based management interfaces for networking equipment be restricted to a
dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3
and above.

For gateways that are directly connected to the internet, as in the case of the
Aruba SD-WAN solution, please refer to the following document for details on
hardening the WAN interface and its default policies:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00104476en_us

Discovery
=========
These vulnerabilities were discovered and reported by the BINARLY efiXplorer
team through US-CERT/VINCE.

Revision History
================
Revision 1 / 2022-Feb-01 / Initial release
Revision 2 / 2023-Aug-31 / Updated affected and resolution information

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP
encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at the
top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.