-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-003 CVE: CVE-2021-4034 Publication Date: 2022-Feb-01 Last Update: 2022-Mar-03 Status: Confirmed Severity: Medium Revision: 3 Title ===== Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Overview ======== The Qualys Research Team has discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program installed in many major Linux distributions. Exploitation of this vulnerability allows for any unprivileged local user to gain full root privileges on the affected host. More information about this vulnerability can be found at https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034 Affected Products ================= -- Aruba Analytics and Location Engine: -- ALE 2.2.0.x: 2.2.0.1 and below -- Aruba Central On Prem (COP) -- Central On Prem 2.5.x.x: 2.5.4.2 and below -- Aruba ClearPass Policy Manager: -- CPPM 6.10.x: 6.10.3 and below -- CPPM 6.9.x: 6.9.9 and below -- CPPM 6.8.x: 6.8.9-HF1 and below -- CPPM 6.7.x: All versions 6.7.x and below -- Silver Peak Orchestrator: For details visit https://www.arubanetworks.com/website/techdocs/sdwan/docs/advisories/ Unaffected Products =================== -- AirWave Management Platform -- Aruba Instant / Aruba Instant Access Points -- ArubaOS Wi-Fi Controllers and Gateways -- ArubaOS SD-WAN Gateways -- ArubaOS-CX Switches -- ArubaOS-S Switches -- HP ProCurve Switches -- Aruba Instant On -- Aruba IntroSpect -- Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM) -- Aruba NetEdit -- Aruba User Experience Insight (UXI) -- Aruba VIA Client -- Silver Peak EdgeConnect Other Aruba products not listed above are also not known to be affected by the vulnerability. Details ======= A vulnerability in a commonly installed operating system component has been identified in some Aruba products. This allows for a lower privileged local user with the ability to run arbitrary shell commands to escalate to root privilege on the underlying operating system. Affected products do not allow users to have local access to an unrestricted underlying operating system command shell during normal operation. Because of this, exploitation of this flaw in Aruba products would occur as part of an attack chain involving another security vulnerability and would not be easily exploitable during regular operation of the product. Resolution ========== Aruba is currently working on fixes for all affected products. Patch details will be published in this section. -- Aruba Analytics and Location Engine (ALE): -- ALE 2.2.0.x: 2.2.0.2 and above -- Aruba Central On Prem (COP) -- Central On Prem 2.5.x.x: 2.5.4.3 and above -- Aruba ClearPass Policy Manager: -- CPPM 6.10.x: 6.10.3-HF1 or 6.10.4 and above -- CPPM 6.9.x: 6.9.9-HF1 or 6.9.10 and above -- CPPM 6.8.x: 6.8.9-HF2 and above Workaround and Mitigations ========================== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment or VLAN and/or controlled by firewall policies at layer 3 and above. Exploitation and Public Discussion ================================== Details about the vulnerability were published at https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034 Discovery ========= This vulnerability was discovered by the Qualys Research Team Revision History ================ Revision 1 / 2022-Feb-01/ Initial release Revision 2 / 2022-Feb-23/ Affected products and resolution updated with ClearPass and ALE details Revision 3 / 2022-Mar-03 Affected products and resolution updated with CoP. Corrected EdgeConnect branding Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/ For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmIdEFcXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtkb0wf/fi+gQv6MC2yFdYidxMayFfId 9kw/bIYSAwXx2YcE/EwPsewK+k8fr52Pc5i8FYsluoGLJM2vC3WDEL3+m1Tn9Pch Mxn6yEABT01xXmyEqyf4lkGkfDN3K9EdcN+57UC1k5utlwBtTy217l9c1BVjBBTI XPTenYJZdHCsGP2pFfuAbGUtMV45hCZCGmNnETpbzi/zAu/o/J2/DM/LdydegvlT dXJlFXy4nqaZGr1sYSUYHYzyVjM/X4gZMn03Jei6/BPEEvyEMj4noVuat+1Cl+yF siZjaRWPYPckITqynSUJyzt+l1RmkHv7lSznZKBP2UTu/sUT2vrIJftomuVg3A== =GI1m -----END PGP SIGNATURE-----