-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-004
CVE: CVE-2021-41000, CVE-2021-41001, CVE-2021-41002, CVE-2021-41003,
     CVE-2021-3712, CVE-2002-20001, CVE-2017-6168, CVE-2017-17382,
     CVE-2017-17427, CVE-2017-17428, CVE-2017-12373, CVE-2017-13098,
     CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883, CVE-2012-5081
Publication Date: 2022-Feb-22
Last Update: 2022-Apr-06
Status: Confirmed
Severity: High
Revision: 2

Title
=====
AOS-CX Switches Multiple Vulnerabilities

Overview
========
Aruba has released updates for wired switch products running AOS-CX
that address multiple security vulnerabilities.

Affected Products
=================
These vulnerabilities affect Aruba 4100i, 6100, 6200, 6300, 6400,
8320, 8325, 8360, and 8400 model switches running the following
versions of the AOS-CX firmware:

- AOS-CX 10.06.xxxx: 10.06.0170 and below
- AOS-CX 10.07.xxxx: 10.07.0050 and below
- AOS-CX 10.08.xxxx: 10.08.1030 and below
- AOS-CX 10.09.xxxx: 10.09.0002 and below

Not all vulnerabilities in this advisory affect all AOS-CX branches.
If an AOS-CX branch is not listed as affected by a given
vulnerability, no version in that branch is affected by it. For
example, the 10.06.xxxx branch is not affected by CVE-2021-41001 and
the 10.09.xxxx branch is not affected by CVE-2021-3712.

The following unsupported branches of AOS-CX software were not
validated and may contain these vulnerabilities:

- AOS-CX 10.05.xxxx and below

Unaffected Products
===================
Any other Aruba products not listed above, including Aruba
Intelligent Edge Switches and HPE OfficeConnect Switches, are not
affected by these vulnerabilities.
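The branch rules above, together with the per-vulnerability "Affected
Versions" tables in the Details section, can be applied mechanically to
the version string a switch reports. The Python script below is an added
example written for this page; it is not Aruba tooling and is not part of
the advisory. It transcribes the advisory's tables verbatim and makes two
assumptions that are not stated in the advisory: that AOS-CX version
strings have the form 10.08.1030 with an optional two-letter platform
prefix (for example FL.10.08.1030), and that "show version" prints a line
of the form "Version : FL.10.08.1030". The sample "show version" output
is constructed, not captured from a switch.

```python
import re

# Highest affected build per branch, per advisory entry, transcribed from the
# "Affected Versions" tables in this advisory. A branch absent from an entry
# is not affected by that entry (the advisory's stated convention).
AFFECTED_THROUGH = {
    "CVE-2021-41000": {(10, 6): 170, (10, 7): 20, (10, 8): 1},
    "CVE-2002-20001": {(10, 6): 170, (10, 7): 50, (10, 8): 1030, (10, 9): 2},
    "CVE-2021-3712": {(10, 6): 170, (10, 7): 50, (10, 8): 1030},
    "CVE-2021-41001": {(10, 7): 50, (10, 8): 1030, (10, 9): 2},
    "CVE-2021-41003": {(10, 6): 170, (10, 7): 50, (10, 8): 1030, (10, 9): 2},
    "ROBOT (CVE-2017-6168 et al.)": {(10, 6): 120, (10, 7): 9},
    "CVE-2021-41002": {(10, 6): 170, (10, 7): 50, (10, 8): 1030, (10, 9): 2},
}
# 10.05.xxxx and below were not validated by Aruba and may be vulnerable.
OLDEST_VALIDATED_BRANCH = (10, 6)

# Assumption (not from the advisory): versions look like "10.08.1030",
# optionally with a two-letter platform prefix such as "FL.10.08.1030".
VERSION_RE = re.compile(r"^(?:[A-Z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return ((major, minor), build) for an AOS-CX version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an AOS-CX version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor), build


def assess(version_text):
    """Map one version string to the advisory entries that apply to it."""
    branch, build = parse_version(version_text)
    if branch < OLDEST_VALIDATED_BRANCH:
        # Unsupported branch: Aruba did not validate it, so report every
        # entry as potentially applicable rather than claiming it is clean.
        return {"version": version_text, "status": "unvalidated",
                "entries": sorted(AFFECTED_THROUGH)}
    hits = [name for name, table in AFFECTED_THROUGH.items()
            if branch in table and build <= table[branch]]
    return {"version": version_text,
            "status": "affected" if hits else "not affected",
            "entries": hits}


def version_from_show_version(output):
    """Pull the version string out of 'show version' output. The line
    format ("Version : FL.10.08.1030") is an assumption about the CLI."""
    m = re.search(r"^\s*Version\s*:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no Version line found in show version output")
    return m.group(1)


# Constructed sample output, not captured from a real switch.
SAMPLE_SHOW_VERSION = """\
ArubaOS-CX
Version      : FL.10.08.1010
Build Date   : 2021-11-01
"""

if __name__ == "__main__":
    for v in ("10.05.0007", "FL.10.07.0030", "10.08.1040", "10.09.0002",
              version_from_show_version(SAMPLE_SHOW_VERSION)):
        r = assess(v)
        print(f"{r['version']:>16}: {r['status']}")
        for entry in r["entries"]:
            print(f"{'':>18}{entry}")
```

Feed it the version string from each switch in an inventory and act on
"affected" and "unvalidated" alike; the latter is a branch Aruba explicitly
declined to clear, not a clean result.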
Details
=======

Multiple Authenticated Remote Code Execution in AOS-CX Command Line
Interface (CVE-2021-41000)
---------------------------------------------------------------------
Multiple vulnerabilities exist in the AOS-CX command line interface
that could lead to authenticated command injection. Successful
exploitation of these vulnerabilities could result in the ability to
execute arbitrary commands as a privileged user on the underlying
operating system. This allows an attacker to fully compromise the
underlying operating system on the device running AOS-CX.

Internal references: ATLAX-27, ATLAX-28, ATLAX-38
Severity: High
CVSSv3.1 Overall Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik
de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Affected Versions:
  AOS-CX 10.06.xxxx: 10.06.0170 and below
  AOS-CX 10.07.xxxx: 10.07.0020 and below
  AOS-CX 10.08.xxxx: 10.08.0001 and below

Resolved Versions:
  AOS-CX 10.06.xxxx: 10.06.0180 and above
  AOS-CX 10.07.xxxx: 10.07.0030 and above
  AOS-CX 10.08.xxxx: 10.08.0010 and above
  AOS-CX 10.09.xxxx: 10.09.0001 and above

Diffie-Hellman Key Agreement Protocol Vulnerability (CVE-2002-20001)
---------------------------------------------------------------------
The Diffie-Hellman Key Agreement Protocol allows remote attackers
(from the client side) to send arbitrary numbers that are actually
not public keys and trigger expensive server-side DHE
modular-exponentiation calculations, aka a D(HE)ater attack. Because
the client does no computation to produce such values, the cost of
each handshake falls almost entirely on the server. Successful
exploitation of this vulnerability can lead to a denial of service
on the AOS-CX switch.

Internal Reference: ATLAX-51
Severity: High
CVSSv3.1 Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered and reported by
Jean-francois Raymond and Anton Stiglic.
Please see the following link for more details:
https://www.researchgate.net/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol

Affected Versions:
  AOS-CX 10.06.xxxx: 10.06.0170 and below
  AOS-CX 10.07.xxxx: 10.07.0050 and below
  AOS-CX 10.08.xxxx: 10.08.1030 and below
  AOS-CX 10.09.xxxx: 10.09.0002 and below

Resolved Versions:
  AOS-CX 10.06.xxxx: 10.06.0180 and above
  AOS-CX 10.07.xxxx: 10.07.0061 and above
  AOS-CX 10.08.xxxx: 10.08.1040 and above
  AOS-CX 10.09.xxxx: 10.09.0010 and above

Authenticated Read Buffer Overruns Processing ASN.1 Strings in AOS-CX
(CVE-2021-3712)
---------------------------------------------------------------------
A read buffer overrun exists in the handling of ASN.1 strings in the
cryptographic library used by the AOS-CX web-based management
interface. Successful exploitation could allow an attacker to read
sensitive data from process memory, possibly in cleartext, exposing
other network infrastructure to further compromise, or to crash the
affected process.

Internal references: ATLAX-39
Severity: High
CVSSv3.1 Overall Score: 7.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

Discovery: This vulnerability was discovered and reported by Ingo
Schwarze.

Affected Versions:
  AOS-CX 10.06.xxxx: 10.06.0170 and below
  AOS-CX 10.07.xxxx: 10.07.0050 and below
  AOS-CX 10.08.xxxx: 10.08.1030 and below

Resolved Versions:
  AOS-CX 10.06.xxxx: 10.06.0180 and above
  AOS-CX 10.07.xxxx: 10.07.0061 and above
  AOS-CX 10.08.xxxx: 10.08.1040 and above
  AOS-CX 10.09.xxxx: 10.09.0001 and above

Authenticated Remote Code Execution in AOS-CX Network Analytics
Engine (NAE) (CVE-2021-41001)
--------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the AOS-CX
Network Analytics Engine via NAE scripts. Successful exploitation of
these vulnerabilities results in the ability to execute arbitrary
commands as a privileged user on the underlying operating system,
leading to a complete compromise of the switch running AOS-CX.
Internal references: ATLAX-37
Severity: High
CVSSv3.1 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Erik de
Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Affected Versions:
  AOS-CX 10.07.xxxx: 10.07.0050 and below
  AOS-CX 10.08.xxxx: 10.08.1030 and below
  AOS-CX 10.09.xxxx: 10.09.0002 and below

Resolved Versions:
  AOS-CX 10.07.xxxx: 10.07.0061 and above
  AOS-CX 10.08.xxxx: 10.08.1040 and above
  AOS-CX 10.09.xxxx: 10.09.0010 and above

Multiple Unauthenticated Cross-Site Scripting and HTML Injection
Vulnerabilities in AOS-CX API Interface (CVE-2021-41003)
---------------------------------------------------------------------
Vulnerabilities exist in the web-based management interface API of
AOS-CX that could allow an unauthenticated remote attacker to conduct
cross-site scripting (XSS) and HTML injection attacks. Successful
exploitation would allow an attacker to execute arbitrary script in
a victim's browser.

Internal Reference: ATLAX-50
Severity: Medium
CVSSv3.1 Overall Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by
mooimacow (bugcrowd.com/mooimacow) via Aruba's Bug Bounty Program.
Affected Versions:
  AOS-CX 10.06.xxxx: 10.06.0170 and below
  AOS-CX 10.07.xxxx: 10.07.0050 and below
  AOS-CX 10.08.xxxx: 10.08.1030 and below
  AOS-CX 10.09.xxxx: 10.09.0002 and below

Resolved Versions:
  AOS-CX 10.06.xxxx: 10.06.0180 and above
  AOS-CX 10.07.xxxx: 10.07.0061 and above
  AOS-CX 10.08.xxxx: 10.08.1040 and above
  AOS-CX 10.09.xxxx: 10.09.0010 and above

Return Of Bleichenbacher's Oracle Threat (CVE-2017-6168,
CVE-2017-17382, CVE-2017-17427, CVE-2017-17428, CVE-2017-12373,
CVE-2017-13098, CVE-2017-1000385, CVE-2017-13099, CVE-2016-6883,
CVE-2012-5081)
--------------------------------------------------------------------
A vulnerability exists within AOS-CX's cryptographic library that
provides a weak Bleichenbacher oracle when any TLS cipher suite using
RSA key exchange is negotiated. By sending many adaptively chosen
ciphertexts and observing how the server responds to each, an
attacker may be able to decrypt the RSA-encrypted premaster secret of
a recorded TLS session (and therefore the session itself), or to
perform signing operations with the server's RSA private key, without
recovering the private key. This vulnerability is referred to as
"ROBOT."

Please see the following link for more details:
https://robotattack.org/

Internal references: ATLAX-36
Severity: Medium
CVSSv3.1 Overall Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Hanno
Böck, Juraj Somorovsky, and Craig Young.

Affected Versions:
  AOS-CX 10.06.xxxx: 10.06.0120 and below
  AOS-CX 10.07.xxxx: 10.07.0009 and below

Resolved Versions:
  AOS-CX 10.06.xxxx: 10.06.0130 and above
  AOS-CX 10.07.xxxx: 10.07.0010 and above
  AOS-CX 10.08.xxxx: 10.08.0001 and above

Multiple Authenticated Remote Path Traversal in AOS-CX Command Line
Interface (CVE-2021-41002)
---------------------------------------------------------------------
Multiple authenticated path traversal vulnerabilities exist in the
AOS-CX command line interface. Successful exploitation of these
vulnerabilities could result in the ability to impact the integrity
of critical files on the underlying operating system. This allows an
attacker to impact the availability of the AOS-CX switch and may
allow for modification of sensitive data.
Internal references: ATLAX-33, ATLAX-34
Severity: Medium
CVSSv3.1 Overall Score: 5.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L

Discovery: These vulnerabilities were discovered and reported by Erik
de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Affected Versions:
  AOS-CX 10.06.xxxx: 10.06.0170 and below
  AOS-CX 10.07.xxxx: 10.07.0050 and below
  AOS-CX 10.08.xxxx: 10.08.1030 and below
  AOS-CX 10.09.xxxx: 10.09.0002 and below

Resolved Versions:
  AOS-CX 10.06.xxxx: 10.06.0180 and above
  AOS-CX 10.07.xxxx: 10.07.0061 and above
  AOS-CX 10.08.xxxx: 10.08.1040 and above
  AOS-CX 10.09.xxxx: 10.09.0010 and above

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that
targets these specific vulnerabilities as of the release date of
this advisory.

Revision History
================
Revision 1 / 2022-Feb-22 / Initial release
Revision 2 / 2022-Apr-06 / Updated CVSSv3.1 Overall Score Version

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents
is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we
encourage the use of PGP encryption. Our public keys can be found
at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date
given at the top of the text, provided that the redistributed copies
are complete and unmodified, including all data and version
information.
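To make concrete what the ROBOT entry above means by a "weak
Bleichenbacher oracle", and what the fix on the server side looks like,
the following Python example was written for this page; it is not Aruba's
code, not OpenSSL's, and not the code that runs on AOS-CX. It builds a
deliberately tiny RSA key from two Mersenne primes so the attack finishes
in well under a second, runs Bleichenbacher's adaptive chosen-ciphertext
attack (CRYPTO 1998) against an oracle that leaks only whether the PKCS#1
v1.5 padding of a decrypted block was valid, and contrasts that with the
RFC 5246 section 7.4.7.1 countermeasure (always produce a premaster
secret, substituting a random one on any padding error, with no
distinguishable error path). The premaster secret is shortened to 6 bytes,
all key material is constructed, and the oracle function is an assumption
about what a real server leaks through alerts, timing or connection
behaviour. Note that the attack recovers the premaster secret of one
session, not the private key. Requires Python 3.8 or newer.

```python
import os
import random

# Deliberately tiny RSA key from two Mersenne primes so the attack finishes
# in well under a second; constructed for this example only.
P = (1 << 107) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse: Python 3.8+
K = (N.bit_length() + 7) // 8           # modulus length in bytes (18)
B = 1 << (8 * (K - 2))                  # EM = 00 02 ...  <=>  2B <= m < 3B
PREMASTER_LEN = 6                       # stand-in for TLS's 48-byte premaster
_rng = random.Random(20220222)          # fixed seed: reproducible padding


def pkcs1_v15_encrypt(msg):
    """RSAES-PKCS1-v1_5: EM = 00 02 <PS: nonzero bytes, >= 8> 00 <msg>."""
    ps = bytes(_rng.randrange(1, 256) for _ in range(K - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N)


def vulnerable_oracle(c):
    """The leak ROBOT exploits: the server reveals (distinct alert, timing,
    or connection behaviour) whether the decrypted block starts with 00 02."""
    return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"


def hardened_decrypt(c):
    """RFC 5246 s7.4.7.1 countermeasure: pick a random premaster secret up
    front and use it on any padding error, with no error path that differs
    from the good path. Python is not constant-time; a C implementation
    must keep this branch-free shape for real."""
    em = pow(c, D, N).to_bytes(K, "big")
    fallback = os.urandom(PREMASTER_LEN)
    sep = K - PREMASTER_LEN - 1         # where the 00 separator must sit
    bad = (em[0] != 0) | (em[1] != 2) | (em[sep] != 0)
    for byte in em[2:sep]:              # PS may not contain a zero byte
        bad |= (byte == 0)
    return fallback if bad else em[sep + 1:]


def _ceil(a, b):
    return -(-a // b)


def _merge(intervals):
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def bleichenbacher(c0, oracle):
    """Recover m = c0^d mod N from the padding oracle alone (Bleichenbacher,
    CRYPTO 1998). Returns (m, oracle_queries). Step 1 (blinding) is skipped
    because a genuine ClientKeyExchange ciphertext already conforms."""
    queries = 0

    def conforming(s):
        nonlocal queries
        queries += 1
        return oracle(c0 * pow(s, E, N) % N)

    M = [(2 * B, 3 * B - 1)]
    s = _ceil(N, 3 * B)                                  # step 2a
    while not conforming(s):
        s += 1
    while True:
        new = []                                         # step 3: narrow M
        for a, b in M:
            r_lo, r_hi = _ceil(a * s - 3 * B + 1, N), (b * s - 2 * B) // N
            for r in range(r_lo, r_hi + 1):
                lo = max(a, _ceil(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = _merge(new)
        if len(M) == 1 and M[0][0] == M[0][1]:           # step 4: solved
            return M[0][0], queries
        if len(M) > 1:                                   # step 2b
            s += 1
            while not conforming(s):
                s += 1
            continue
        a, b = M[0]                                      # step 2c
        r = _ceil(2 * (b * s - 2 * B), N)
        while True:
            s_lo, s_hi = _ceil(2 * B + r * N, b), (3 * B - 1 + r * N) // a
            s = next((t for t in range(s_lo, s_hi + 1) if conforming(t)), None)
            if s is not None:
                break
            r += 1


def recovered_premaster(m):
    """Strip the PKCS#1 padding from the recovered plaintext integer."""
    return m.to_bytes(K, "big")[K - PREMASTER_LEN:]


if __name__ == "__main__":
    premaster = os.urandom(PREMASTER_LEN)
    c = pkcs1_v15_encrypt(premaster)
    m, n_queries = bleichenbacher(c, vulnerable_oracle)
    print("recovered premaster:", recovered_premaster(m) == premaster,
          "after", n_queries, "oracle queries")
    tampered = c * pow(2, E, N) % N     # non-conforming ciphertext
    print("hardened, good ciphertext:", hardened_decrypt(c) == premaster)
    print("hardened, bad ciphertext: still", len(hardened_decrypt(tampered)),
          "bytes, nothing for the attacker to observe")
```

The attacker never touches the private key: every query is a legitimate
ClientKeyExchange built from the victim's recorded ciphertext multiplied
by a chosen s^e, and the server's own decryption does the work. That is
why the ROBOT entry lists confidentiality impact only, and why the fix is
to remove the signal rather than to reject bad padding faster.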
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmIKeYAACgkQmP4JykWF
htlHIwf/Wg7bLFjwR2I8B4AW27g5ZF7+kZDANC0fDcGbIump0Vk9kYpixZFV0PC6
emZ1HG+CMnlzJC/tSiTTUZF4+aDwJlJgtX3la4Em/bZGhFZoAc0YyM4p9U8QZ+fw
KUqa5OklYZ7dWqQfcJMQuRfJwAx+gBnSG6hYf5dOarAxNNWYJpDvPWzQ6YNbNOZH
5anZqEuUOMpjyWYrClqvc/l2L3Hzk4s99moKqiKVQkUd+6MLGrrj7oDAag/IEINQ
TZIZp+Kfrmgzlc/C8GQNjAbwyck52iNsMYTd2WkRT6SssooKI/Ru8+5EaEbLeeq1
TEO88iGzPy+g28wrcVYaNaUdHY8i/A==
=gxkM
-----END PGP SIGNATURE-----