-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-008
CVE: CVE-2022-23676, CVE-2022-23677
Publication Date: 2022-May-03
Last Update: 2022-Jun-21
Status: Confirmed
Severity: Critical
Revision: 3

Title
=====

Heap Overflow Vulnerabilities Within AOS-S Devices

Overview
========

The Armis Research Team has discovered multiple heap overflow vulnerabilities in products from various networking vendors. AOS-S devices running the versions listed below are affected. Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary code on the affected device.

More information about these vulnerabilities can be found at:
https://www.armis.com/research/tlstorm/

Affected Products
=================

Customers using the following switch models and firmware versions are affected by the vulnerabilities listed in this advisory.

Aruba Switch Models:
- Aruba 2530 Series Switches
- Aruba 2540 Series Switches
- Aruba 2615 Series Switches
- Aruba 2620 Series Switches
- Aruba 2915 Series Switches
- Aruba 2920 Series Switches
- Aruba 2930F Series Switches
- Aruba 2930M Series Switches
- Aruba 3800 Series Switches
- Aruba 3810 Series Switches
- Aruba 5400 Series Switches
- Aruba 5400R Series Switches

Software branch versions:
- AOS-S 15.xx.xxxx: A.15.16.0023 and below.
- AOS-S 16.01.xxxx: All versions.
- AOS-S 16.02.xxxx: K.16.02.0034 and below.
- AOS-S 16.03.xxxx: All versions.
- AOS-S 16.04.xxxx: KA/RA.16.04.0024 and below.
- AOS-S 16.05.xxxx: All versions.
- AOS-S 16.06.xxxx: All versions.
- AOS-S 16.07.xxxx: All versions.
- AOS-S 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0024 and below.
- AOS-S 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0019 and below.
- AOS-S 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0019 and below.
- AOS-S 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0003 and below.
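The following Python script is an added illustration, not part of this advisory or of any Aruba tooling. It turns the affected-version list above and the per-CVE fixed builds given in the Details and Resolution sections into a check that can be run over an inventory of switch software versions. The thresholds are copied from those lists; the inventory text, its column layout and the function names are constructed for the example.

```python
"""Map AOS-S software versions to the fixed builds in ARUBA-PSA-2022-008.

Added example, not Aruba tooling.  The thresholds are taken from the advisory's
per-CVE Resolution lists; the inventory text at the bottom is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# First build on each branch that fixes the CVE (from the two Resolution lists).
FIRST_FIXED: Dict[str, Dict[str, int]] = {
    "CVE-2022-23676": {"15.16": 24, "16.02": 35, "16.04": 25, "16.08": 25,
                       "16.09": 20, "16.10": 20, "16.11": 4},
    "CVE-2022-23677": {"15.16": 24, "16.02": 35, "16.04": 25, "16.08": 26,
                       "16.09": 21, "16.10": 21, "16.11": 5},
}
ALL_CVES: List[str] = sorted(FIRST_FIXED)

# Software prefixes (platform letters) the advisory names for each fixed branch.
BRANCH_PREFIXES: Dict[str, Set[str]] = {
    "15.16": {"A"},
    "16.02": {"K"},
    "16.04": {"KA", "RA"},
    "16.08": {"KB", "WB", "WC", "YA", "YB", "YC"},
    "16.09": {"KB", "WB", "WC", "YA", "YB", "YC"},
    "16.10": {"KB", "WB", "WC", "YA", "YB", "YC"},
    "16.11": {"KB", "WC", "YA", "YB", "YC"},
}

# Branches the advisory lists as "All versions" affected: no fixed build exists.
NO_FIX_BRANCHES: Set[str] = {"16.01", "16.03", "16.05", "16.06", "16.07"}

# prefix.major.minor.build, e.g. KB.16.10.0019 or A.15.16.0023
VERSION_RE = re.compile(r"\b([A-Z]{1,2})\.(\d{2})\.(\d{2})\.(\d{4})\b")


def parse_version(version: str) -> Tuple[str, int, int, int]:
    """Split 'KB.16.10.0019' into ('KB', 16, 10, 19); reject anything else."""
    m = VERSION_RE.fullmatch(version.strip().upper())
    if not m:
        raise ValueError(f"not an AOS-S version string: {version!r}")
    prefix, major, minor, build = m.groups()
    return prefix, int(major), int(minor), int(build)


def unfixed_cves(version: str) -> List[str]:
    """CVEs from the advisory that this build does NOT fix (empty list = fixed).

    Raises ValueError for branches or prefixes the advisory does not list, so an
    unknown build is never silently reported as safe.
    """
    prefix, major, minor, build = parse_version(version)
    branch = f"{major:02d}.{minor:02d}"
    # "AOS-S 15.xx.xxxx: A.15.16.0023 and below": every 15.x release before
    # 15.16 is affected and the only fix is A.15.16.0024 or later.
    if major == 15 and minor < 16:
        return list(ALL_CVES)
    if branch in NO_FIX_BRANCHES:
        return list(ALL_CVES)
    if branch not in BRANCH_PREFIXES:
        raise ValueError(f"branch {branch} is not covered by ARUBA-PSA-2022-008")
    if prefix not in BRANCH_PREFIXES[branch]:
        raise ValueError(f"prefix {prefix} is not listed for branch {branch}")
    return [cve for cve in ALL_CVES if build < FIRST_FIXED[cve][branch]]


def find_versions(text: str) -> List[str]:
    """Pull every AOS-S version token out of free text such as an inventory export."""
    return [".".join(m.groups()) for m in VERSION_RE.finditer(text.upper())]


def report(text: str) -> Dict[str, List[str]]:
    """Map each version found in the text to the CVEs it leaves unfixed."""
    return {v: unfixed_cves(v) for v in find_versions(text)}


# Constructed inventory lines; the column layout is an assumption, only the
# version tokens matter to the check.
SAMPLE_INVENTORY = """\
core-sw01  Aruba 5400R  KB.16.10.0020
edge-sw07  Aruba 2930F  WC.16.06.0021
edge-sw12  Aruba 2530   YA.16.11.0005
old-sw03   Aruba 2620   A.15.16.0023
"""

if __name__ == "__main__":
    for version, cves in report(SAMPLE_INVENTORY).items():
        print(f"{version:15} {', '.join(cves) if cves else 'fixed for both CVEs'}")
```

The check deliberately raises rather than returning "fixed" for a branch or platform prefix the advisory does not name, and it reports the two CVEs separately because their first fixed builds differ on the 16.08 to 16.11 branches.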
Unaffected Products
===================

Any other Aruba products not listed above, including other models of AOS-S Switches, AOS-CX Switches, Aruba Intelligent Edge Switches and HPE OfficeConnect Switches, are not affected by these vulnerabilities.

Details
=======

Heap Overflow Vulnerabilities in RADIUS EAP Messages (CVE-2022-23676)
====================================================================

Multiple heap overflow vulnerabilities have been discovered in the AOS-S firmware. Successful exploitation of these vulnerabilities could result in the ability to execute arbitrary code.

Exploitation of these vulnerabilities requires an attacker-controlled RADIUS server capable of sending Access-Challenge messages to an affected switch. Because of this, exploitation would most likely occur as part of an attack chain building on prior compromise of customer-controlled infrastructure, such as the RADIUS server the switch is configured to use. Only AOS-S devices that are configured to use RADIUS are affected by these vulnerabilities.

Internal reference: APVOS-14
Severity: Critical
CVSSv3.1 Overall Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Resolution:
- AOS-S 15.16.xxxx: A.15.16.0024 and above.
- AOS-S 16.02.xxxx: K.16.02.0035 and above.
- AOS-S 16.04.xxxx: KA/RA.16.04.0025 and above.
- AOS-S 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0025 and above.
- AOS-S 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0020 and above.
- AOS-S 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0020 and above.
- AOS-S 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0004 and above.

Heap Overflow Vulnerabilities in Mocana Cryptographic Library (CVE-2022-23677)
=============================================================================

Multiple heap overflow vulnerabilities related to the Mocana cryptographic library have been discovered in the AOS-S firmware. Some of these vulnerabilities also affect the Web-Based Management Interface and the captive portal of the affected devices.
Successful exploitation of these vulnerabilities could result in the ability to execute arbitrary code.

Internal Reference: APVOS-15
Severity: Critical
CVSSv3.1 Overall Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Resolution:
- AOS-S 15.16.xxxx: A.15.16.0024 and above.
- AOS-S 16.02.xxxx: K.16.02.0035 and above.
- AOS-S 16.04.xxxx: KA/RA.16.04.0025 and above.
- AOS-S 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0026 and above.
- AOS-S 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0021 and above.
- AOS-S 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0021 and above.
- AOS-S 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0005 and above.

Resolution
==========

The vulnerabilities contained in this advisory can be addressed by patching or upgrading to one of the AOS-S firmware versions listed below:
- AOS-S 15.16.xxxx: A.15.16.0024 and above.
- AOS-S 16.02.xxxx: K.16.02.0035 and above.
- AOS-S 16.04.xxxx: KA/RA.16.04.0025 and above.
- AOS-S 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0026 and above.
- AOS-S 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0021 and above.
- AOS-S 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0021 and above.
- AOS-S 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0005 and above.

These builds are the later of the two per-CVE fixed builds listed under Details; for example, KB.16.10.0020 fixes CVE-2022-23676 but not CVE-2022-23677. No fixed build is listed for the 16.01, 16.03, 16.05, 16.06 and 16.07 branches, so switches running them can only be remediated by upgrading to one of the branches above.

Workarounds
===========

For CVE-2022-23676, Aruba recommends implementing firewall controls that limit the RADIUS traffic of impacted switches to known-good RADIUS servers.

For CVE-2022-23677, Aruba recommends that the web-based management interfaces of switches be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Alternatively, users can disable the web-based management interface.

Customers who have enabled captive portal on affected switches are also exposed to this issue. Until final patches are issued, Aruba recommends that the captive portal URL accessed by affected switches be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above that only allow HTTP traffic from approved clients.
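As an added illustration of the first workaround (not code from the advisory or from Aruba), the following Python implements the checks a filtering point in front of a RADIUS client could apply to server replies: an allow-list of known-good server addresses, the RFC 2865 Response Authenticator computed over the shared secret, and strict length validation of the attribute TLVs and of reassembled EAP-Message (RFC 3579) content. The server address, shared secret and packets are constructed for the example. The checks are the generic protocol-level ones; they say nothing about where the AOS-S parsing defect lies, which the advisory does not disclose.

```python
"""Origin and structural checks on RADIUS replies (added example, not Aruba code).

Generic RFC 2865 / RFC 3579 validation a filter in front of a RADIUS client
could apply; it does not model the AOS-S defect itself.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Set, Tuple

ACCESS_CHALLENGE = 11          # RADIUS Code for Access-Challenge (RFC 2865)
ATTR_EAP_MESSAGE = 79          # EAP-Message attribute (RFC 3579)
HEADER_LEN = 20                # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_PACKET = 4096              # RFC 2865 s.3 upper bound on Length

Attrs = List[Tuple[int, bytes]]


def parse_attributes(payload: bytes) -> Attrs:
    """Walk the attribute TLVs, refusing any length that lies about the buffer."""
    attrs: Attrs = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2:
            raise ValueError(f"attribute {atype} has illegal length {alen}")
        if pos + alen > len(payload):
            raise ValueError(f"attribute {atype} length {alen} overruns packet")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def reassemble_eap(attrs: Attrs) -> Optional[bytes]:
    """Join EAP-Message fragments and check the EAP Length field against the data."""
    frags = [v for t, v in attrs if t == ATTR_EAP_MESSAGE]
    if not frags:
        return None
    eap = b"".join(frags)
    if len(eap) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    eap_len = struct.unpack("!H", eap[2:4])[0]
    if eap_len != len(eap):
        raise ValueError(f"EAP length field {eap_len} != {len(eap)} bytes carried")
    return eap


def response_authenticator(head: bytes, request_auth: bytes, body: bytes, secret: bytes) -> bytes:
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(head + request_auth + body + secret).digest()


def vet_reply(src_ip: str, pkt: bytes, request_auth: bytes, secret: bytes,
              allowed_servers: Set[str]) -> Dict[str, object]:
    """Accept a reply only from a listed server, with a valid authenticator and sane lengths."""
    if src_ip not in allowed_servers:
        return {"accept": False, "reason": f"reply from unlisted RADIUS source {src_ip}"}
    if len(pkt) < HEADER_LEN:
        return {"accept": False, "reason": "shorter than RADIUS header"}
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length > MAX_PACKET:
        return {"accept": False, "reason": f"length field {length} vs {len(pkt)} bytes on wire"}
    if response_authenticator(pkt[:4], request_auth, pkt[HEADER_LEN:], secret) != pkt[4:HEADER_LEN]:
        return {"accept": False, "reason": "Response Authenticator mismatch"}
    try:
        attrs = parse_attributes(pkt[HEADER_LEN:])
        eap = reassemble_eap(attrs)
    except ValueError as exc:
        return {"accept": False, "reason": str(exc)}
    return {"accept": True, "code": code, "id": ident, "eap_len": len(eap) if eap else 0}


# --- constructed test input (not captured traffic) -------------------------

def encode_attrs(attrs: Attrs) -> bytes:
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_reply(code: int, ident: int, body: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Assemble a correctly signed reply, as a legitimate server would."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return head + response_authenticator(head, request_auth, body, secret) + body


SECRET = b"example-shared-secret"        # constructed
REQUEST_AUTH = bytes(range(16))          # constructed Request Authenticator
ALLOWED = {"10.0.0.5"}                   # constructed known-good server address
# EAP Request (code 1), id 7, length 6, type 25 (PEAP), flags 0x20 (start)
EAP_START = b"\x01\x07\x00\x06\x19\x20"


def demo() -> List[Dict[str, object]]:
    """Run the filter over one good reply and several forged or malformed ones."""
    good = build_reply(ACCESS_CHALLENGE, 7,
                       encode_attrs([(ATTR_EAP_MESSAGE, EAP_START[:3]),
                                     (ATTR_EAP_MESSAGE, EAP_START[3:])]),
                       REQUEST_AUTH, SECRET)
    bad_eap = build_reply(ACCESS_CHALLENGE, 7,
                          encode_attrs([(ATTR_EAP_MESSAGE, b"\x01\x07\xff\xff\x19\x20")]),
                          REQUEST_AUTH, SECRET)
    overrun = build_reply(ACCESS_CHALLENGE, 7, b"\x4f\x40\x00\x00\x00\x00", REQUEST_AUTH, SECRET)
    forged = build_reply(ACCESS_CHALLENGE, 7, encode_attrs([(ATTR_EAP_MESSAGE, EAP_START)]),
                         REQUEST_AUTH, b"guessed-secret")
    return [
        vet_reply("10.0.0.5", good, REQUEST_AUTH, SECRET, ALLOWED),
        vet_reply("10.0.0.66", good, REQUEST_AUTH, SECRET, ALLOWED),
        vet_reply("10.0.0.5", bad_eap, REQUEST_AUTH, SECRET, ALLOWED),
        vet_reply("10.0.0.5", overrun, REQUEST_AUTH, SECRET, ALLOWED),
        vet_reply("10.0.0.5", forged, REQUEST_AUTH, SECRET, ALLOWED),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The allow-list check comes first because it is the one the recommended firewall rule enforces on the wire: a switch should only ever see RADIUS replies from the servers it is configured to use. The authenticator and length checks are what the switch's own parser has to get right, and a reply that fails any of them is worth alerting on, since a legitimate server does not produce them.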
AOS-S Hardening Guide
=====================

For general information on hardening AOS-S devices against security threats, please see the AOS-S Hardening Guide available at:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us

Exploitation and Public Discussion
==================================

This Aruba Product Security Advisory is part of a coordinated disclosure with the Armis Research team, and the details of the vulnerabilities can be found here:
https://www.armis.com/research/tlstorm/

Discovery
=========

These vulnerabilities were discovered and disclosed by Noam Afuta from Armis Research.

Revision History
================

Revision 1 / 2022-May-03 / Initial release
Revision 2 / 2022-May-19 / Details and Affected Products list updated
Revision 3 / 2022-Jun-21 / Details updated. Resolution added.

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmKsqCIACgkQmP4JykWF
htllRwf/TqXNWPmhlqEaoVPdzBE9QseL6xfTK9nWdcrffmEaY+CvgL1o3jDctSs2
cZ0aexRLB1nNHWYSCVJzvfrYnxe2YMWlxIx1Nigk13J9Kojh73YdeEnVEtR2kdAx
xw14/rZnNQ9jiWXNcIbWZrZvKuaoZwPZRvkdbxX2fZ3f3d5UgTniD0q0+I63cdBG
RLeGYFcBP5e+LBkdcaGNBdyLi3f9Moiwo+L9LP0hzUn4Cmt5eO5RvdjMCD9lPskI
ixweTQ9U1MjvqKnZA44ZsBAXDdyYbViYbgCmME/+FWeL9eSyoFyNBuYYeM3CZ53e
1twdT/AAu8g77E0vpYqKjktB24uNoA==
=KOG6
-----END PGP SIGNATURE-----