-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-014 CVE: CVE-2002-20001, CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, CVE-2022-37889, CVE-2022-37890, CVE-2022-37891, CVE-2022-37892, CVE-2022-37893, CVE-2022-37894, CVE-2022-37895, CVE-2022-37896 Publication Date: 2022-Sep-27 Status: Confirmed Severity: Critical Revision: 1 Title ===== Aruba Access Points Multiple Vulnerabilities Overview ======== Aruba has released patches for Aruba access points running InstantOS and ArubaOS 10 that address multiple security vulnerabilities. Affected Products ================= Aruba Access Points running InstantOS and ArubaOS 10 Affected versions: - Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below - Aruba InstantOS 6.5.x: 6.5.4.23 and below - Aruba InstantOS 8.6.x: 8.6.0.18 and below - Aruba InstantOS 8.7.x: 8.7.1.9 and below - Aruba InstantOS 8.10.x: 8.10.0.1 and below - ArubaOS 10.3.x: 10.3.1.0 and below Branches that are end of life should be considered to be affected. Impacted customers should plan to upgrade to a supported branch. Supported branches as of the release of this advisory are: - InstantOS 6.4.x-4.2.x - InstantOS 6.5.4.x - InstantOS 8.6.x - InstantOS 8.7.x - InstantOS 8.10.x - ArubaOS 10.3.1.x Unaffected Products =================== Aruba Mobility Conductor, Aruba Mobility Controllers, Access-Points when managed by Mobility Controllers and Aruba SD-WAN Gateways are not affected by these vulnerabilities. Aruba InstantOn is also not affected by these vulnerabilities. Details ======= Buffer Overflow Vulnerabilities in the PAPI protocol (CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, CVE-2022-37889) -------------------------------------------------------------- There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system. Internal References: ATLWL-253, ATLWL-254, ATLWL-299, ATLWL-300, ATLWL-302 Severity: Critical CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's bug bounty program. Workaround: Enabling CPSec via the cluster-security command will prevent the vulnerabilities from being exploited in Aruba InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks. Please contact TAC for configuration assistance. Unauthenticated Buffer Overflow in Web Management Interface (CVE-2022-37890, CVE-2022-37891) --------------------------------------------------------------------- Unauthenticated buffer overflow vulnerabilities exist within the Aruba InstantOS and ArubaOS 10 web management interface. Successful exploitation results in the execution of arbitrary commands on the underlying operating system. Internal References: ATLWL-102, ATLWL-268 Severity: Critical CVSSv3 Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Nikita Abramov of Positive Technologies and Nicholas Starke of Aruba Threat Labs Workaround: See general workaround after the resolution section at the end of this document Unauthenticated Stored Cross-Site Scripting (CVE-2022-37892) --------------------------------------------------------------------- A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal Reference: ATLWL-168 Severity: High CVSSv3 Overall Score: 8.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Workaround: See general workaround after the resolution section at the end of this document Diffie-Hellman Key Agreement Protocol Vulnerability (CVE-2002-20001) --------------------------------------------------------------------- The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. Successful exploitation of this vulnerability can lead to a denial of service on the affected access point. Internal Reference: ATLWL-266 Severity: High CVSSv3.1 Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Jean-francois Raymond and Anton Stiglic. Workaround: See general workaround after the resolution section at the end of this document Please see the following link for more details: https://www.researchgate.net/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS 10 Command Line Interface (CVE-2022-37893) --------------------------------------------------------------------- An authenticated command injection vulnerability exists in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. Internal Reference: ATLWL-97 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's bug bounty program. Workaround: See general workaround after the resolution section at the end of this document Unauthenticated Denial of Service (DoS) via faulty processing of SSID strings (CVE-2022-37894) --------------------------------------------------------------------- An unauthenticated Denial of Service (DoS) vulnerability exists in the handling of certain SSID strings by Aruba InstantOS and ArubaOS 10. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected AP. Internal Reference: ATLWL-242 Severity: Medium CVSSv3 Overall Score: 6.5 CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Bill Bushong of Gyver Technologies. Workaround: None Authenticated Denial of Service (DoS) in Aruba InstantOS or ArubaOS 10 Web Management Interface (CVE-2022-37895) --------------------------------------------------------------------- An authenticated Denial of Service (DoS) vulnerability exists in the Aruba InstantOS and ArubaOS 10 web management interface. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected AP. Internal Reference: ATLWL-248 Severity: Medium CVSSv3 Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by swings (bugcrowd.com/swings) via Aruba's bug bounty program. Workaround: See general workaround after the resolution section at the end of this document Reflected Cross-Site Scripting (CVE-2022-37896) --------------------------------------------------------------------- A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface. Internal Reference: ATLWL-234 Severity: Medium CVSSv3 Overall Score: 4.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's bug bounty program. Workaround: See general workaround after the resolution section at the end of this document Resolution ========== In order to address the vulnerabilities described above for the affected release branches, it is recommended to upgrade the software to the following versions: - Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.21 and above - Aruba InstantOS 6.5.x: 6.5.4.24 and above - Aruba InstantOS 8.6.x: 8.6.0.19 and above - Aruba InstantOS 8.7.x: 8.7.1.10 and above - Aruba InstantOS 8.10.x: 8.10.0.2 and above - ArubaOS 10.3.x: 10.3.1.1 and above Aruba does not evaluate or patch Aruba InstantOS and ArubaOS 10 software branches that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Vulnerability specific workarounds are listed per vulnerability above. Contact Aruba TAC for any configuration assistance. Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the publication of this advisory. Revision History ================ Revision 1 / 2022-Sep-27 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmMky2QXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtn62wgApoJQx1oap7UM+qa1yu6+U/8+ U/2SqTWw+ZS6pp7rgS83yYdnvIv+PZHg5Ob+b7Ym9W9/w9Nv60ZEv3yxg/c4W8oF 03i5q+syGOVtdRGqTJ/cjYmiGpFZVNOiqIqxm1fHXLZK8pSshNud9mN/GFY8IQS5 1zx5oRIXxK6OxOmENG76C1MHZQyuSZDuvAgesHRe6rlIMCWPw+Xd5EcqY1F1O+hv jgibHDVumayMyYfusozheeXJhggMq1smxwPza3J7ngirJU3cnWKaIOagCBIg0FLA wz03N4WtgnrAlM/SjK0WzZK+5Mnr7GpOfOI1Lwl04eGeXDhZ9gIZ2d58OZwkYQ== =UQP+ -----END PGP SIGNATURE-----