-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-014
CVE: CVE-2002-20001, CVE-2022-37885, CVE-2022-37886,
     CVE-2022-37887, CVE-2022-37888, CVE-2022-37889,
     CVE-2022-37890, CVE-2022-37891, CVE-2022-37892,
     CVE-2022-37893, CVE-2022-37894, CVE-2022-37895,
     CVE-2022-37896
Publication Date: 2022-Sep-27
Status: Confirmed
Severity: Critical
Revision: 1


Title
=====
Aruba Access Points Multiple Vulnerabilities


Overview
========
Aruba has released patches for Aruba access points running
InstantOS and ArubaOS 10 that address multiple security
vulnerabilities.


Affected Products
=================
Aruba Access Points running InstantOS and ArubaOS 10
                                
Affected versions:
  - Aruba InstantOS 6.4.x:  6.4.4.8-4.2.4.20 and below
  - Aruba InstantOS 6.5.x:  6.5.4.23 and below
  - Aruba InstantOS 8.6.x:  8.6.0.18 and below
  - Aruba InstantOS 8.7.x:  8.7.1.9 and below
  - Aruba InstantOS 8.10.x: 8.10.0.1 and below
  - ArubaOS 10.3.x:         10.3.1.0 and below

Branches that are end of life should be considered to be
affected. Impacted customers should plan to upgrade to a
supported branch. Supported branches as of the release of this
advisory are:
 
  - InstantOS 6.4.x-4.2.x 
  - InstantOS 6.5.4.x
  - InstantOS 8.6.x
  - InstantOS 8.7.x
  - InstantOS 8.10.x
  - ArubaOS 10.3.1.x


Unaffected Products
===================
Aruba Mobility Conductor, Aruba Mobility Controllers,
Access-Points when managed by Mobility Controllers and Aruba
SD-WAN Gateways are not affected by these vulnerabilities. Aruba
InstantOn is also not affected by these vulnerabilities.


Details
=======

  Buffer Overflow Vulnerabilities in the PAPI protocol
  (CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, 
   CVE-2022-37888, CVE-2022-37889)
  --------------------------------------------------------------
    There are buffer overflow vulnerabilities in multiple
    underlying services that could lead to unauthenticated remote
    code execution by sending specially crafted packets destined
    to the PAPI (Aruba Networks AP management protocol) UDP port
    (8211). Successful exploitation of these vulnerabilities
    results in the ability to execute arbitrary code as a
    privileged user on the underlying operating system.

    Internal References: ATLWL-253, ATLWL-254, ATLWL-299,
                         ATLWL-300, ATLWL-302
    Severity: Critical 
    CVSSv3 Overall Score: 9.8 
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered and reported
    by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's bug
    bounty program.

    Workaround: Enabling CPSec via the cluster-security command
    will prevent the vulnerabilities from being exploited in
    Aruba InstantOS devices running 8.x or 6.x code. For ArubaOS
    10 devices this is not an option and instead access to port
    UDP/8211 must be blocked from all untrusted networks. Please
    contact TAC for configuration assistance.


  Unauthenticated Buffer Overflow in Web Management Interface
  (CVE-2022-37890, CVE-2022-37891) 
  --------------------------------------------------------------------- 
    Unauthenticated buffer overflow vulnerabilities exist        
    within the Aruba InstantOS and ArubaOS 10 web management      
    interface. Successful exploitation results in the execution  
    of arbitrary commands on the underlying operating system.    

    Internal References: ATLWL-102, ATLWL-268
    Severity: Critical 
    CVSSv3 Overall Score: 9.8
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered and reported
    by Nikita Abramov of Positive Technologies and Nicholas
    Starke of Aruba Threat Labs

    Workaround: See general workaround after the resolution
    section at the end of this document


  Unauthenticated Stored Cross-Site Scripting 
  (CVE-2022-37892) 
  --------------------------------------------------------------------- 
    A vulnerability in the Aruba InstantOS and ArubaOS 10 web
    management interface could allow an unauthenticated remote
    attacker to conduct a stored cross-site scripting (XSS)
    attack against a user of the interface. A successful exploit
    could allow an attacker to execute arbitrary script code in a
    victim’s browser in the context of the affected interface.

    Internal Reference: ATLWL-168
    Severity: High 
    CVSSv3 Overall Score: 8.1
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

    Discovery: This vulnerability was discovered and reported by
    Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.

    Workaround: See general workaround after the resolution
    section at the end of this document


  Diffie-Hellman Key Agreement Protocol Vulnerability
  (CVE-2002-20001)
  ---------------------------------------------------------------------
    The Diffie-Hellman Key Agreement Protocol allows remote
    attackers (from the client side) to send arbitrary numbers
    that are actually not public keys and trigger expensive
    server-side DHE modular-exponentiation calculations,
    aka a D(HE)ater attack. Successful exploitation of this
    vulnerability can lead to a denial of service on the affected
    access point.

    Internal Reference: ATLWL-266
    Severity: High
    CVSSv3.1 Overall Score: 7.5
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    
    Discovery: This vulnerability was discovered and reported by 
    Jean-francois Raymond and Anton Stiglic.                     

    Workaround: See general workaround after the resolution
    section at the end of this document

    Please see the following link for more details:
    https://www.researchgate.net/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol
      

  Authenticated Remote Command Execution in Aruba InstantOS or
  ArubaOS 10 Command Line Interface
  (CVE-2022-37893)  
  --------------------------------------------------------------------- 
    An authenticated command injection vulnerability exists in   
    the Aruba InstantOS and ArubaOS 10 command line interface.    
    Successful exploitation of this vulnerability results in the 
    ability to execute arbitrary commands as a privileged user   
    on the underlying operating system.                          

    Internal Reference: ATLWL-97
    Severity: High 
    CVSSv3 Overall Score: 7.2 
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Discovery: This vulnerability was discovered and reported by
    Erik de Jong (bugcrowd.com/erikdejong) via Aruba's bug bounty
    program.

    Workaround: See general workaround after the resolution
    section at the end of this document


  Unauthenticated Denial of Service (DoS) via faulty processing
  of SSID strings
  (CVE-2022-37894)  
  --------------------------------------------------------------------- 
    An unauthenticated Denial of Service (DoS) vulnerability     
    exists in the handling of certain SSID strings by Aruba      
    InstantOS and ArubaOS 10. Successful exploitation of this     
    vulnerability results in the ability to interrupt the normal 
    operation of the affected AP.                                

    Internal Reference: ATLWL-242
    Severity: Medium 
    CVSSv3 Overall Score: 6.5
    CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Discovery: This vulnerability was discovered and reported by
    Bill Bushong of Gyver Technologies.

    Workaround: None

  
  Authenticated Denial of Service (DoS) in Aruba InstantOS or
  ArubaOS 10 Web Management Interface
  (CVE-2022-37895)  
  --------------------------------------------------------------------- 
    An authenticated Denial of Service (DoS) vulnerability       
    exists in the Aruba InstantOS and ArubaOS 10 web management   
    interface. Successful exploitation of this vulnerability     
    results in the ability to interrupt the normal operation of  
    the affected AP.                                             

    Internal Reference: ATLWL-248
    Severity: Medium 
    CVSSv3 Overall Score: 4.9 
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

    Discovery: This vulnerability was discovered and reported by
    swings (bugcrowd.com/swings) via Aruba's bug bounty program.

    Workaround: See general workaround after the resolution
    section at the end of this document


  Reflected Cross-Site Scripting
  (CVE-2022-37896) 
  --------------------------------------------------------------------- 
    A vulnerability in the Aruba InstantOS and ArubaOS 10 web
    management interface could allow a remote attacker to conduct
    a reflected cross-site scripting (XSS) attack against a
    user of the interface. A successful exploit could allow an
    attacker to execute arbitrary script code in a victim’s
    browser in the context of the affected interface.

    Internal Reference: ATLWL-234
    Severity: Medium 
    CVSSv3 Overall Score: 4.8
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

    Discovery: This vulnerability was discovered and reported by
    Daniel Jensen (@dozernz) via Aruba's bug bounty program.

    Workaround: See general workaround after the resolution
    section at the end of this document


Resolution
==========
In order to address the vulnerabilities described above for the
affected release branches, it is recommended to upgrade the
software to the following versions:

  - Aruba InstantOS 6.4.x:  6.4.4.8-4.2.4.21 and above
  - Aruba InstantOS 6.5.x:  6.5.4.24 and above
  - Aruba InstantOS 8.6.x:  8.6.0.19 and above
  - Aruba InstantOS 8.7.x:  8.7.1.10 and above
  - Aruba InstantOS 8.10.x: 8.10.0.2 and above
  - ArubaOS 10.3.x:         10.3.1.1 and above
 
Aruba does not evaluate or patch Aruba InstantOS
and ArubaOS 10 software branches that have reached
their End of Support (EoS) milestone. For more
information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/


Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based
management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3
and above.

Vulnerability specific workarounds are listed per vulnerability
above. Contact Aruba TAC for any configuration assistance.


Exploitation and Public Discussion 
==================================
Aruba is not aware of any public discussion or exploit code that
target these specific vulnerabilities as of the publication of
this advisory.


Revision History
================
Revision 1 / 2022-Sep-27 / Initial release


Aruba SIRT Security Procedures 
==============================
Complete information on reporting security vulnerabilities in
Aruba Networks products and obtaining assistance with security
incidents is available at:

https://www.arubanetworks.com/support-services/security-bulletins/ 

 
For reporting *NEW* Aruba Networks security issues, email can
be sent to aruba-sirt(at)hpe.com. For sensitive information we
encourage the use of PGP encryption. Our public keys can be found
at:

https://www.arubanetworks.com/support-services/security-bulletins/ 
 

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise
company. This advisory may be redistributed freely after the
release date given at the top of the text, provided that the
redistributed copies are complete and unmodified, including all
data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmMky2QXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtn62wgApoJQx1oap7UM+qa1yu6+U/8+
U/2SqTWw+ZS6pp7rgS83yYdnvIv+PZHg5Ob+b7Ym9W9/w9Nv60ZEv3yxg/c4W8oF
03i5q+syGOVtdRGqTJ/cjYmiGpFZVNOiqIqxm1fHXLZK8pSshNud9mN/GFY8IQS5
1zx5oRIXxK6OxOmENG76C1MHZQyuSZDuvAgesHRe6rlIMCWPw+Xd5EcqY1F1O+hv
jgibHDVumayMyYfusozheeXJhggMq1smxwPza3J7ngirJU3cnWKaIOagCBIg0FLA
wz03N4WtgnrAlM/SjK0WzZK+5Mnr7GpOfOI1Lwl04eGeXDhZ9gIZ2d58OZwkYQ==
=UQP+
-----END PGP SIGNATURE-----