-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-015 CVE: CVE-2022-37913, CVE-2022-37914, CVE-2022-37915 Publication Date: 2022-Oct-11 Status: Confirmed Severity: Critical Revision: 1 Title ===== Multiple Vulnerabilities in Aruba EdgeConnect Enterprise Orchestrator Overview ======== Aruba has released patches for Aruba EdgeConnect Enterprise Orchestrator that address multiple security vulnerabilities. Affected Products ================= - Aruba EdgeConnect Enterprise Orchestrator (on-premises) - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service - Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.1.2.40051 and below - Orchestrator 9.0.7.40108 and below - Orchestrator 8.10.23.40009 and below - Any older branches of Orchestrator not specifically mentioned Versions of Aruba EdgeConnect Enterprise Orchestrator that are end of life are affected by these vulnerabilities unless otherwise indicated. Details ======= Authentication Bypass Leading to System Takeover in Aruba EdgeConnect Enterprise Orchestrator Web-Based Management Interface (CVE-2022-37913, CVE-2022-37914) --------------------------------------------------------------------- Vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to bypass authentication. Successful exploitation of these vulnerabilities could allow an attacker to gain administrative privileges leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host. Internal References: ATLSP-12, ATLSP-25 Severity: Critical CVSSv3.x Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Unauthenticated Remote Code Execution in Aruba EdgeConnect Enterprise Orchestrator Web-Based Management Interface (CVE-2022-37915) --------------------------------------------------------------------- A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise. Internal References: ATLWL-313 Severity: Critical CVSSv3.x Overall Score: 9.8 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program Affected: This vulnerability only affected the versions listed - Aruba EdgeConnect Enterprise Orchestrator (on-premises) - 9.1.x branch only - Any 9.1.x Orchestrator instantiated as a new machine with a release prior to 9.1.3.40197 - Orchestrators upgraded to 9.1.x were not affected. Resolution: If you have a version of Aruba EdgeConnect Enterprise Orchestrator (on-premises) that you believe is affected from the above criteria, please reach out to TAC for resolution assistance. Resolution ========== Upgrade Aruba EdgeConnect Enterprise Orchestrator to one of the following versions with the fixes to resolve all issues noted in the details section. - Aruba EdgeConnect Enterprise Orchestrator (on-premises) - Orchestrator 9.2.0.40405 and above - Orchestrator 9.1.3.40197 and above - Orchestrator 9.0.7.40110 and above - Orchestrator 8.10.23.40015 and above - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service - TAC will automatically create a support case for Aruba (Silver Peak) hosted Orchestrators to be upgraded. - Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Service providers must upgrade all tenants to a patched version listed above Aruba does not evaluate or patch product versions that have reached their End of Support (EoS) milestone. Supported versions as of the publication date of this advisory are: - Aruba EdgeConnect Enterprise Orchestrator 9.2.x - Aruba EdgeConnect Enterprise Orchestrator 9.1.x - Aruba EdgeConnect Enterprise Orchestrator 9.0.x - Aruba EdgeConnect Enterprise Orchestrator 8.10.x For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-Oct-11 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmM9iKkXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtk6hgf+Pog4Ikx66VHFIjT7owVLkbJ8 HK65RReWCqE8ruyeIeySQa4nZJ+nJZRaHagnunkRNeteC67ETo77Go8NetZ+XKnU SJ5AUF60+M8Yog4OOloNG8/ki0Eh/HZT6Stge+j/dJ1d+3QL78SPrFpUBEUWNOTM hTgwrkP+IZZJCJYHz+dy2bBNF5wwyzRau5xokoxAHzuJt4No01fTWQT3NWipPoBJ eNZKwDLMJBQCQGONY2yWCIs1QZZUQ3z7Ag7JbiJcRApSI91rxKbcCau5+14VmOZd PwUnVt85ijaQCxFO6yJXUgwrjYF/XjpP4IdcoKOCxOYquNVZzYgDFL+Iz9FWcQ== =HYd8 -----END PGP SIGNATURE-----