-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-016
CVE: CVE-2022-37897, CVE-2022-37898, CVE-2022-37899, CVE-2022-37900,
     CVE-2022-37901, CVE-2022-37902, CVE-2022-37903, CVE-2022-37904,
     CVE-2022-37905, CVE-2022-37906, CVE-2022-37907, CVE-2022-37908,
     CVE-2022-37909, CVE-2022-37910, CVE-2022-37911, CVE-2022-37912
Publication Date: 2022-Oct-25
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
ArubaOS Multiple Vulnerabilities

Overview
========
Aruba has released patches for ArubaOS that address multiple security
vulnerabilities.

Affected Products
=================
- Aruba Mobility Conductor (formerly Mobility Master)
- Aruba Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Affected Software Versions:
- ArubaOS 6.5.4.x : ArubaOS 6.5.4.22 and below
- ArubaOS 8.6.x.x : ArubaOS 8.6.0.17 and below
- ArubaOS 8.7.x.x : ArubaOS 8.7.1.9 and below
- ArubaOS 10.3.x.x : 10.3.0.0
- SD-WAN 8.7.0.0-2.3.0.x : 8.7.0.0-2.3.0.6 and below

The following ArubaOS and SD-WAN software versions are End of Life. They
should be considered affected by these vulnerabilities and are not patched
by this advisory:
- ArubaOS 8.4.x.x : all
- ArubaOS 8.5.x.x : all
- ArubaOS 8.8.x.x : all
- ArubaOS 8.9.x.x : all
- SD-WAN 8.5.0.0-2.1.x.x : all
- SD-WAN 8.6.0.4-2.2.x.x : all

Details
=======

Command Injection in the PAPI protocol (CVE-2022-37897)
---------------------------------------------------------------------
A command injection vulnerability exists that could lead to
unauthenticated remote code execution by sending specially crafted packets
to the PAPI (Aruba Networks AP management protocol) UDP port (8211).
Successful exploitation of this vulnerability results in the ability to
execute arbitrary code as a privileged user on the underlying operating
system.
Internal Reference: ATLWL-249
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.
Workaround: Enabling the Enhanced PAPI Security feature, where available,
will prevent exploitation of this vulnerability. Because no authentication
is required, restricting the CLI or web interface does not mitigate it;
see also the network segmentation guidance in the Workaround section
below. Please contact TAC for assistance if needed.

Authenticated Arbitrary Remote Command Execution (CVE-2022-37898,
CVE-2022-37899, CVE-2022-37900, CVE-2022-37901, CVE-2022-37902,
CVE-2022-37912)
---------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the ArubaOS
command line interface. Successful exploitation of these vulnerabilities
results in the ability to execute arbitrary commands as a privileged user
on the underlying operating system.

Internal References: ATLWL-164, ATLWL-202, ATLWL-207, ATLWL-223,
ATLWL-235, ATLWL-270
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: These vulnerabilities were discovered and reported by Erik de
Jong (bugcrowd.com/erikdejong) and Nikita Abramov of Positive Technologies
via Aruba's Bug Bounty Program.
Workaround: Block access to the ArubaOS command line interface from all
untrusted users.

Authenticated Remote Command Execution via Arbitrary File Write
(CVE-2022-37903)
---------------------------------------------------------------------
A vulnerability exists that allows an authenticated attacker to overwrite
an arbitrary file with attacker-controlled content via the web interface.
Successful exploitation of this vulnerability could lead to full compromise
of the underlying host operating system.
Internal Reference: ATLWL-238
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Jens
Krabbenhoeft via Aruba's Bug Bounty Program.
Workaround: Block access to the ArubaOS web interface from all untrusted
users.

Authenticated Boot Sequence Modification in ArubaOS (CVE-2022-37904,
CVE-2022-37905)
---------------------------------------------------------------------
Vulnerabilities exist in ArubaOS running on 7xxx series controllers that
allow an authenticated attacker to execute arbitrary code during the boot
sequence. Successful exploitation could allow an attacker to achieve
permanent modification of the underlying operating system.

Internal References: ATLWL-129, ATLWL-130
Severity: Medium
CVSSv3 Overall Score: 6.6
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: These vulnerabilities were discovered and reported by Nicholas
Starke of Aruba Threat Labs.
Workaround: Block access to the ArubaOS command line interface from all
untrusted users.

Authenticated Path Traversal in ArubaOS Command Line Interface
(CVE-2022-37906)
---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in the ArubaOS
command line interface. Successful exploitation of the vulnerability
results in the ability to delete arbitrary files on the underlying
operating system.

Internal Reference: ATLWL-231
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Discovery: This vulnerability was discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.
Workaround: Block access to the ArubaOS command line interface from all
untrusted users.
Denial of Service in ArubaOS Bootloader (CVE-2022-37907)
---------------------------------------------------------------------
A vulnerability exists in the ArubaOS bootloader on 7xxx series
controllers which can result in a denial of service (DoS) condition on an
impacted system. A successful attack causes a system hang that can only be
resolved by power-cycling the impacted controller.

Internal Reference: ATLWL-132
Severity: Medium
CVSSv3 Overall Score: 5.8
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H
Discovery: This vulnerability was discovered and reported by Nicholas
Starke of Aruba Threat Labs.
Workaround: Block access to the ArubaOS command line interface from all
untrusted users.

Authenticated Compromise of Bootloader Integrity (CVE-2022-37908)
---------------------------------------------------------------------
An authenticated attacker can impact the integrity of the ArubaOS
bootloader on 7xxx series controllers. Successful exploitation can
compromise the hardware chain of trust on the impacted controller.

Internal Reference: ATLWL-131
Severity: Medium
CVSSv3 Overall Score: 5.8
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Discovery: This vulnerability was discovered and reported by Nicholas
Starke of Aruba Threat Labs.
Workaround: Block access to the ArubaOS command line interface from all
untrusted users.

ArubaOS Sensitive Information Disclosure (CVE-2022-37909)
---------------------------------------------------------------------
Aruba has identified certain configurations of ArubaOS that can lead to
sensitive information disclosure from the configured ESSIDs. The scenarios
in which disclosure of potentially sensitive information can occur are
complex, and depend on factors beyond the control of attackers.

Internal Reference: ATLWL-280
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Discovery: This vulnerability was discovered by Aruba TAC.
Workaround: None

Authenticated Buffer Overflow in ArubaOS Command Line Interface Causes
Denial of Service (CVE-2022-37910)
---------------------------------------------------------------------
A buffer overflow vulnerability exists in the ArubaOS command line
interface. Successful exploitation of this vulnerability results in a
denial of service on the affected system.

Internal Reference: ATLWL-236
Severity: Medium
CVSSv3 Overall Score: 4.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Discovery: This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's Bug Bounty Program.
Workaround: Block access to the ArubaOS command line interface from all
untrusted users.

Authenticated XML External Entity (XXE) Vulnerability Leads to Arbitrary
File Read and Denial of Service (CVE-2022-37911)
---------------------------------------------------------------------
Due to improper restrictions on XML entities, multiple vulnerabilities
exist in the ArubaOS command line interface. A successful exploit could
allow an authenticated attacker to retrieve files from the local system or
cause the application to consume system resources, resulting in a denial
of service condition.

Internal Reference: ATLWL-232
Severity: Low
CVSSv3 Overall Score: 3.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L
Discovery: This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's Bug Bounty Program.
Workaround: Block access to the ArubaOS command line interface from all
untrusted users.
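The "Affected Software Versions" list at the top of this advisory gives,
per branch, the highest affected build, plus a set of End-of-Life branches
that are affected and receive no fix. The script below is an added example
(it is not part of the advisory and not Aruba tooling) that triages an
inventory of controller and gateway version strings against exactly that
list. The product labels "ArubaOS" and "SD-WAN", the host names and the
version strings in INVENTORY are constructed sample data; the thresholds
are copied from the advisory. A branch the advisory does not list (for
example 8.10.x, which the Resolution section names only as a fixed
version) is reported as "unlisted", not as safe.

```python
"""Triage ArubaOS / SD-WAN version strings against ARUBA-PSA-2022-016.

Added example, not Aruba tooling. AFFECTED is copied from the advisory's
"Affected Software Versions" list; INVENTORY is constructed sample data.
"""
import re
from typing import List, Optional, Tuple

# (product, branch prefix, highest affected build). A build of None marks
# an End-of-Life branch: every build on it is affected and none is patched.
AFFECTED: List[Tuple[str, str, Optional[str]]] = [
    ("ArubaOS", "6.5.4", "6.5.4.22"),
    ("ArubaOS", "8.6", "8.6.0.17"),
    ("ArubaOS", "8.7", "8.7.1.9"),
    ("ArubaOS", "10.3", "10.3.0.0"),
    ("SD-WAN", "8.7.0.0-2.3.0", "8.7.0.0-2.3.0.6"),
    ("ArubaOS", "8.4", None),
    ("ArubaOS", "8.5", None),
    ("ArubaOS", "8.8", None),
    ("ArubaOS", "8.9", None),
    ("SD-WAN", "8.5.0.0-2.1", None),
    ("SD-WAN", "8.6.0.4-2.2", None),
]

# Constructed inventory: (hostname, product, running version)
INVENTORY = [
    ("mc-campus-1", "ArubaOS", "8.7.1.9"),
    ("mc-campus-2", "ArubaOS", "8.7.1.10"),
    ("mm-core", "ArubaOS", "8.6.0.17"),
    ("mc-legacy", "ArubaOS", "8.5.0.13"),
    ("gw-branch-7", "SD-WAN", "8.7.0.0-2.3.0.6"),
    ("gw-branch-8", "SD-WAN", "8.7.0.0-2.3.0.7"),
    ("mc-new", "ArubaOS", "8.10.0.0"),
    ("mc-old", "ArubaOS", "6.5.4.23"),
]


def parse(version: str) -> Tuple[int, ...]:
    """'8.7.0.0-2.3.0.6' -> (8, 7, 0, 0, 2, 3, 0, 6).

    Every run of digits becomes one component, so '.' and '-' separators
    are treated alike and any non-numeric suffix is ignored.
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


def assess(product: str, version: str) -> Tuple[str, str]:
    """Return (status, reason) for one device.

    affected      on a listed branch at or below the highest affected build
    affected-eol  on an End-of-Life branch: affected, no fix in this advisory
    not-affected  on a listed branch but above the highest affected build
    unlisted      branch not in the advisory's affected list (e.g. 8.10.x)
    unknown       version string too short to compare against the threshold
    """
    v = parse(version)
    for prod, branch, last in AFFECTED:
        b = parse(branch)
        if prod != product or v[: len(b)] != b:
            continue
        if last is None:
            return "affected-eol", f"{branch}.x is End of Life; migrate to a supported branch"
        threshold = parse(last)
        if len(v) < len(threshold):
            return "unknown", f"{version} has fewer components than threshold {last}"
        # Compare only as many components as the threshold has, so an extra
        # trailing build number does not push a vulnerable build above it.
        if v[: len(threshold)] <= threshold:
            return "affected", f"{version} <= {last}"
        return "not-affected", f"{version} > {last}"
    return "unlisted", f"{product} {version} is on a branch the advisory does not list"


def needs_action(inventory) -> List[Tuple[str, str]]:
    """Hosts that require a change: 'affected' (patch) or 'affected-eol' (migrate)."""
    out = []
    for host, product, version in inventory:
        status, _ = assess(product, version)
        if status in ("affected", "affected-eol"):
            out.append((host, status))
    return out


if __name__ == "__main__":
    for host, product, version in INVENTORY:
        status, reason = assess(product, version)
        print(f"{host:12} {product:8} {version:18} {status:13} {reason}")
    print("action required:", needs_action(INVENTORY))
```

Run the script to print one line per device; the "unlisted" and
"unknown" outcomes are deliberately separate from "not-affected" so that a
version string the advisory does not cover is not silently treated as
patched. Re-check the thresholds against the current revision of the
advisory before relying on the output.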
Resolution
==========
Upgrade Mobility Controllers and Gateways to one of the following ArubaOS
versions (as applicable) to resolve all the vulnerabilities described in
the Details section:
- ArubaOS 6.5.4.x: 6.5.4.23 and above
- ArubaOS 8.6.x: 8.6.0.18 and above
- ArubaOS 8.7.x: 8.7.1.10 and above
- ArubaOS 8.10.x: 8.10.0.0 and above
- ArubaOS 10.3.x: 10.3.0.1 and above
- SD-WAN-2.3.0.x: 8.7.0.0-2.3.0.7 and above

Aruba does not evaluate or patch ArubaOS branches that have reached their
End of Support (EoS) milestone. For more information about Aruba's End of
Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these vulnerabilities,
Aruba recommends that communication between Controllers/Gateways and
Access Points be restricted, either by placing them on a dedicated layer 2
segment/VLAN or, where Controllers/Gateways and Access Points cross layer 3
boundaries, by applying firewall policies that limit this communication to
the authorized devices. In addition, enabling the Enhanced PAPI Security
feature will prevent the PAPI-specific vulnerabilities above from being
exploited. Note that the per-vulnerability workarounds that restrict the
command line and web interfaces do not mitigate CVE-2022-37897, which
requires no authentication; for that issue the network restrictions or
Enhanced PAPI Security are required. Contact Aruba Support for
configuration assistance.

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that targets
these specific vulnerabilities as of the release date of this advisory.

Revision History
================
Revision 1 / 2022-Oct-25 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption.
Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmNPAvYXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtlYbggAqFFpy5+FXhntGWa0HOWqMIGf
cVt9AxmasLbNkx6bDGN1krgSg35TgaAi7/NoxQcAn2JoPh3Jewec9uMvfO8LPB2B
pLd8fdp28Obk1AOMUSs13FMW6XRz1W5uw9avCkn8uVwDc3tivQ1IGwOcOtHZ1ea6
9GndfCOzHBklYalXgdr8IS1UzCWAG12QGkXYroUFlJ17khdo53bV8JK/2TfdbFMz
9pqZlne82qvuRxy4Tl6j/B9hb9KSijblE9e10k4YNpOIdoMLsNMI91YCxSMID/LY
HXPEcVnC/dPOg1cRF3rbjqMAxc/Ma9aHfsa9jjsbkY6xxDw1GVjM/dJDZlex6Q==
=0Kfn
-----END PGP SIGNATURE-----