-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-018 CVE: CVE-2022-37919, CVE-2022-37920, CVE-2022-37921, CVE-2022-37922, CVE-2022-37923, CVE-2022-37924, CVE-2022-37925, CVE-2022-37926, CVE-2022-43518, CVE-2022-43541, CVE-2022-43542, CVE-2022-44532, CVE-2022-44533 Publication Date: 2022-Nov-22 Status: Confirmed Severity: High Revision: 1 Title ===== Multiple Vulnerabilities in Aruba EdgeConnect Enterprise Overview ======== Aruba has released patches for Aruba EdgeConnect Enterprise that address multiple security vulnerabilities. Affected Products ================= - Aruba EdgeConnect Enterprise - ECOS 9.2.1.0 and below - ECOS 9.1.3.0 and below - ECOS 9.0.7.0 and below - ECOS 8.3.7.1 and below Versions of Aruba EdgeConnect Enterprise that are end of life are affected by these vulnerabilities unless otherwise indicated. Unaffected Products =================== Any other Aruba products not specifically listed above are not affected by these vulnerabilities. Details ======= Unauthenticated Denial-of-Service (DoS) Condition in Aruba EdgeConnect Enterprise API (CVE-2022-37919) -------------------------------------------------------------- A vulnerability exists in the API of Aruba EdgeConnect Enterprise. An unauthenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition which prevents the appliance from properly responding to API requests. Internal Reference: ATLSP-2 Severity: High CVSSv3.x Overall Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered by Aruba's internal engineering team Authenticated Remote Code Execution in Aruba EdgeConnect Enterprise Command Line Interface Leading to Full System Compromise (CVE-2022-37920, CVE-2022-37921, CVE-2022-37922, CVE-2022-37923, CVE-2022-37924, CVE-2022-43541, CVE-2022-43542) --------------------------------------------------------------------- Vulnerabilities in the Aruba EdgeConnect Enterprise command line interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLSP-31, ATLSP-32, ATLSP-36, ATLSP-37, ATLSP-39, ATLSP-41, ATLSP-46 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: These vulnerabilities were discovered and reported by Bill Marquette, Daniel Jensen (@dozernz), and Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Authenticated Remote Code Execution in Aruba EdgeConnect Enterprise Web Management Interface Leading to Full System Compromise (CVE-2022-44533) --------------------------------------------------------------------- A vulnerability in the Aruba EdgeConnect Enterprise web management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Internal References: ATLSP-52 Severity: High CVSSv3 Overall Score: 7.2 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Reflected Cross Site Scripting Vulnerability (XSS) in Aruba EdgeConnect Enterprise Web Management Interface (CVE-2022-37925) --------------------------------------------------------------------- A vulnerability within the web-based management interface of Aruba EdgeConnect Enterprise could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. Internal References: ATLSP-35 Severity: Medium CVSSv3 Overall Score: 6.1 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Stored Cross Site Scripting Vulnerability (XSS) in EdgeConnect Enterprise Web Management Interface via File Upload (CVE-2022-37926) --------------------------------------------------------------------- A vulnerability within the web-based management interface of EdgeConnect Enterprise could allow a remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface by uploading a specially crafted file. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. Internal References: ATLSP-40 Severity: Medium CVSSv3 Overall Score: 5.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N Discovery: This vulnerability was discovered and reported by Bill Marquette via Aruba's Bug Bounty Program. Authenticated Remote Path Traversal in Aruba EdgeConnect Enterprise Web Interface Allows for Arbitrary File Read (CVE-2022-43518) --------------------------------------------------------------------- An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise web interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. Internal References: ATLSP-24 Severity: Medium CVSSv3 Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program. Authenticated Remote Path Traversal in Aruba EdgeConnect Enterprise Command Line Interface Allows for Arbitrary File Read (CVE-2022-44532) --------------------------------------------------------------------- An authenticated path traversal vulnerability exists in the Aruba EdgeConnect Enterprise command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files. Internal References: ATLSP-29 Severity: Medium CVSSv3 Overall Score: 4.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered and reported by Erik De Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program. Resolution ========== Upgrade Aruba EdgeConnect Enterprise to one of the following versions to resolve all issues noted in the details section. - Aruba EdgeConnect Enterprise - ECOS 9.2.2.0 and above - ECOS 9.1.4.0 and above - ECOS 9.0.8.0 and above - ECOS 8.3.8.0 and above Aruba does not evaluate or patch product versions that have reached their End of Support (EoS) milestone. Supported versions as of the publication date of this advisory are: - Aruba EdgeConnect Enterprise 9.2.x - Aruba EdgeConnect Enterprise 9.1.x - Aruba EdgeConnect Enterprise 9.0.x - Aruba EdgeConnect Enterprise 8.3.x For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code that target these specific vulnerabilities as of the release date of the advisory. Revision History ================ Revision 1 / 2022-Nov-22 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmNjx2sXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtl8Ugf+NPYBlbSRZBuitTDhuAA1aqh3 b3Iy08BQK/U7NLHSwHpJUFyv7+at54/Mp57RiruBOvp0xcVpsCzJE+lY6qXtaAaY utQYcXNCcz+8G3gWe7DXrUikMk56k9i/+VDSvQJ1Fn7RCm89iwnHauoVQVi4Kh6u b/vCyCyljWBFNxA2JGjGiKqJbj6tp9ErowwTGqzwyw1TieH5Fzo/lIR4mPvT0itd t7HhQIlCrkSb0nj8qLvG+g25XZ+ToHGOP4Xda5M7ISn4kKxUkpQfjptXR3HgKNOm gG641FqqP3ZGOqwF6dyxslo0JU7Em3zbJIyTC+23fVF9EpARFudrJbspUYHLsA== =ciDp -----END PGP SIGNATURE-----