-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-021
CVE: CVE-2022-43519, CVE-2022-43520, CVE-2022-43521, CVE-2022-43522,
     CVE-2022-43523, CVE-2022-43524, CVE-2022-43525, CVE-2022-43526,
     CVE-2022-43527, CVE-2022-43528, CVE-2022-43529, CVE-2022-44534,
     CVE-2022-44535
Publication Date: 2022-Dec-13
Status: Confirmed
Severity: High
Revision: 1

Title
=====
Multiple Vulnerabilities in Aruba EdgeConnect Enterprise Orchestrator

Overview
========
Aruba has released patches for Aruba EdgeConnect Enterprise Orchestrator
that address multiple security vulnerabilities.

Affected Products
=================
- Aruba EdgeConnect Enterprise Orchestrator (on-premises)
- Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
- Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect
  Enterprise Orchestrator Global Enterprise Tenant Orchestrators
  - Orchestrator 9.2.1.40179 and below
  - Orchestrator 9.1.4.40436 and below
  - Orchestrator 9.0.7.40110 and below
  - Orchestrator 8.10.23.40015 and below
  - Any older branches of Orchestrator not specifically mentioned

Versions of Aruba EdgeConnect Enterprise Orchestrator that are end of life
are affected by these vulnerabilities unless otherwise indicated.

Unaffected Products
===================
Any other Aruba products not specifically listed above are not affected by
these vulnerabilities.

Details
=======

Authenticated SQL Injection Vulnerabilities in Aruba EdgeConnect Enterprise
Orchestrator Web-based Management Interface (CVE-2022-43519,
CVE-2022-43520, CVE-2022-43521, CVE-2022-43522, CVE-2022-43523)
---------------------------------------------------------------------
Multiple vulnerabilities in the web-based management interface of Aruba
EdgeConnect Enterprise Orchestrator could allow an authenticated remote
attacker to conduct SQL injection attacks against the Aruba EdgeConnect
Enterprise Orchestrator instance.
An attacker could exploit these vulnerabilities to obtain and modify
sensitive information in the underlying database, potentially leading to
complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host.

Internal References: ATLSP-5, ATLSP-6, ATLSP-8, ATLSP-9, ATLSP-13,
ATLSP-14, ATLSP-19, ATLSP-20, ATLSP-21, ATLSP-22, ATLSP-23, ATLSP-43,
ATLSP-44, ATLSP-45
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program.

Privilege Escalation Vulnerability in Aruba EdgeConnect Enterprise
Orchestrator Web-based Management Interface Leading to Full System
Compromise (CVE-2022-44535)
---------------------------------------------------------------------
A vulnerability in the Aruba EdgeConnect Enterprise Orchestrator web-based
management interface allows remote low-privileged authenticated users to
escalate their privileges to those of an administrative user. A successful
exploit could allow an attacker to achieve administrative privilege on the
web-management interface, leading to complete system compromise.

Internal References: ATLSP-50
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's Bug Bounty Program.

Authenticated Stored Cross-Site Scripting Vulnerability (XSS) in Aruba
EdgeConnect Enterprise Orchestrator Web Administration Interface
(CVE-2022-43524)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of Aruba EdgeConnect
Enterprise Orchestrator could allow an authenticated remote attacker to
conduct a stored cross-site scripting (XSS) attack against an
administrative user of the interface.
A successful exploit allows an attacker to execute arbitrary script code in
a victim's browser in the context of the affected interface.

Internal References: ATLSP-47
Severity: High
CVSSv3 Overall Score: 8.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Discovery: This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's Bug Bounty Program.

Authenticated Remote Code Execution in Aruba EdgeConnect Enterprise
Orchestrator Web-based Management Interface Leading to Full System
Compromise (CVE-2022-44534)
---------------------------------------------------------------------
A vulnerability in the Aruba EdgeConnect Enterprise Orchestrator web-based
management interface allows remote authenticated users to run arbitrary
commands on the underlying host. A successful exploit could allow an
attacker to execute arbitrary commands as root on the underlying operating
system, leading to complete system compromise.

Internal References: ATLSP-49
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's Bug Bounty Program.

Reflected Cross-Site Scripting Vulnerabilities (XSS) in Aruba EdgeConnect
Enterprise Orchestrator Web Management Interface (CVE-2022-43525,
CVE-2022-43526, CVE-2022-43527)
---------------------------------------------------------------------
Multiple vulnerabilities within the web-based management interface of Aruba
EdgeConnect Enterprise Orchestrator could allow a remote attacker to
conduct a reflected cross-site scripting (XSS) attack against a user of the
interface. A successful exploit could allow an attacker to execute
arbitrary script code in a victim's browser in the context of the affected
interface.
Internal References: ATLSP-4, ATLSP-15, ATLSP-18
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Discovery: These vulnerabilities were discovered and reported by Daniel
Jensen (@dozernz) via Aruba's Bug Bounty Program.

Multi-factor Authentication Bypass in Aruba EdgeConnect Enterprise
Orchestrator (CVE-2022-43528)
---------------------------------------------------------------------
Under certain configurations, an attacker can log in to Aruba EdgeConnect
Enterprise Orchestrator without supplying a multi-factor authentication
code. Successful exploitation allows an attacker to log in using only a
username and password, bypassing the MFA requirement.

Internal References: ATLSP-11
Severity: Medium
CVSSv3 Overall Score: 4.8
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Discovery: This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's Bug Bounty Program.

Failure to Properly Invalidate User Session in Aruba EdgeConnect
Enterprise Orchestrator Web-Based Management Interface (CVE-2022-43529)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of Aruba EdgeConnect
Enterprise Orchestrator could allow a remote attacker to persist a session
after a password reset or similar session-clearing event. Successful
exploitation of this vulnerability could allow an authenticated attacker to
remain on the system with the permissions of their current session after
the session should have been invalidated.

Internal References: ATLSP-16
Severity: Medium
CVSSv3 Overall Score: 4.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Discovery: This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's Bug Bounty Program.

Resolution
==========
Upgrade Aruba EdgeConnect Enterprise Orchestrator to one of the following
versions with the fixes to resolve all issues noted in the Details section.
- Aruba EdgeConnect Enterprise Orchestrator (on-premises)
  - Orchestrator 9.2.2.40291 and above
  - Orchestrator 9.1.5.40037 and above
- Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
  - TAC will automatically create a support case for Aruba (Silver Peak)
    hosted Orchestrators to be upgraded.
- Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect
  Enterprise Orchestrator Global Enterprise Tenant Orchestrators
  - Service providers must upgrade all tenants to a patched version listed
    above.

Aruba does not evaluate or patch product versions that have reached their
End of Support (EoS) milestone. Supported versions as of the publication
date of this advisory are:

- Aruba EdgeConnect Enterprise Orchestrator 9.2.x
- Aruba EdgeConnect Enterprise Orchestrator 9.1.x

Note: Aruba EdgeConnect Enterprise Orchestrator releases 8.10.x and 9.0.x
have been declared End of Maintenance (EoM). This is earlier than
previously published because of challenges associated with porting the
security fixes covered in this advisory without introducing undue risks.

For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these vulnerabilities,
Aruba recommends that the CLI and web-based management interfaces be
restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that targets
these specific vulnerabilities as of the release date of the advisory.
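As an added illustration of the version bounds given in the Affected Products and Resolution sections (this is example code written for this page, not an Aruba tool), the following Python classifies an Orchestrator version string against the affected builds and the fixed builds quoted in this advisory, and applies the "older branches not specifically mentioned" and End of Maintenance rules. The version format "major.minor.patch.build" is assumed from the numbers the advisory quotes; the hostnames and versions in SAMPLE_INVENTORY are constructed.

```python
"""Classify Aruba EdgeConnect Enterprise Orchestrator versions against
ARUBA-PSA-2022-021 (added example; not Aruba's code)."""

from typing import Dict, Tuple

Version = Tuple[int, ...]          # (major, minor, patch, build)
Branch = Tuple[int, int]           # (major, minor)

# Highest affected build per branch ("Affected Products" section).
AFFECTED_MAX: Dict[Branch, Version] = {
    (9, 2): (9, 2, 1, 40179),
    (9, 1): (9, 1, 4, 40436),
    (9, 0): (9, 0, 7, 40110),
    (8, 10): (8, 10, 23, 40015),
}
# Lowest fixed build per supported branch ("Resolution" section).
FIXED_MIN: Dict[Branch, Version] = {
    (9, 2): (9, 2, 2, 40291),
    (9, 1): (9, 1, 5, 40037),
}
# Branches at or below this one that are not listed are still affected.
OLDEST_LISTED_BRANCH: Branch = (8, 10)

# Human-readable action per classification (defender's view).
RECOMMENDATION = {
    "fixed": "no action for this advisory",
    "affected": "upgrade to the fixed build for this branch",
    "affected-eom": "branch is End of Maintenance; move to 9.1.x or 9.2.x",
    "unlisted": "not covered by the advisory's stated bounds; confirm with vendor",
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch.build' into a comparable tuple of ints.
    Format assumed from the numbers quoted in the advisory."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Orchestrator version format: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> str:
    """Return one of: fixed, affected, affected-eom, unlisted."""
    v = parse_version(text)
    branch: Branch = (v[0], v[1])
    if branch in FIXED_MIN:                       # 9.2.x / 9.1.x: fix available
        if v >= FIXED_MIN[branch]:
            return "fixed"
        if v <= AFFECTED_MAX[branch]:
            return "affected"
        return "unlisted"                         # between the two stated bounds
    if branch in AFFECTED_MAX:                    # 9.0.x / 8.10.x: EoM, no fix
        return "affected-eom" if v <= AFFECTED_MAX[branch] else "unlisted"
    if branch < OLDEST_LISTED_BRANCH:             # "any older branches not mentioned"
        return "affected-eom"
    return "unlisted"                             # newer than anything listed


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its classification; unparsable versions are flagged."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = assess(version)
        except ValueError:
            result[host] = "unlisted"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "orch-prod-01": "9.2.1.40179",
    "orch-prod-02": "9.2.2.40291",
    "orch-lab-01": "9.0.7.40110",
    "orch-legacy": "8.9.2.30001",
}

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} -> {RECOMMENDATION[status]}")
```

Tuple comparison does the ordering work: Python compares (major, minor, patch, build) element by element, so "and below" / "and above" map directly onto `<=` and `>=` against the advisory's bounds. A build that falls between the last affected build and the first fixed build of a branch is reported as "unlisted" rather than guessed, because the advisory does not state its status.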
Revision History
================
Revision 1 / 2022-Dec-13 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:

https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQFKBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmNlJ70XHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtk0fwf3SluSyj6psV1vEIfqbX4aAOo5
sbHfPnwE8digyIfP5695o4rdD9crmAEtLX0anOqIvbmqLEFZOqn+nYfjrkB55wzA
QsRSeTnI0cXsfPtgwq6t8es3rGJYou8fs0uuW9Be9StVoDXvYXGbzIrtWX4DX2MH
rBg4Iw/Xdh7S7QHt9VDLPFVptULM/tZPDIXUiKgHNEloBVDsS2LO0jIPzKPB1ISn
tKsWlsbVdJakWo/NWHahJapyslKYZIwlWIDD6QBZ/aovy7CFwGonhmMBgJnFp1g1
xiRNiQZw8CWBDhtyiPhToLjE+S30usoTN1xyAtpInt1Km3RlxjCmX8FzizXc
=aGJn
-----END PGP SIGNATURE-----