-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2023-002
CVE: CVE-2021-3712, CVE-2023-22747, CVE-2023-22748, CVE-2023-22749,
     CVE-2023-22750, CVE-2023-22751, CVE-2023-22752, CVE-2023-22753,
     CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, CVE-2023-22757,
     CVE-2023-22758, CVE-2023-22759, CVE-2023-22760, CVE-2023-22761,
     CVE-2023-22762, CVE-2023-22763, CVE-2023-22764, CVE-2023-22765,
     CVE-2023-22766, CVE-2023-22767, CVE-2023-22768, CVE-2023-22769,
     CVE-2023-22770, CVE-2023-22771, CVE-2023-22772, CVE-2023-22773,
     CVE-2023-22774, CVE-2023-22775, CVE-2023-22776, CVE-2023-22777,
     CVE-2023-22778
Publication Date: 2023-Feb-28
Last Update: 2023-Mar-10
Status: Confirmed
Severity: Critical
Revision: 2

Title
=====
ArubaOS Multiple Vulnerabilities

Overview
========
Aruba has released patches for ArubaOS that address multiple security vulnerabilities.

Affected Products
=================
- Aruba Mobility Conductor (formerly Mobility Master)
- Aruba Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Affected Software Versions:
- ArubaOS 8.6.x.x: 8.6.0.19 and below
- ArubaOS 8.10.x.x: 8.10.0.4 and below
- ArubaOS 10.3.x.x: 10.3.1.0 and below
- SD-WAN 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.8 and below

Updating a branch of ArubaOS to the version listed in the Resolution section at the end of this advisory resolves all known issues with that branch.
The following ArubaOS and SD-WAN software versions are End of Life, are affected by these vulnerabilities and are not patched by this advisory:
- ArubaOS 6.5.4.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.9.x.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all

Details
=======

Multiple Unauthenticated Command Injections in the PAPI Protocol (CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, CVE-2023-22750)
---------------------------------------------------------------------
There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal References: ATLWL-250, ATLWL-316, ATLWL-317, ATLWL-318
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of these vulnerabilities. Please contact Aruba Support for any configuration assistance.

Unauthenticated Stack-Based Buffer Overflow Vulnerabilities in the PAPI Protocol (CVE-2023-22751, CVE-2023-22752)
---------------------------------------------------------------------
There are stack-based buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
Internal References: ATLWL-252, ATLWL-331
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of these vulnerabilities. Please contact Aruba Support for any configuration assistance.

Unauthenticated Buffer Overflow Vulnerabilities in ArubaOS Processes (CVE-2023-22753, CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, CVE-2023-22757)
---------------------------------------------------------------------
There are buffer overflow vulnerabilities in multiple underlying operating system processes that could lead to unauthenticated remote code execution by sending specially crafted packets via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal References: ATLWL-194, ATLWL-269
Severity: High
CVSSv3 Overall Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Haoliang Lu at the WuHeng Lab of ByteDance.

Resolved Versions: Please note that due to the complexity of the code changes involved, it was not possible to backport the fixes for these specific vulnerabilities (CVE-2023-22753, CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, CVE-2023-22757) to ArubaOS 8.6.x. Customers using firmware versions in the 8.6.x branch are urged to implement the workaround listed in this section or to upgrade to ArubaOS 8.10.x.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of these vulnerabilities. Please contact Aruba Support for any configuration assistance.
Authenticated Read Buffer Overruns Processing ASN.1 Strings in ArubaOS (CVE-2021-3712)
---------------------------------------------------------------------
A vulnerability exists which allows an authenticated attacker to access sensitive information via the ArubaOS web-based management interface. Successful exploitation allows an attacker to gain access to some data in cleartext, exposing other network infrastructure to further compromise.

Internal References: ATLWL-295
Severity: High
CVSSv3 Overall Score: 7.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

Discovery: This vulnerability was discovered and reported by Ingo Schwarze.

Workaround: See the Workaround section at the end of this document.

Authenticated Remote Command Execution in ArubaOS Web-based Management Interface (CVE-2023-22758, CVE-2023-22759, CVE-2023-22760, CVE-2023-22761)
---------------------------------------------------------------------
Authenticated remote command injection vulnerabilities exist in the ArubaOS web-based management interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS.

Internal References: ATLWL-177, ATLWL-265, ATLWL-274, ATLWL-276
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz), Erik de Jong (bugcrowd.com/erikdejong) and Nikita Abramov via Aruba's Bug Bounty Program.

Workaround: Block access to the ArubaOS web-based management interface from all untrusted users.
Authenticated Remote Command Execution in the ArubaOS Command Line Interface (CVE-2023-22762, CVE-2023-22763, CVE-2023-22764, CVE-2023-22765, CVE-2023-22766, CVE-2023-22767, CVE-2023-22768, CVE-2023-22769, CVE-2023-22770)
---------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.

Internal References: ATLWL-103, ATLWL-203, ATLWL-206, ATLWL-221, ATLWL-227, ATLWL-229, ATLWL-240, ATLWL-314, ATLWL-319
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) and Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.

Workaround: See the Workaround section at the end of this document.

Insufficient Session Expiration in ArubaOS Command Line Interface (CVE-2023-22771)
---------------------------------------------------------------------
An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impacted account.

Internal References: ATLWL-117
Severity: Medium
CVSSv3 Overall Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Mitchell Pompe of Netskope.

Workaround: Block access to the ArubaOS command line interface from all untrusted users.

Authenticated Path Traversal in ArubaOS Web-based Management Interface Allows for Arbitrary File Deletion (CVE-2023-22772)
---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in the ArubaOS web-based management interface.
Successful exploitation of this vulnerability results in the ability to delete arbitrary files in the underlying operating system.

Internal References: ATLWL-277
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Discovery: This vulnerability was discovered and reported by Nikita Abramov via Aruba's Bug Bounty Program.

Workaround: Block access to the ArubaOS web-based management interface from all untrusted users.

Authenticated Path Traversal in ArubaOS Command Line Interface Allows for Arbitrary File Deletion (CVE-2023-22773, CVE-2023-22774)
---------------------------------------------------------------------
Authenticated path traversal vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to delete arbitrary files in the underlying operating system.

Internal References: ATLWL-228, ATLWL-230
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.

Workaround: Block access to the ArubaOS command line interface from all untrusted users.

Authenticated Sensitive Information Disclosure in ArubaOS Command Line Interface (CVE-2023-22775)
---------------------------------------------------------------------
A vulnerability exists which allows an authenticated attacker to access sensitive information on the ArubaOS command line interface. Successful exploitation could allow access to data beyond what is authorized by the user's existing privilege level.

Internal References: ATLWL-121
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program.
Workaround: Block access to the ArubaOS command line interface from all untrusted users.

Authenticated Remote Path Traversal in ArubaOS Command Line Interface Allows for Arbitrary File Read (CVE-2023-22776)
---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files.

Internal References: ATLWL-127
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Nicholas Starke of Aruba Threat Labs.

Workaround: Block access to the ArubaOS command line interface from all untrusted users.

Authenticated Information Disclosure in ArubaOS Web-based Management Interface (CVE-2023-22777)
---------------------------------------------------------------------
An authenticated information disclosure vulnerability exists in the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files in the underlying operating system.

Internal References: ATLWL-275
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Nikita Abramov via Aruba's Bug Bounty Program.

Workaround: Block access to the ArubaOS web-based management interface from all untrusted users.

Authenticated Stored Cross-Site Scripting (CVE-2023-22778)
---------------------------------------------------------------------
A vulnerability in the ArubaOS web management interface could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.
A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Internal References: ATLWL-32
Severity: Medium
CVSSv3 Overall Score: 4.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by Phil Purviance (@superevr) via Aruba's Bug Bounty Program.

Workaround: See the Workaround section at the end of this document.

Resolution
==========
PLEASE NOTE - To fully patch the unauthenticated buffer overflow vulnerabilities disclosed above, customers must upgrade to the following versions:
- ArubaOS 8.10.x.x: 8.10.0.5 and above
- ArubaOS 8.11.x.x: 8.11.0.0 and above
- ArubaOS 10.3.x.x: 10.3.1.1 and above
- SD-WAN 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.9 and above

Customers who choose to implement the workarounds listed in the Workaround section below should note that all other vulnerabilities listed in this document are addressed by the following versions:
- ArubaOS 8.6.x.x: 8.6.0.20 and above (please note that not all issues are fixed in 8.6.x.x; see the Details section above for specific information)
- ArubaOS 8.10.x.x: 8.10.0.5 and above
- ArubaOS 8.11.x.x: 8.11.0.0 and above
- ArubaOS 10.3.x.x: 10.3.1.1 and above
- SD-WAN 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.9 and above

Aruba does not evaluate or patch ArubaOS branches that have reached their End of Support (EoS) milestone. For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that communication between Controllers/Gateways and Access Points be restricted, either by placing them on a dedicated layer 2 segment/VLAN or, where Controllers/Gateways and Access Points cross layer 3 boundaries, by firewall policies that restrict communication to these authorized devices.
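Before choosing between the workarounds in this section and an upgrade, a defender has to place every Controller, Conductor and Gateway in the fleet against the version lists above: affected branches with their first fixed release, the 8.6.x branch that is only partially fixed, and the End of Life branches that receive no patch. The following is an added example, not Aruba tooling: it encodes those thresholds from the Affected Products and Resolution sections of this advisory and classifies a version string. The branch-matching scheme (comparing leading numeric fields, with SD-WAN versions such as 8.7.0.0-2.3.0.x treated as one sequence of fields) and the sample inventory at the bottom are assumptions constructed for the example; Aruba's own version semantics may differ in corner cases the advisory does not describe.

```python
"""Triage an ArubaOS / SD-WAN version against ARUBA-PSA-2023-002.

Added example (not Aruba tooling). Thresholds come from the Affected Products
and Resolution sections of the advisory; the branch-matching scheme and the
sample inventory are constructed for illustration.
"""
import re

# First fixed release per branch ("X and above" in the Resolution section).
# Branches are matched on their leading numeric fields.
ARUBAOS_FIXED = {
    (8, 6): "8.6.0.20",
    (8, 10): "8.10.0.5",
    (8, 11): "8.11.0.0",
    (10, 3): "10.3.1.1",
}
SDWAN_FIXED = {
    (8, 7, 0, 0, 2, 3, 0): "8.7.0.0-2.3.0.9",
}
# Branches the advisory lists as End of Life: affected and not patched.
ARUBAOS_EOL = [(6, 5, 4), (8, 7), (8, 8), (8, 9)]
SDWAN_EOL = [(8, 6, 0, 4, 2, 2)]
# 8.6.x gets no fix for the unauthenticated buffer overflows in OS processes.
PARTIAL = {
    (8, 6): "CVE-2023-22753 to CVE-2023-22757 are not fixed in 8.6.x; "
            "enable Enhanced PAPI Security with a non-default key or upgrade to 8.10.x",
}


def parse_version(version: str) -> tuple:
    """'8.7.0.0-2.3.0.8' -> (8, 7, 0, 0, 2, 3, 0, 8); every numeric field takes part in ordering."""
    fields = tuple(int(f) for f in re.findall(r"\d+", version))
    if not fields:
        raise ValueError(f"no numeric fields in version {version!r}")
    return fields


def _branch_of(fields, branches):
    """Return the longest listed branch prefix that matches the version, or None."""
    hits = [b for b in branches if fields[:len(b)] == b]
    return max(hits, key=len) if hits else None


def assess(product: str, version: str) -> tuple:
    """Classify a version as (status, detail).

    status is one of 'patched', 'partially-patched', 'vulnerable',
    'end-of-life' or 'unknown' (branch not named in the advisory).
    """
    if product == "ArubaOS":
        fixed, eol = ARUBAOS_FIXED, ARUBAOS_EOL
    elif product == "SD-WAN":
        fixed, eol = SDWAN_FIXED, SDWAN_EOL
    else:
        raise ValueError(f"unknown product {product!r}")
    fields = parse_version(version)

    if _branch_of(fields, eol) is not None:
        return ("end-of-life", "branch is End of Life and not patched by this advisory")

    branch = _branch_of(fields, fixed)
    if branch is None:
        return ("unknown", "branch not named in ARUBA-PSA-2023-002")
    first_fixed = fixed[branch]
    if fields < parse_version(first_fixed):
        return ("vulnerable", f"upgrade to {first_fixed} or later")
    if branch in PARTIAL:
        return ("partially-patched", PARTIAL[branch])
    return ("patched", f"at or above {first_fixed}")


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [
        ("ArubaOS", "8.6.0.19"), ("ArubaOS", "8.6.0.20"), ("ArubaOS", "8.10.0.4"),
        ("ArubaOS", "8.10.0.5"), ("ArubaOS", "8.9.0.3"), ("SD-WAN", "8.7.0.0-2.3.0.8"),
    ]
    for product, version in inventory:
        status, detail = assess(product, version)
        print(f"{product:8s} {version:18s} {status:18s} {detail}")
```

The End of Life check runs before the fixed-version check on purpose: an 8.7.x.x controller is numerically above 8.6.0.20 but the advisory gives it no fix at all, so version ordering alone would misreport it. Likewise 8.6.0.20 is reported as partially patched rather than patched, which is the signal to enable Enhanced PAPI Security on that branch.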
Enabling the Enhanced PAPI Security feature will prevent the PAPI-specific vulnerabilities above from being exploited. Vulnerability-specific workarounds are listed per vulnerability above.

Please note that this advisory contains specific workarounds and patching instructions for critical security vulnerabilities. Contact Aruba Support for any configuration assistance.

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that targets these specific vulnerabilities as of the release date of the advisory.

Revision History
================
Revision 1 / 2023-Feb-28 / Initial release
Revision 2 / 2023-Mar-10 / Changed reporter acknowledgement for Haoliang Lu

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmQHXhkXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtltMQf+IzBMdMX11OLcECST5p/ASKGE
PlgrJ5c4qa9Hw3S2JnMxKY8gidWBLpISLZef7/ufJ3uECisQPxHFZrUbg4kD0f8J
2BG7tTaXzJ53UbFRXeJNj486A7QPk61kyS1Tr499vtOQYeTgOJUlV4DZfMh0DAwW
GIRg1Fnt2hcHSXEywIR8T3F0Ih1aKE69fLAip7FNGNXajm+Er7429SbmW7eIRJVl
DPxWDulZW2NLGmStpNsosY9UPIfIDjPL8pKYtl/Gf7W8tzzWUy77Yfj0Sg5mNmEE
T4jBrv6KisH1R9EexiOraBaxrGa5CpM+nvvN5YSBpP0eXOe5DR/ZYxURxgThOQ==
=k/n1
-----END PGP SIGNATURE-----