Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2023-004
CVE: CVE-2023-1168
Publication Date: 2023-Mar-21
Status: Confirmed
Severity: High
Revision: 1

Title
=====
Authenticated Remote Code Execution in Aruba CX Switches

Overview
========
Aruba has released updates for wired switch products running AOS-CX that
address a security vulnerability in the Network Analytics Engine (NAE).

Affected Products
=================
Customers using the following switch models and firmware versions are
affected by the vulnerability listed in this advisory.

Aruba Switch Models:
- Aruba CX 10000 Switch Series
- Aruba CX 9300 Switch Series
- Aruba CX 8400 Switch Series
- Aruba CX 8360 Switch Series
- Aruba CX 8325 Switch Series
- Aruba CX 8320 Switch Series
- Aruba CX 6400 Switch Series
- Aruba CX 6300 Switch Series
- Aruba CX 6200F Switch Series

Software Branch Versions:
- AOS-CX 10.10.xxxx: 10.10.1020 and below.
- AOS-CX 10.09.xxxx: 10.09.1020 and below.
- AOS-CX 10.08.xxxx: 10.08.1070 and below.
- AOS-CX 10.06.xxxx: 10.06.0230 and below.

All other AOS-CX software versions that are not listed under the Resolution
section are unsupported and considered to be affected. Software branch
versions of AOS-CX that are end of life are affected by this vulnerability
unless otherwise indicated.

Unaffected Products
===================
Any other Aruba products not listed above, including AOS-S Switches, Aruba
Intelligent Edge Switches, and HPE OfficeConnect Switches, are not affected
by this vulnerability.

Details
=======
Authenticated Remote Code Execution in AOS-CX Network Analytics Engine
(NAE) (CVE-2023-1168)
---------------------------------------------------------------------
An authenticated remote code execution vulnerability exists in the AOS-CX
Network Analytics Engine.
Successful exploitation of this vulnerability results in the ability to
execute arbitrary code as a privileged user on the underlying operating
system, leading to a complete compromise of the switch running AOS-CX.

Internal reference: ATLAX-69
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Daniel Jensen (@dozernz)
via Aruba's Bug Bounty Program.

Resolution
==========
In order to address the vulnerability in the affected release branches and
switch platforms described above, it is recommended to upgrade the software
to one of the following versions (as applicable):
- AOS-CX 10.11.xxxx: 10.11.0001 and above.
- AOS-CX 10.10.xxxx: 10.10.1030 and above.
- AOS-CX 10.06.xxxx: 10.06.0240 and above.

Aruba does not evaluate or patch AOS-CX firmware versions that have reached
their End of Support (EoS) milestone. Supported versions as of the
publication date of this advisory are:
- AOS-CX 10.11.xxxx
- AOS-CX 10.10.xxxx
- AOS-CX 10.06.xxxx

For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting this vulnerability,
Aruba recommends that the CLI and web-based management interfaces be
restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall
policies at layer 3 and above. Contact Aruba TAC for any configuration
assistance.

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that targets
this specific vulnerability as of the release date of the advisory.
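The Affected Products and Resolution sections above amount to one rule: a build is fixed only if its branch is listed under Resolution and it is at or above the fixed build; every other build, including those on unlisted or end-of-life branches, is affected. The following is an added example, not part of the advisory or Aruba's own tooling, that applies that rule to a constructed firmware inventory (the hostnames and function names are assumptions).

```python
# Classify AOS-CX firmware against ARUBA-PSA-2023-004 (CVE-2023-1168). Rule from
# the advisory: a version is fixed only if its branch is listed under Resolution
# and the build is at or above the fixed build; everything else (older builds,
# unlisted or end-of-life branches) is treated as affected.
FIXED_VERSIONS = {  # lowest fixed build per supported branch (Resolution section)
    "10.11": "10.11.0001",
    "10.10": "10.10.1030",
    "10.06": "10.06.0240",
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '10.10.1020' into (10, 10, 1020) so builds compare numerically."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS-CX version string: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def assess(version: str) -> tuple[bool, str]:
    """Return (affected, advice) for one switch's firmware version."""
    major, minor, _ = parse_version(version)
    branch = f"{major}.{minor:02d}"          # e.g. (10, 6, 230) -> "10.06"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Branch absent from Resolution: unsupported/EoL, so considered affected.
        return True, "branch has no fix; move to a supported branch"
    if parse_version(version) >= parse_version(fixed):
        return False, "at or above fixed build"
    return True, f"upgrade to {fixed} or later"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each affected hostname to its advice; clean hosts are omitted."""
    report = {}
    for host, version in inventory.items():
        affected, advice = assess(version)
        if affected:
            report[host] = f"{version}: {advice}"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"core-sw1": "10.10.1020", "core-sw2": "10.10.1030",
              "edge-sw1": "10.09.1010", "lab-sw1": "10.11.0001"}
    for host, line in triage(sample).items():
        print(f"{host}: {line}")
```

Feed it the version strings from `show version` across the fleet to get the list of switches that still need the upgrade or the branch move.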
Revision History
================
Revision 1 / 2023-Mar-21 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.