-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2023-005 CVE: CVE-2022-47522 Publication Date: 2023-Mar-30 Last Update: 2023-Oct-19 Status: Confirmed Severity: Low Revision: 3 Title ===== Bypassing Wi-Fi Encryption by Manipulating Transmit Queues Overview ======== Vulnerabilities that affect the way access points handle the queues of Wi-Fi frames have been published on March 27, 2023. The published paper can be found at https://papers.mathyvanhoef.com/usenix2023-wifi.pdf Affected Products ================= - ArubaOS Wi-Fi Controllers and Campus/ Remote Access Points - Aruba InstantOS / Aruba Access Points running ArubaOS 10 - Aruba Instant On Access Points See Details section for Affected Versions Unaffected Products =================== - AirWave Management Platform - Aruba Analytics and Location Engine - Aruba Central / Central On-Premises - ArubaOS SD-Branch and WLAN Gateways - All Versions - Aruba Instant On Switches - Aruba Wireless Bridge 501 - Aruba ClearPass Policy Manager - Aruba IntroSpect - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM) - Aruba NetEdit - Aruba User Experience Insight (UXI) - ArubaOS-CX Switches - ArubaOS-S Switches - HP ProCurve Switches - Aruba VIA Client - Aruba EdgeConnect Enterprise Orchestrator (on-premises) - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service - Aruba EdgeConnect Enterprise Orchestrator-SP - Aruba EdgeConnect Enterprise (ECOS) Other Aruba products not listed above are also not known to be affected by these vulnerabilities. Details ======= The paper specifically mentions certain Aruba WLAN products running ArubaOS version 8.4.0.0 as affected. After further investigation, Aruba separates the vulnerabilities described in the paper in the following 3 scenarios: 1) Exploiting Power Save Features: No Aruba Products are vulnerable to this scenario. 2) Security Context Override (SCO): All versions of the Aruba products listed under the Affected Products section are vulnerable to this attack. An attacker needs to be authenticated to the Wi-Fi network using valid credentials before being able to carry out the attack. This would imply that the vulnerability requires an insider threat to be exploited. Data encryption such as TLS prevents the disclosure of sensitive information or allowing an attacker to steal the victims session. 3) Fast Reconnect Attack: The following Aruba products and versions are affected: - ArubaOS Wi-Fi Controllers and Campus/ Remote Access Points - 8.9.0.3 and below - 8.6.0.20 and below - Aruba InstantOS / Aruba Access Points running ArubaOS 10 - 10.3.1.0 and below - 8.9.0.3 and below - 8.8.0.3 and below - 8.7.1.11 and below - 8.6.0.18 and below - 6.5.4.23 and below - 6.4.4.8-4.2.4.20 and below - Aruba Instant On Access Points - 2.8 and below The published paper can be found at https://papers.mathyvanhoef.com/usenix2023-wifi.pdf Resolution ========== The following firmware versions address the Fast Reconnect attack: ArubaOS Wi-Fi Controllers and Gateways - 8.10.0.0 and above - 8.6.0.21 and above (Release ETA - Late April 2023) Aruba InstantOS / Aruba Access Points running ArubaOS 10 - 10.3.1.1 and above - 8.10.0.0 and above - 8.6.0.19 and above - 6.5.4.24 and above - 6.4.4.8-4.2.4.21 and above Aruba Instant On Access Points - 2.9 and above - Please note this will auto-update in Early October 2023. Customer action is not required. Aruba does not evaluate or patch product versions that have reached their End of Development milestone. For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== None. Exploitation and Public Discussion ================================== These vulnerabilities are being widely discussed in public. The paper specifically mentions certain Aruba WLAN products running ArubaOS version 8.4.0.0 as affected. Discovery ========= These vulnerabilities were discovered by Dr. Mathy Vanhoef, Domien Schepers and Aanjhan Ranganathan. Revision History ================ Revision 1 / 2023-Mar-30 / Initial release Revision 2 / 2023-Apr-04 / Updated Overview, Affected Products, Unaffected Products, Details, Resolution and Workaround sections Revision 3 / 2023-Oct-19 / Updated Resolution Information Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2023 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmT59fAXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtm6uwf+Kuqh2nOpqkkyorLO/p3QbVqc rEzQUvcNWH0YqKlc5/IbJVSnbW+VVlgcyoUpIZrbwR4LVvRLj1fo2OdyZ3dmmwFC FusCzx7JLQ2Kg/EU5nO9joAhff4E7eV70S5JPE7djzKACnys1jRV9/H5MmaMGXol RfxEJ8EGTzwC9j9S5Ve7fU29RDpR0ADmNjDFBdnUJcRENfFYcgLCKGUQeblC/WSV rEjS9RtN0712KbI4eSb8iWY2kzimrUiiKvwBrDIQRZd7ELxI8nEHck9aO82z2EcC YxSA+TzfWpleHzThnZxy3ICn5Dt+j5NORMd3wgqDMJzymWdMgSO0sqU/usAGuA== =X03C -----END PGP SIGNATURE-----