-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2023-006
CVE: CVE-2023-22779, CVE-2023-22780, CVE-2023-22781, CVE-2023-22782,
     CVE-2023-22783, CVE-2023-22784, CVE-2023-22785, CVE-2023-22786,
     CVE-2023-22787, CVE-2023-22788, CVE-2023-22789, CVE-2023-22790,
     CVE-2023-22791
Publication Date: 2023-May-09
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
Aruba Access Points Multiple Vulnerabilities

Overview
========
Aruba has released patches for Aruba access points running InstantOS and
ArubaOS 10 that address multiple security vulnerabilities.

Affected Products
=================
Aruba Access Points running InstantOS and ArubaOS 10

Affected Software Versions:
- ArubaOS 10.3.x: 10.3.1.0 and below
- Aruba InstantOS 8.10.x: 8.10.0.4 and below
- Aruba InstantOS 8.6.x: 8.6.0.19 and below
- Aruba InstantOS 6.5.x: 6.5.4.23 and below
- Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below

The following InstantOS software versions that are End of Life are
affected by these vulnerabilities and are not patched by this advisory:
- InstantOS 8.9.x: all
- InstantOS 8.8.x: all
- InstantOS 8.7.x: all
- InstantOS 8.5.x: all
- InstantOS 8.4.x: all

Please note that specific vulnerabilities listed below were not able to
be patched in all supported software versions. See the Resolution
section at the end of this document for further detail.

Unaffected Products
===================
Aruba Mobility Conductor, Aruba Mobility Controllers, Access-Points when
managed by Mobility Controllers and Aruba SD-WAN Gateways are not
affected by these vulnerabilities. Aruba Instant On is also not affected
by these vulnerabilities.
Details
=======
Unauthenticated Buffer Overflow Vulnerabilities in Services Accessed by
the PAPI Protocol (CVE-2023-22779, CVE-2023-22780, CVE-2023-22781,
CVE-2023-22782, CVE-2023-22783, CVE-2023-22784, CVE-2023-22785,
CVE-2023-22786)
--------------------------------------------------------------
There are buffer overflow vulnerabilities in multiple underlying
services that could lead to unauthenticated remote code execution by
sending specially crafted packets destined for the PAPI (Aruba's access
point management protocol) UDP port (8211). Successful exploitation of
these vulnerabilities results in the ability to execute arbitrary code
as a privileged user on the underlying operating system.

Internal References: ATLWL-148, ATLWL-251, ATLWL-296, ATLWL-297,
                     ATLWL-298, ATLWL-301, ATLWL-304, ATLWL-329
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via Aruba's bug bounty program.

Resolution:
Please note that due to the structure of these specific vulnerabilities
Aruba was able to patch them only in the following branches:
- ArubaOS 10.4.x: 10.4.0.0 and above
- Aruba InstantOS 8.11.x: 8.11.0.0 and above
- Aruba InstantOS 8.10.x: 8.10.0.3 and above
Older branches and branches not specifically named are not patched.
Customers unable to upgrade should consult the workaround section.

Workaround:
Enabling cluster-security via the cluster-security command will prevent
the vulnerabilities from being exploited in Aruba InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks. Please contact Aruba Support for configuration assistance.
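The workaround above reduces to a single reachability rule: UDP/8211 on the access points should be reachable only from trusted management networks. The Python script below, added here as an example and not part of Aruba's advisory or software, checks firewall flow records for violations of that rule and separates flows the firewall let through ("exposed", the workaround is not in place) from flows it dropped ("blocked", the policy works but the source is still worth noting). The CSV record layout, the trusted subnet 10.10.0.0/24 and the sample records are all constructed for the example; a real firewall export needs its own parser.

```python
"""Flag PAPI (UDP/8211) flows that reach access points from untrusted networks.

Added example, not part of Aruba's advisory. The CSV record layout, the
trusted management subnet and the sample records are constructed for
illustration; real firewall exports need their own parser.
"""
import csv
import ipaddress
from io import StringIO

PAPI_PORT = 8211          # UDP port named in the advisory
PAPI_PROTO = "udp"

# Assumption: the only networks that should speak PAPI to the APs.
TRUSTED_MGMT = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed flow records: timestamp,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2023-05-10T08:00:01Z,10.10.0.5,10.10.0.20,udp,8211,allow
2023-05-10T08:00:02Z,192.0.2.44,10.10.0.20,udp,8211,allow
2023-05-10T08:00:03Z,192.0.2.44,10.10.0.20,udp,8211,deny
2023-05-10T08:00:04Z,198.51.100.7,10.10.0.21,tcp,443,allow
2023-05-10T08:00:05Z,10.10.0.6,10.10.0.21,udp,8211,allow
2023-05-10T08:00:06Z,203.0.113.9,10.10.0.22,udp,8211,allow
"""

FIELDS = ["ts", "src", "dst", "proto", "dport", "action"]


def is_trusted(src, trusted=TRUSTED_MGMT):
    """True when the source address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted)


def is_papi_flow(rec):
    """True for a UDP flow to the PAPI port, regardless of source."""
    return rec["proto"].lower() == PAPI_PROTO and int(rec["dport"]) == PAPI_PORT


def find_untrusted_papi(text, trusted=TRUSTED_MGMT):
    """Return findings for PAPI flows whose source is outside the trusted networks.

    'exposed' = the firewall allowed the packet (workaround not enforced),
    'blocked' = the firewall dropped it (policy works, source still of interest).
    """
    findings = []
    for rec in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        if not is_papi_flow(rec) or is_trusted(rec["src"], trusted):
            continue
        verdict = "exposed" if rec["action"].lower() == "allow" else "blocked"
        findings.append({"ts": rec["ts"], "src": rec["src"],
                         "dst": rec["dst"], "verdict": verdict})
    return findings


def summarize(findings):
    """Collect the distinct offending sources per verdict."""
    summary = {"exposed": set(), "blocked": set()}
    for f in findings:
        summary[f["verdict"]].add(f["src"])
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    found = find_untrusted_papi(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['ts']} {f['src']} -> {f['dst']} udp/{PAPI_PORT}: {f['verdict']}")
    print(summarize(found))
```

Any "exposed" entry means an untrusted network can reach the vulnerable service on that AP, which is exactly the condition the advisory says must not exist on ArubaOS 10 units that cannot be upgraded.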
Unauthenticated Denial of Service (DoS) in Aruba InstantOS or ArubaOS 10
Service Accessed via the PAPI Protocol (CVE-2023-22787)
---------------------------------------------------------------------
An unauthenticated Denial of Service (DoS) vulnerability exists in a
service accessed via the PAPI protocol provided by Aruba InstantOS and
ArubaOS 10. Successful exploitation of this vulnerability results in
the ability to interrupt the normal operation of the affected access
point.

Internal Reference: ATLWL-307
Severity: High
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery:
This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via Aruba's bug bounty program.

Workaround:
Access to port UDP/8211 must be blocked from all untrusted networks.
Please contact Aruba Support for configuration assistance.

Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS 10
Command Line Interface (CVE-2023-22788, CVE-2023-22789, CVE-2023-22790)
---------------------------------------------------------------------
Multiple authenticated command injection vulnerabilities exist in the
Aruba InstantOS and ArubaOS 10 command line interface. Successful
exploitation of these vulnerabilities results in the ability to execute
arbitrary commands as a privileged user on the underlying operating
system.

Internal References: ATLWL-305, ATLWL-306, ATLWL-309
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Daniel Jensen
(@dozernz) via Aruba's bug bounty program.

Workaround:
See the Workaround section at the end of this document.
Aruba InstantOS and ArubaOS 10 Sensitive Information Disclosure
(CVE-2023-22791)
---------------------------------------------------------------------
A vulnerability exists in Aruba InstantOS and ArubaOS 10 where an
edge-case combination of network configuration, a specific WLAN
environment and an attacker already possessing valid user credentials
on that WLAN can lead to sensitive information being disclosed via the
WLAN. The scenarios in which this disclosure of potentially sensitive
information can occur are complex and depend on factors that are beyond
the control of the attacker.

Internal Reference: ATLWL-241
Severity: Medium
CVSSv3 Overall Score: 5.4
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Discovery:
This vulnerability was discovered by Zack Colgan of ClearBearing.

Workaround:
None

Resolution
==========
PLEASE NOTE - To fully patch the PAPI vulnerabilities disclosed above
customers must upgrade to the following versions:
- ArubaOS 10.4.x: 10.4.0.0 and above
- Aruba InstantOS 8.11.x: 8.11.0.0 and above
- Aruba InstantOS 8.10.x: 8.10.0.3 and above

For those who implement the cluster-security workarounds documented in
the detail sections above, all other vulnerabilities except for the PAPI
buffer overflow vulnerabilities are addressed by upgrading to the
following versions:
- ArubaOS 10.4.x: 10.4.0.0 and above
- ArubaOS 10.3.x: 10.3.1.1 and above
- Aruba InstantOS 8.10.x: 8.10.0.5 and above
- Aruba InstantOS 8.6.x: 8.6.0.20 and above
- Aruba InstantOS 6.5.x: 6.5.4.24 and above
- Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.21 and above

Aruba does not evaluate or patch Aruba InstantOS and ArubaOS 10
software branches that have reached their End of Support (EoS)
milestone.
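The two version tables above are easy to misread: an 8.10.0.4 unit is past the PAPI threshold (8.10.0.3) but short of the one for the remaining CVEs (8.10.0.5), while 10.3.1.1 fixes the remaining CVEs but not the PAPI overflows, and the End-of-Life 8.4.x to 8.9.x trains get no fix at all. The Python script below, added here as an example and not taken from Aruba, encodes the Affected Products, End-of-Life and Resolution lists exactly as printed in this advisory and triages a firmware inventory against them. The inventory lines are constructed, and the way it compares the dash-separated 6.4.x versions (the dotted part first, then the build after the dash) is an assumption about that numbering scheme.

```python
"""Triage Aruba AP firmware versions against ARUBA-PSA-2023-006.

Added example, not part of Aruba's advisory or software. The version
thresholds are those printed in the advisory's Affected Products and
Resolution sections; the inventory lines are constructed sample data.
"""

# Branches listed as affected, with the last affected version on each
AFFECTED_CAP = {
    (10, 3): "10.3.1.0",
    (8, 10): "8.10.0.4",
    (8, 6): "8.6.0.19",
    (6, 5): "6.5.4.23",
    (6, 4): "6.4.4.8-4.2.4.20",
}
# End-of-Life branches: affected in every version, no patch available
EOL_BRANCHES = {(8, 9), (8, 8), (8, 7), (8, 5), (8, 4)}
# First version fixing the PAPI buffer overflows (CVE-2023-22779 to -22786)
PAPI_FIXED = {(10, 4): "10.4.0.0", (8, 11): "8.11.0.0", (8, 10): "8.10.0.3"}
# First version fixing the remaining CVEs (DoS, CLI injection, disclosure)
OTHER_FIXED = {
    (10, 4): "10.4.0.0",
    (10, 3): "10.3.1.1",
    (8, 10): "8.10.0.5",
    (8, 6): "8.6.0.20",
    (6, 5): "6.5.4.24",
    (6, 4): "6.4.4.8-4.2.4.21",
}


def parse_version(text):
    """'6.4.4.8-4.2.4.21' -> ((6,4,4,8), (4,2,4,21)); '8.10.0.4' -> ((8,10,0,4), ()).

    Assumption: the part after the dash is a build number that only matters
    when the dotted part is equal, so it is compared second.
    """
    main, _, build = text.strip().partition("-")
    ints = lambda part: tuple(int(x) for x in part.split(".")) if part else ()
    return (ints(main), ints(build))


def _status(version, fixed_table, unpatched_branches):
    v = parse_version(version)
    branch = v[0][:2]                  # e.g. (8, 10) for 8.10.x
    if branch in EOL_BRANCHES:
        return "vulnerable-eol"
    if branch in fixed_table:
        return "patched" if v >= parse_version(fixed_table[branch]) else "vulnerable"
    if branch in unpatched_branches:
        return "vulnerable"            # affected branch with no fix for this class
    return "not-listed"                # branch the advisory does not name


def triage(version):
    """Return the PAPI and non-PAPI patch status of one firmware version."""
    return {
        # 10.3, 8.6, 6.5 and 6.4 are affected but carry no PAPI fix at all
        "papi": _status(version, PAPI_FIXED, set(AFFECTED_CAP)),
        "other": _status(version, OTHER_FIXED, set()),
    }


# Constructed inventory: name,version
SAMPLE_INVENTORY = """\
ap-lobby-01,8.10.0.4
ap-floor2-03,10.3.1.0
ap-warehouse,6.4.4.8-4.2.4.20
ap-lab,10.4.0.0
ap-legacy,8.9.0.0
"""


def triage_inventory(text):
    """Attach both statuses to every inventory row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split(",")
        rows.append({"name": name, "version": version, **triage(version)})
    return rows


def needs_papi_workaround(rows):
    """APs still needing cluster-security or UDP/8211 filtering.

    Anything not confirmed patched, including branches the advisory does
    not name, is flagged conservatively.
    """
    return [r["name"] for r in rows if r["papi"] != "patched"]


if __name__ == "__main__":
    rows = triage_inventory(SAMPLE_INVENTORY)
    for r in rows:
        print(f"{r['name']:14} {r['version']:18} papi={r['papi']:15} other={r['other']}")
    print("need PAPI workaround:", needs_papi_workaround(rows))
```

The split into two statuses is the point: a fleet reported as "patched" against the advisory's Resolution list for the DoS and CLI issues can still contain units that are wide open to the unauthenticated PAPI overflows, and those are the ones that must keep the cluster-security or UDP/8211 filtering workaround in place.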
For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above. Vulnerability
specific workarounds are listed per vulnerability above.

Please note that this advisory contains specific workarounds and
patching instructions for critical security vulnerabilities. Contact
Aruba Support for any configuration assistance.

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that
targets these specific vulnerabilities as of the publication of this
advisory.

Revision History
================
Revision 1 / 2023-May-09 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmRY/X0XHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtl1ewf/UxLH1SuqCm0xqgGlQRBVCPnS
G9g7naBuu0RtTFTjgdcJfgcyYP6t62e3zv4YTEXkK8nOJpO8aEgkhAm4n5KS5UqQ
Z7v9fPCXdqgdC6jjPebkumPuQiu3buod0xvZYE/ceod9cjeroiPG9DtWeXJwp2HQ
9CMXeE+DapkC3Apvi2u1X2GJcgx+wiWA/JQgBc2eixhTjME3NLAqiLFGgYzrcXkJ
pnqJC0t454Pd9gzUNO4fqbcSXgAQhSEDi2RF2+/OSqX1QgvcerJo8iJHpjP+Vs/v
rmPm2Q4dYugS8rZbxYCuttk5M7kOTvNJc6nhJZjGmvRIInxCx30pn5NtFx6ZiA==
=C/Yf
-----END PGP SIGNATURE-----