-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2023-007
CVE: CVE-2023-30501, CVE-2023-30502, CVE-2023-30503, CVE-2023-30504,
     CVE-2023-30505, CVE-2023-30506, CVE-2023-30507, CVE-2023-30508,
     CVE-2023-30509, CVE-2023-30510
Publication Date: 2023-May-23
Status: Confirmed
Severity: High
Revision: 1

Title
=====
Multiple Vulnerabilities in Aruba EdgeConnect Enterprise

Overview
========
Aruba has released patches for Aruba EdgeConnect Enterprise that address
multiple security vulnerabilities.

Affected Products
=================
- Aruba EdgeConnect Enterprise
  - ECOS 9.2.x.x: 9.2.3.0 and below
  - ECOS 9.1.x.x: 9.1.5.0 and below
  - ECOS 9.0.x.x: 9.0.8.0 and below
  - ECOS 8.x and below are affected and out of maintenance

Versions of Aruba EdgeConnect Enterprise that are end of life are affected
by these vulnerabilities unless otherwise indicated.

Unaffected Products
===================
Any other Aruba products not specifically listed above are not affected by
these vulnerabilities.

Details
=======
Authenticated Remote Code Execution in Aruba EdgeConnect Enterprise
Command Line Interface (CVE-2023-30501, CVE-2023-30502, CVE-2023-30503,
CVE-2023-30504, CVE-2023-30505, CVE-2023-30506)
---------------------------------------------------------------------
Vulnerabilities exist in the Aruba EdgeConnect Enterprise command line
interface that allow remote authenticated users to run arbitrary commands
on the underlying host. Successful exploitation of these vulnerabilities
results in the ability to execute arbitrary commands as root on the
underlying operating system, leading to complete system compromise.
Internal References: ATLSP-30, ATLSP-55, ATLSP-58, ATLSP-59, ATLSP-60,
ATLSP-62
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by
Daniel Jensen (@dozernz) and Erik de Jong (bugcrowd.com/erikdejong) via
Aruba's Bug Bounty Program.

Workaround: Block access to the ECOS command line interface from all
untrusted users.

Authenticated Remote Path Traversal in Aruba EdgeConnect Enterprise
Command Line Interface (CVE-2023-30507, CVE-2023-30508, CVE-2023-30509)
---------------------------------------------------------------------
Multiple authenticated path traversal vulnerabilities exist in the Aruba
EdgeConnect Enterprise command line interface. Successful exploitation of
these vulnerabilities results in the ability to read arbitrary files on
the underlying operating system, including sensitive system files.

Internal References: ATLSP-28, ATLSP-57, ATLSP-61
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery: These vulnerabilities were discovered and reported by
Daniel Jensen (@dozernz) and Erik de Jong (bugcrowd.com/erikdejong) via
Aruba's Bug Bounty Program.

Workaround: Block access to the ECOS command line interface from all
untrusted users.

Authenticated Server-side Request Forgery in Aruba EdgeConnect Enterprise
Web Management Interface (CVE-2023-30510)
---------------------------------------------------------------------
A vulnerability exists in the Aruba EdgeConnect Enterprise web management
interface that allows remote authenticated users to issue arbitrary URL
requests from the Aruba EdgeConnect Enterprise instance. The impact of
this vulnerability is limited to a subset of URLs, which can result in the
possible disclosure of data due to the network position of the Aruba
EdgeConnect Enterprise instance.
Internal References: ATLSP-42
Severity: Medium
CVSSv3 Overall Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Discovery: This vulnerability was discovered and reported by
Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.

Workaround: Block access to the Aruba EdgeConnect Web Management interface
from all untrusted users.

Resolution
==========
Upgrade Aruba EdgeConnect Enterprise to one of the following versions to
resolve all issues noted in the details section.

- Aruba EdgeConnect Enterprise
  - ECOS 9.3.x.x: 9.3.0.0 and above
  - ECOS 9.2.x.x: 9.2.4.0 and above
  - ECOS 9.1.x.x: 9.1.6.0 and above
  - ECOS 9.0.x.x: 9.0.9.0 and above

Aruba does not evaluate or patch product versions that have reached their
End of Support (EoS) milestone. Supported versions as of the publication
date of this advisory are:

- Aruba EdgeConnect Enterprise 9.3.x.x
- Aruba EdgeConnect Enterprise 9.2.x.x
- Aruba EdgeConnect Enterprise 9.1.x.x
- Aruba EdgeConnect Enterprise 9.0.x.x

Note: EdgeConnect release 9.0 reaches end of maintenance as of
June 20, 2023. ECOS 9.0.9.0 will be the last release in the 9.0 release
stream.

For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above.

Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code that targets
these specific vulnerabilities as of the release date of the advisory.
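The Affected Products and Resolution sections together define, per release stream, a last affected build and a first fixed build. The script below, an added example rather than anything shipped by Aruba, encodes those fixed releases and turns an ECOS version string into a patch decision for each appliance in an inventory. It assumes four-part dotted ECOS version numbers compare lexicographically by component, and it treats any build below a stream's fixed release as affected (the advisory names 9.2.3.0 and 9.2.4.0 as the boundary builds, so this is the conservative reading for any build between them). The inventory and hostnames are constructed sample data.

```python
"""Triage helper for ARUBA-PSA-2023-007: is this ECOS version affected, and
which fixed release should it move to?  Added example, not Aruba's code."""
import re
from typing import NamedTuple, Optional

# First fixed release per stream, from the advisory's Resolution section.
FIXED_BY_STREAM = {
    (9, 3): (9, 3, 0, 0),
    (9, 2): (9, 2, 4, 0),
    (9, 1): (9, 1, 6, 0),
    (9, 0): (9, 0, 9, 0),
}
# Streams with no fix (8.x and below) are out of maintenance; the only
# remedy the advisory offers is moving to a supported, fixed stream.
NEWEST_FIXED = (9, 3, 0, 0)


class Verdict(NamedTuple):
    version: tuple
    affected: bool
    reason: str
    upgrade_to: Optional[tuple]  # None when no upgrade is needed


def fmt(v: tuple) -> str:
    return ".".join(str(x) for x in v)


def parse_ecos_version(text: str) -> tuple:
    """Extract the first dotted version from text ('ECOS 9.2.3.0', '9.1.5')
    as a 4-tuple of ints; omitted trailing components are treated as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def assess(text: str) -> Verdict:
    """Decide affected/not affected for one appliance's version string."""
    v = parse_ecos_version(text)
    stream = v[:2]
    if stream in FIXED_BY_STREAM:
        fixed = FIXED_BY_STREAM[stream]
        if v >= fixed:
            return Verdict(v, False,
                           f"{fmt(v)} is at or above fixed release {fmt(fixed)}",
                           None)
        # Assumption: every build below the stream's fixed release is affected.
        return Verdict(v, True,
                       f"{fmt(v)} is below fixed release {fmt(fixed)}", fixed)
    if v >= NEWEST_FIXED:
        # A stream newer than any listed (e.g. 9.4.x) is above 9.3.0.0.
        return Verdict(v, False,
                       f"{fmt(v)} is above {fmt(NEWEST_FIXED)}", None)
    return Verdict(v, True,
                   f"{fmt(v)} is in an affected, out-of-maintenance stream "
                   "with no patch", NEWEST_FIXED)


def triage(inventory: dict) -> list:
    """Return (hostname, verdict) for every appliance that needs an upgrade,
    worst (oldest) version first."""
    todo = [(host, assess(ver)) for host, ver in inventory.items()]
    todo = [(h, v) for h, v in todo if v.affected]
    return sorted(todo, key=lambda item: item[1].version)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ec-branch-01": "ECOS 9.2.3.0",
    "ec-branch-02": "ECOS 9.2.4.0",
    "ec-dc-01": "ECOS 9.1.5.0",
    "ec-dc-02": "ECOS 9.0.9.0",
    "ec-lab-01": "ECOS 8.3.2.1",
    "ec-hub-01": "ECOS 9.3.1.0",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}: {verdict.reason}; upgrade to {fmt(verdict.upgrade_to)}")
```

Because the advisory also states that 9.0 reaches end of maintenance on June 20, 2023, appliances that this script sends to 9.0.9.0 should be scheduled onward to a longer-lived stream rather than left there; until the upgrade lands, the Workaround section's restriction of CLI and web management to a dedicated management segment is the compensating control.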
Revision History
================
Revision 1 / 2023-May-23 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmQ9vqIXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtmrmgf/cYwQx7FB0obEQ+mmn2TWpiU5
jCnkqYiy+eJ5Gp68yodtoKBGXC0q8/CfHUTvV554HukGDp+o5UoejXNsPRHIn2eF
heRjcYjw9qavBpA8tUMKpRDk8y0h4yXBzPekCstpnnPFqkmDnuX/k6Ozq8WlJdSr
JgQWSIEq+gUJL+jFecSgtnlAPQKTbxmb5zHsdRWcw/5bkgsiETFRi4CXciuC75Jl
8yd/LXjCxaQBH0IjvZ4uN2lv36Q1yOFDUtlwSX7hXKkbkqLInaoFlyY7GES4lB9R
bd5J9eNfEA41c82cwt7zG6vul02rYOfqR9NLCtLcIgyBgEoCNx+V9QmaCosw0Q==
=gWJz
-----END PGP SIGNATURE-----