HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2023-008
CVE: CVE-2023-35971, CVE-2023-35972, CVE-2023-35973, CVE-2023-35974,
     CVE-2023-35975, CVE-2023-35976, CVE-2023-35977, CVE-2023-35978,
     CVE-2023-35979
Publication Date: 2023-Jul-11
Status: Confirmed
Severity: High
Revision: 1

Title
=====
ArubaOS Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for ArubaOS that address
multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Affected Software Versions:
- ArubaOS 10.4.x.x: 10.4.0.1 and below
- ArubaOS 8.11.x.x: 8.11.1.0 and below
- ArubaOS 8.10.x.x: 8.10.0.6 and below
- ArubaOS 8.6.x.x: 8.6.0.20 and below

The following ArubaOS and SD-WAN software versions that are End of Support
are affected by these vulnerabilities and are not patched by this advisory:
- ArubaOS 8.9.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all

Details
=======

Unauthenticated Stored Cross-Site Scripting (XSS) in ArubaOS Web-based
Management Interface (CVE-2023-35971)
---------------------------------------------------------------------
A vulnerability in the ArubaOS web-based management interface could allow
an unauthenticated remote attacker to conduct a stored cross-site scripting
(XSS) attack against a user of the interface. A successful exploit could
allow an attacker to execute arbitrary script code in a victim's browser in
the context of the affected interface.
Internal Reference: ATLWL-311
Severity: High
CVSSv3 Overall Score: 8.8
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by 123ojp
(bugcrowd.com/123ojp) via HPE Aruba Networking's Bug Bounty Program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the web-based management interfaces be
restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall
policies at layer 3 and above.

Authenticated Remote Command Execution in ArubaOS Web-based Management
Interface (CVE-2023-35972)
---------------------------------------------------------------------
An authenticated remote command injection vulnerability exists in the
ArubaOS web-based management interface. Successful exploitation of this
vulnerability results in the ability to execute arbitrary commands as a
privileged user on the underlying operating system. This allows an attacker
to fully compromise the underlying operating system on the device running
ArubaOS.

Internal Reference: ATLWL-239
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Daniel Jensen (@dozernz)
via HPE Aruba Networking's Bug Bounty Program.

Workaround:
Block access to the ArubaOS web-based management interface from all
untrusted users.

Authenticated Remote Command Execution in the ArubaOS Command Line
Interface (CVE-2023-35973, CVE-2023-35974)
---------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the ArubaOS
command line interface. Successful exploitation of these vulnerabilities
results in the ability to execute arbitrary commands as a privileged user
on the underlying operating system.
Internal Reference: ATLWL-333, ATLWL-334
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via HPE Aruba Networking's Bug Bounty Program.

Workaround:
Block access to the ArubaOS command line interface from all untrusted
users.

Authenticated Path Traversal in ArubaOS Command Line Interface Allows for
Arbitrary File Deletion (CVE-2023-35975)
---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in the ArubaOS command
line interface. Successful exploitation of this vulnerability results in the
ability to delete arbitrary files in the underlying operating system.

Internal Reference: ATLWL-335
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via HPE Aruba Networking's Bug Bounty Program.

Workaround:
Block access to the ArubaOS command line interface from all untrusted
users.

Authenticated Sensitive Information Disclosure in ArubaOS Command Line
Interface (CVE-2023-35976, CVE-2023-35977)
---------------------------------------------------------------------
Vulnerabilities exist which allow an authenticated attacker to access
sensitive information on the ArubaOS command line interface. Successful
exploitation could allow access to data beyond what is authorized by the
user's existing privilege level.

Internal Reference: ATLWL-336, ATLWL-337
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Discovery:
These vulnerabilities were discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via HPE Aruba Networking's Bug Bounty Program.

Workaround:
Block access to the ArubaOS command line interface from all untrusted
users.
Reflected Cross-Site Scripting (XSS) in ArubaOS Web-based Management
Interface (CVE-2023-35978)
---------------------------------------------------------------------
A vulnerability in ArubaOS could allow an unauthenticated remote attacker
to conduct a reflected cross-site scripting (XSS) attack against a user of
the web-based management interface. A successful exploit could allow an
attacker to execute arbitrary script code in a victim's browser in the
context of the affected interface.

Internal Reference: ATLWL-340
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Discovery:
This vulnerability was discovered and reported by haidv35 from Viettel
Cyber Security via HPE Aruba Networking's Bug Bounty Program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
Aruba recommends that the web-based management interfaces be restricted to
a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at
layer 3 and above.

Unauthenticated Buffer Overflow Vulnerability in ArubaOS Web-Based
Management Interface (CVE-2023-35979)
---------------------------------------------------------------------
There is an unauthenticated buffer overflow vulnerability in the process
controlling the ArubaOS web-based management interface. Successful
exploitation of this vulnerability results in a Denial-of-Service (DoS)
condition affecting the web-based management interface of the controller.

Internal Reference: ATLWL-332
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery:
This vulnerability was discovered and reported by the technical staff at
Northwestern University.

Workaround:
Block access to the ArubaOS web-based management interface from all
untrusted users.
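A fleet-triage script for this advisory, written here as an added example and not part of the advisory itself: it encodes the "Affected Software Versions" and "Resolution" thresholds stated in this document, treats the End of Support branches as affected with no patch available, and flags any branch the advisory does not evaluate rather than assuming it is fixed. The hostnames and versions in the sample inventory are constructed, and SD-WAN builds are not modelled.

```python
"""Triage an ArubaOS inventory against ARUBA-PSA-2023-008 (added example).

Thresholds are transcribed from the advisory's "Affected Software Versions"
and "Resolution" sections. SD-WAN builds are not modelled; the inventory
at the bottom is constructed for illustration.
"""

# Supported branch -> first build that carries the fix ("X and above").
FIRST_FIXED = {
    (10, 4): (10, 4, 0, 2),
    (8, 11): (8, 11, 1, 1),
    (8, 10): (8, 10, 0, 7),
    (8, 6): (8, 6, 0, 21),
}
# End of Support branches: every build is affected and none will be patched.
EOS_PREFIXES = ((8, 9), (8, 8), (8, 7), (6, 5, 4))


def parse_version(text: str) -> tuple:
    """'8.10.0.6' -> (8, 10, 0, 6); shorter strings are zero-padded to 4 parts."""
    parts = text.strip().split(".")
    if not 1 < len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted ArubaOS version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def classify(version: str) -> str:
    """Return 'fixed', 'affected', 'affected-eos' or 'not-covered'."""
    v = parse_version(version)
    if any(v[: len(p)] == p for p in EOS_PREFIXES):
        return "affected-eos"  # only remedy is moving to a supported branch
    first_fixed = FIRST_FIXED.get(v[:2])
    if first_fixed is None:
        return "not-covered"  # branch not evaluated by this advisory
    return "fixed" if v >= first_fixed else "affected"


def triage(inventory: dict) -> dict:
    """Group device names by status so the 'affected*' buckets can be actioned."""
    report = {}
    for name, version in inventory.items():
        report.setdefault(classify(version), []).append(name)
    return report


if __name__ == "__main__":
    SAMPLE = {  # constructed hostnames and versions, for illustration only
        "mc-dc1-01": "8.10.0.6",   # last affected build on 8.10.x.x
        "mc-dc1-02": "8.10.0.7",   # first fixed build on 8.10.x.x
        "gw-branch-7": "8.7.1.9",  # End of Support: affected, no patch
        "mc-lab": "10.4.0.1",
    }
    for status, names in sorted(triage(SAMPLE).items()):
        print(f"{status:13s} {', '.join(names)}")
```

A "not-covered" result (for example a branch released after this advisory) means the advisory says nothing about it, so check the vendor's later bulletins rather than treating it as patched.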
Resolution
==========
Upgrade Mobility Controllers, Mobility Conductors and Gateways to one of
the following ArubaOS versions (as applicable) to resolve all the
vulnerabilities described in the details section:
- ArubaOS 10.4.x.x: 10.4.0.2 and above
- ArubaOS 8.11.x.x: 8.11.1.1 and above
- ArubaOS 8.10.x.x: 8.10.0.7 and above
- ArubaOS 8.6.x.x: 8.6.0.21 and above

HPE Aruba Networking does not evaluate or patch ArubaOS branches that have
reached their End of Support (EoS) milestone. For more information about
Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these vulnerabilities,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above. Vulnerability-specific
workarounds are listed per vulnerability above.

Contact HPE Services - Aruba Networking for any configuration assistance.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code
that targets these specific vulnerabilities as of the publishing date of
this advisory.

Revision History
================
Revision 1 / 2023-Jul-11 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.