-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2023-009
CVE: CVE-2022-25667, CVE-2023-35980, CVE-2023-35981, CVE-2023-35982
Publication Date: 2023-Jul-25
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
Aruba Access Points Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for Aruba access points running
InstantOS and ArubaOS 10 that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
 - Aruba Access Points running InstantOS and ArubaOS 10

Affected Software Versions:
 - ArubaOS 10.4.x.x: 10.4.0.1 and below
 - InstantOS 8.11.x.x: 8.11.1.0 and below
 - InstantOS 8.10.x.x: 8.10.0.6 and below
 - InstantOS 8.6.x.x: 8.6.0.20 and below
 - InstantOS 6.5.x.x: 6.5.4.24 and below
 - InstantOS 6.4.x.x: 6.4.4.8-4.2.4.21 and below

The following software versions that are End of Support are affected by
these vulnerabilities and are not patched by this advisory:
 - ArubaOS 10.3.x.x: all
 - InstantOS 8.9.x.x: all
 - InstantOS 8.8.x.x: all
 - InstantOS 8.7.x.x: all
 - InstantOS 8.5.x.x: all
 - InstantOS 8.4.x.x: all

Please note that specific vulnerabilities listed below do not affect all
access point models. Please see the individual details sections for more
information.

Unaffected Products
===================
Aruba Mobility Conductor, Aruba Mobility Controllers, Access Points when
managed by Mobility Controllers, and Aruba SD-WAN Gateways are not affected
by these vulnerabilities. Aruba Instant On is also not affected by these
vulnerabilities.
Details
=======

Unauthenticated Buffer Overflow Vulnerabilities in Services Accessed by
the PAPI Protocol (CVE-2023-35980, CVE-2023-35981, CVE-2023-35982)
--------------------------------------------------------------
There are buffer overflow vulnerabilities in multiple underlying services
that could lead to unauthenticated remote code execution by sending
specially crafted packets destined to the PAPI (Aruba's access point
management protocol) UDP port (8211). Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary code as a
privileged user on the underlying operating system.

Internal References: ATLWL-303, ATLWL-328, ATLWL-330
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Erik de Jong
(bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent
the vulnerabilities from being exploited on InstantOS devices running 8.x
or 6.x code. For ArubaOS 10 devices this is not an option; instead, access
to port UDP/8211 must be blocked from all untrusted networks. Please
contact Aruba Support for configuration assistance.

Information Disclosure in Kernel (CVE-2022-25667)
--------------------------------------------------------------
There is an information disclosure vulnerability in the kernel used by
Aruba access points running InstantOS and ArubaOS 10.
More information about this vulnerability can be found at
https://nvd.nist.gov/vuln/detail/CVE-2022-25667

This vulnerability only affects the following access point models:
 - 650 Series Access Points
 - 630 Series Access Points
 - 550 Series Access Points
 - 530 Series Access Points

Internal References: ATLWL-339
Severity: High
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Discovery:
This vulnerability was discovered and reported by Xuewei Feng, Ke Xu, &
Qi Li (Tsinghua University), Kun Sun (George Mason University), and
Yuxiang Yang (Tsinghua University)

Workaround:
No specific workaround.

Resolution
==========
To address the vulnerabilities described above for the affected release
branches, it is recommended to upgrade the software to the following
versions:
 - ArubaOS 10.4.x.x: 10.4.0.2 and above
 - InstantOS 8.11.x.x: 8.11.1.1 and above
 - InstantOS 8.10.x.x: 8.10.0.7 and above
 - InstantOS 8.6.x.x: 8.6.0.21 and above
 - InstantOS 6.5.x.x: 6.5.4.25 and above
 - InstantOS 6.4.x.x: 6.4.4.8-4.2.4.22 and above

HPE Aruba Networking does not evaluate or patch InstantOS and ArubaOS 10
software branches that have reached their End of Support (EoS) milestone.
For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these vulnerabilities,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above. Vulnerability
specific workarounds are listed per vulnerability above. Contact HPE
Services - Aruba Networking for any configuration assistance.
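Added example (not HPE Aruba Networking's tooling): a small Python checker that takes the affected, End of Support and fixed version tables from this advisory and classifies each access point in an inventory as patched, affected, end-of-support, or on a branch the advisory does not name. The version tables are copied from the Affected Products and Resolution sections above; the comparison rule (split on "." and "-", compare numeric components left to right, so 6.4.4.8-4.2.4.21 sorts below 6.4.4.8-4.2.4.22) is an assumption that holds for the version strings listed here. The inventory at the bottom is constructed for illustration.

```python
"""Check AP software versions against the fix levels in ARUBA-PSA-2023-009.

Added example, not HPE Aruba Networking's code. Version tables are copied
from the advisory; the component-wise numeric comparison is an assumption.
"""
from typing import Dict, Iterable, Tuple

# Lowest patched version per release branch (Resolution section).
FIXED_VERSIONS = {
    ("ArubaOS", "10.4"): "10.4.0.2",
    ("InstantOS", "8.11"): "8.11.1.1",
    ("InstantOS", "8.10"): "8.10.0.7",
    ("InstantOS", "8.6"): "8.6.0.21",
    ("InstantOS", "6.5"): "6.5.4.25",
    ("InstantOS", "6.4"): "6.4.4.8-4.2.4.22",
}

# Branches the advisory lists as End of Support: affected, no patch available.
END_OF_SUPPORT = {
    ("ArubaOS", "10.3"),
    ("InstantOS", "8.9"),
    ("InstantOS", "8.8"),
    ("InstantOS", "8.7"),
    ("InstantOS", "8.5"),
    ("InstantOS", "8.4"),
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '6.4.4.8-4.2.4.21' into (6, 4, 4, 8, 4, 2, 4, 21) for ordering.

    Treating '-' like '.' keeps the InstantOS 6.4 build prefix ahead of the
    Instant version, so 6.4.4.8-4.2.4.21 < 6.4.4.8-4.2.4.22 (assumption).
    """
    parts = version.replace("-", ".").split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(os_name: str, version: str) -> str:
    """Classify one AP: 'patched', 'affected', 'end-of-support' or 'not-listed'."""
    key = version_key(version)
    branch = (os_name, f"{key[0]}.{key[1]}")      # e.g. ("InstantOS", "8.11")
    if branch in END_OF_SUPPORT:
        return "end-of-support"                 # affected, upgrade branch
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "not-listed"                     # branch not named in advisory
    return "patched" if key >= version_key(fixed) else "affected"


# Constructed inventory for illustration (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "InstantOS", "8.11.1.0"),
    ("ap-lobby-02", "InstantOS", "8.11.1.1"),
    ("ap-warehouse-01", "InstantOS", "6.4.4.8-4.2.4.21"),
    ("ap-branch-03", "ArubaOS", "10.4.0.2"),
    ("ap-branch-04", "ArubaOS", "10.3.1.0"),
]


def assess_inventory(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """Return {hostname: status} for every (hostname, os, version) entry."""
    return {host: assess(os_name, ver) for host, os_name, ver in inventory}


if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Anything reported as "affected" or "end-of-support" still has UDP/8211 reachable to the PAPI services named above, so those hosts are the ones to prioritise for the upgrade or, until then, for the cluster-security or port-filtering workaround the advisory describes.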
Exploitation and Public Discussion
==================================
CVE-2022-25667 is being publicly discussed and more information may be
found at https://nvd.nist.gov/vuln/detail/CVE-2022-25667

HPE Aruba Networking is not aware of any public discussion or exploit code
that targets the other vulnerabilities in this advisory as of the
publishing date of the advisory.

Revision History
================
Revision 1 / 2023-Jul-25 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP. This
advisory may be redistributed freely after the release date given at the
top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmSlh/UXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtlOCggAgqTbOUs1HhcRT6r9jsfER6Bp
8xpZg+jkLgcuBwlhdCrI9X1gyPyHauZLB3VC0AZ/JzHXR1JHp0RG2E1u7dFy1YVE
QZdg/QS4B6qHhtNsGGvFX2sGkEqZ6FCNHpuQHGQ0Y9ISvnNOy7/SCQKPuIPiB5Di
OzdC6dWtZpFgjLl/Yi+be4lMCVcOrBb9JbEmlTC3rbdK8BX3GXmK63koyuyxhFT6
Phlo9BxkXlUfPR+ENKYH/Apt2p+aem7g3E39AyVEh/Z24jzqifEl2LTMDUWYhwo2
f0gfo85nhXgAnSWZhxIzaE/2lfQ0XipY8JAlW0tvS1oWcHdHZywf1tMGMFSjrw==
=hPoE
-----END PGP SIGNATURE-----