HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2023-012
CVE: CVE-2023-37421, CVE-2023-37422, CVE-2023-37423, CVE-2023-37424, CVE-2023-37425, CVE-2023-37426, CVE-2023-37427, CVE-2023-37428, CVE-2023-37429, CVE-2023-37430, CVE-2023-37431, CVE-2023-37432, CVE-2023-37433, CVE-2023-37434, CVE-2023-37435, CVE-2023-37436, CVE-2023-37437, CVE-2023-37438, CVE-2023-37439, CVE-2023-37440
Publication Date: 2023-Aug-22
Last Update: 2023-Oct-03
Status: Confirmed
Severity: High
Revision: 2

Title
=====

Multiple Vulnerabilities in EdgeConnect SD-WAN Orchestrator

Overview
========

HPE Aruba Networking has released patches for EdgeConnect SD-WAN Orchestrator that address multiple security vulnerabilities.

Affected Products
=================

- EdgeConnect SD-WAN Orchestrator (self-hosted, on-premises)
- EdgeConnect SD-WAN Orchestrator (self-hosted, public cloud IaaS)
- EdgeConnect SD-WAN Orchestrator-as-a-Service
- EdgeConnect SD-WAN Orchestrator-SP Tenant Orchestrators
- EdgeConnect SD-WAN Orchestrator Global Enterprise Tenant Orchestrators

- Orchestrator 9.3.x: Orchestrator 9.3.0 (all builds) and below
- Orchestrator 9.2.x: Orchestrator 9.2.5 (all builds) and below
- Orchestrator 9.1.x: Orchestrator 9.1.7 (all builds) and below
- Orchestrator 9.0.x: All versions
- Any older branches of Orchestrator not specifically mentioned

Please note that some of the vulnerabilities listed below could not be patched in all supported software versions. See the Resolution section at the end of this document for further detail.

Versions of EdgeConnect SD-WAN Orchestrator that are End of Maintenance (EoM) are affected by these vulnerabilities unless otherwise indicated.

Unaffected Products
===================

Any other HPE Aruba Networking products not specifically listed above are not affected by these vulnerabilities.
Details
=======

Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface (CVE-2023-37421, CVE-2023-37422, CVE-2023-37423)
---------------------------------------------------------------------

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Internal References: ATLSP-67, ATLSP-80, ATLSP-95, ATLSP-96
Severity: High
CVSSv3 Overall Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Workaround: To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. As a best practice, it is recommended to configure IP-allow-listing for Orchestrator local users and API keys.

Unauthenticated Remote Code Execution in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface (CVE-2023-37424)
---------------------------------------------------------------------

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host if certain preconditions outside of the attacker's control are met. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system, leading to complete system compromise.
Internal References: ATLSP-84
Severity: High
CVSSv3.x Overall Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Workaround: Applying the settings documented in the following security bulletin prevents the remote code execution vulnerability detailed here:

- https://www.arubanetworks.com/website/techdocs/sdwan-PDFs/docs/advisories/ec_adv_sec_settings_latest.pdf

Unauthenticated Stored Cross-Site Scripting Vulnerability (XSS) in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface (CVE-2023-37425)
---------------------------------------------------------------------

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Internal References: ATLSP-83
Severity: High
CVSSv3.x Overall Score: 8.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. As a best practice, it is recommended to configure IP-allow-listing for Orchestrator local users and API keys.
Shared SSH Static Host Keys in EdgeConnect SD-WAN Orchestrator (CVE-2023-37426)
---------------------------------------------------------------------

Self-hosted EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to share static SSH host keys across all installations. This vulnerability could allow an attacker to spoof the SSH host signature and thereby masquerade as a legitimate Orchestrator host. Orchestrator-as-a-Service (OaaS) instances are not affected by this vulnerability.

Internal References: ATLSP-63
Severity: High
CVSSv3 Overall Score: 7.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Discovery: This vulnerability was discovered and reported by Dean Freeman and Carmody Rauch.

Workaround: Affected versions of self-hosted EdgeConnect SD-WAN Orchestrator will regenerate their SSH host keys after upgrading to a resolved version. Customers who wish to manually regenerate their SSH host keys may do so by logging into the administrative command line on their Orchestrator instances, removing the older SSH host keys with the command `rm -f /etc/ssh/ssh_host*`, and then restarting the sshd daemon with the command `systemctl restart sshd`.

Authenticated Remote Code Execution in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface (CVE-2023-37427)
---------------------------------------------------------------------

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.
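For the shared static host keys described under CVE-2023-37426 above, an operator running several self-hosted Orchestrator instances will want to confirm, before and after the key regeneration or upgrade, that no two hosts still present the same host key. The check below is an added example and not part of the advisory or any HPE Aruba Networking tool: it groups `ssh-keyscan` output lines by key type and OpenSSH-style SHA256 fingerprint and reports every key that more than one host presents. The hostnames and key blobs in the sample are constructed.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint (SHA256:<base64 without padding>) of a public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Yield (host, key_type, b64_key) from ssh-keyscan output lines.

    Comment lines (the '# host:port banner' lines ssh-keyscan emits) and
    anything that does not have the three-field 'host type key' shape are skipped.
    """
    for line in lines:
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0], parts[1], parts[2]


def shared_host_keys(lines) -> dict:
    """Map each host key presented by more than one host to the sorted list of those hosts."""
    hosts_by_key = defaultdict(set)
    for host, key_type, b64_key in parse_keyscan(lines):
        hosts_by_key[(key_type, fingerprint(b64_key))].add(host)
    return {
        f"{key_type} {fp}": sorted(hosts)
        for (key_type, fp), hosts in hosts_by_key.items()
        if len(hosts) > 1
    }


def constructed_blob(label: str) -> str:
    """Constructed stand-in for a real public-key blob; only equality between hosts matters."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample in ssh-keyscan output format (e.g. `ssh-keyscan -t ed25519,rsa <host>`);
# hostnames and key material are invented, not real Orchestrator keys.
SAMPLE_KEYSCAN = [
    "# orch-a.example.net:22 SSH-2.0-OpenSSH_8.9",
    f"orch-a.example.net ssh-ed25519 {constructed_blob('factory-static-host-key')}",
    f"orch-b.example.net ssh-ed25519 {constructed_blob('factory-static-host-key')}",
    f"orch-c.example.net ssh-ed25519 {constructed_blob('regenerated-unique-key')}",
    f"orch-a.example.net ssh-rsa {constructed_blob('rsa-key-only-on-a')}",
]

if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{key} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```

After the regeneration step or the upgrade, re-run the scan; an empty result means every instance now presents a key of its own, and the new fingerprints can be pinned in `known_hosts` on the jump hosts that manage them.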
Internal References: ATLSP-76
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Workaround: This is an authenticated vulnerability that requires administrative access to the EdgeConnect SD-WAN Orchestrator web-based management interface in order to be exploited. To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the web-based management interface be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, with administrative access strictly controlled and monitored. As a best practice, it is recommended to configure IP-allow-listing for Orchestrator local users and API keys.

Authenticated Remote Code Execution via Path Traversal in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface (CVE-2023-37428)
---------------------------------------------------------------------

A vulnerability in the EdgeConnect SD-WAN Orchestrator web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system, leading to complete system compromise.

Internal References: ATLSP-81
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Workaround: This is an authenticated vulnerability that requires administrative access to the EdgeConnect SD-WAN Orchestrator web-based management interface in order to be exploited.
To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the web-based management interface be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, with administrative access strictly controlled and monitored. As a best practice, it is recommended to configure IP-allow-listing for Orchestrator local users and API keys.

Authenticated SQL Injection Vulnerabilities in EdgeConnect SD-WAN Orchestrator Web-based Management Interface (CVE-2023-37429, CVE-2023-37430, CVE-2023-37431, CVE-2023-37432, CVE-2023-37433, CVE-2023-37434, CVE-2023-37435, CVE-2023-37436, CVE-2023-37437, CVE-2023-37438)
---------------------------------------------------------------------

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database, potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.

Internal References: ATLSP-66, ATLSP-68, ATLSP-69, ATLSP-70, ATLSP-71, ATLSP-72, ATLSP-73, ATLSP-74, ATLSP-85, ATLSP-86
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Resolution: Please note that, due to the structure of these specific vulnerabilities, HPE Aruba Networking has patched them only in the following branch and version of Orchestrator:

- Orchestrator 9.3.x: Orchestrator 9.3.1 (all builds) and above

Older branches and branches not specifically named are not patched.
Customers unable to upgrade should consult the workaround section.

Workaround: These are authenticated vulnerabilities that require administrative access to the EdgeConnect SD-WAN Orchestrator web-based management interface in order to be exploited. To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the web-based management interface be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, with administrative access strictly controlled and monitored. As a best practice, it is recommended to configure IP-allow-listing for Orchestrator local users and API keys.

Reflected Cross Site Scripting in EdgeConnect SD-WAN Orchestrator Web Management Interface (CVE-2023-37439)
---------------------------------------------------------------------

A vulnerability within the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Internal References: ATLSP-82
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Resolution: HPE Aruba Networking has patched this particular vulnerability in the following branches and versions of Orchestrator:

- Orchestrator 9.3.x: Orchestrator 9.3.0 (all builds) and above
- Orchestrator 9.2.x: Orchestrator 9.2.3 (all builds) and above
- Orchestrator 9.1.x: Orchestrator 9.1.6 (all builds) and above

Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.
Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. As a best practice, it is recommended to configure IP-allow-listing for Orchestrator local users and API keys.

Authenticated Server-Side Request Forgery (SSRF) Leading to Information Disclosure (CVE-2023-37440)
---------------------------------------------------------------------

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to conduct a server-side request forgery (SSRF) attack. A successful exploit allows an attacker to enumerate information about the internal structure of the EdgeConnect SD-WAN Orchestrator host, leading to potential disclosure of sensitive information.

Internal Reference: ATLSP-75
Severity: Medium
CVSSv3.x Overall Score: 5.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Resolution: Please note that, due to the structure of this specific vulnerability, HPE Aruba Networking has patched it only in the following branch and version of Orchestrator:

- Orchestrator 9.3.x: Orchestrator 9.3.1 (all builds) and above

Older branches and branches not specifically named are not patched. Customers unable to upgrade should consult the workaround section.

Workaround: This is an authenticated vulnerability that requires administrative access to the EdgeConnect SD-WAN Orchestrator web-based management interface in order to be exploited.
To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the web-based management interface be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, with administrative access strictly controlled and monitored. As a best practice, it is recommended to configure IP-allow-listing for Orchestrator local users and API keys.

Resolution
==========

PLEASE NOTE - To fully patch the vulnerabilities disclosed above, including the lower-severity authenticated vulnerabilities that require existing administrative access, customers must upgrade to the following branch and version:

- Orchestrator 9.3.x: Orchestrator 9.3.1 (all builds) and above (expected to be available end of September 2023)

For those who choose to implement the workarounds and other security controls documented in the details sections above, all vulnerabilities with a CVSS score of 7.0 and above are addressed by upgrading to the following branches and versions of EdgeConnect SD-WAN Orchestrator:

- EdgeConnect SD-WAN Orchestrator (self-hosted, on-premises)
- EdgeConnect SD-WAN Orchestrator (self-hosted, public cloud IaaS)
- EdgeConnect SD-WAN Orchestrator-as-a-Service
- EdgeConnect SD-WAN Orchestrator-SP Tenant Orchestrators
- EdgeConnect SD-WAN Orchestrator Global Enterprise Tenant Orchestrators

- Orchestrator 9.3.x: Orchestrator 9.3.1 (all builds) and above (expected to be available end of September 2023)
- Orchestrator 9.2.x: Orchestrator 9.2.6 (all builds) and above
- Orchestrator 9.1.x: Orchestrator 9.1.8 (all builds) and above

- EdgeConnect SD-WAN Orchestrator-SP Tenant Orchestrators - Service providers must upgrade all tenants to a patched version listed above.

HPE Aruba Networking does not evaluate or patch product branches that have reached their End of Maintenance (EoM) milestone.
Supported branches as of the publication date of this advisory are:

- EdgeConnect SD-WAN Orchestrator 9.3.x
- EdgeConnect SD-WAN Orchestrator 9.2.x
- EdgeConnect SD-WAN Orchestrator 9.1.x

For more information about Aruba's End of Support policy visit: https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========

To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. As a best practice, it is recommended to configure IP-allow-listing for Orchestrator local users and API keys.

Exploitation and Public Discussion
==================================

HPE Aruba Networking is not aware of any public discussion or exploit code that targets these specific vulnerabilities as of the release date of the advisory.

Revision History
================

Revision 1 / 2023-Aug-22 / Initial release
Revision 2 / 2023-Oct-03 / Updated workaround sections with additional information. Updated details sections. Changed 9.3.1 release date.

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.