-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2023-013
CVE: CVE-2023-39266, CVE-2023-39267, CVE-2023-39268
Publication Date: 2023-Aug-29
Status: Confirmed
Severity: High
Revision: 1

Title
=====
ArubaOS-Switch Switches Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released updates for wired switching products
running ArubaOS-Switch that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking Switch Models:
- Aruba 5400R Series Switches
- Aruba 3810 Series Switches
- Aruba 2920 Series Switches
- Aruba 2930F Series Switches
- Aruba 2930M Series Switches
- Aruba 2530 Series Switches
- Aruba 2540 Series Switches

Software Branch Versions:
- ArubaOS-Switch 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0012 and below.
- ArubaOS-Switch 16.10.xxxx: KB/WC/YA/YB/YC.16.10.0025 and below.
- ArubaOS-Switch 16.10.xxxx: WB.16.10.0023 and below.
- ArubaOS-Switch 16.09.xxxx: All versions.
- ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0026 and below.
- ArubaOS-Switch 16.07.xxxx: All versions.
- ArubaOS-Switch 16.06.xxxx: All versions.
- ArubaOS-Switch 16.05.xxxx: All versions.
- ArubaOS-Switch 16.04.xxxx: KA/RA.16.04.0026 and below.
- ArubaOS-Switch 16.03.xxxx: All versions.
- ArubaOS-Switch 16.02.xxxx: All versions.
- ArubaOS-Switch 16.01.xxxx: All versions.
- ArubaOS-Switch 15.xx.xxxx: 15.16.0025 and below.

Unaffected Products
===================
Any other HPE Aruba Networking products not listed above, including
AOS-CX Switches, Aruba Intelligent Edge Switches, and HPE OfficeConnect
Switches, are not affected by these vulnerabilities.
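The following script is an added example, not part of this advisory and not tooling from HPE Aruba Networking. It transcribes the Software Branch Versions table above and the fixed builds given in the Resolution section so that a version string taken from a switch inventory can be classified without reading the tables by hand. It assumes version strings in the advisory's platform.major.minor.build form (for example WC.16.10.0025, platform code optional for 15.xx), checks only the software branch and not the switch model, and, following the note in the Resolution section, treats every KB/WC/YA/YB/YC build on 16.10 as needing the move to 16.11.0013 because that branch receives no fix.

```python
"""Classify ArubaOS-Switch version strings against ARUBA-PSA-2023-013.

Added example, not HPE Aruba Networking tooling.  The tables below are
transcribed from the Affected Products and Resolution sections of the
advisory; only the software branch is checked, not the switch model.
"""
import re
from typing import NamedTuple, Optional

# Assumed format: "<platform>.<major>.<minor>.<build>", e.g. "WC.16.10.0025".
# The platform code is optional because the 15.xx entry omits it.
VERSION_RE = re.compile(
    r"^(?:(?P<platform>[A-Z]{1,2})\.)?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<build>\d+)$"
)


class Verdict(NamedTuple):
    affected: bool
    reason: str
    upgrade_to: Optional[str]  # fixed version to move to; None if not affected or none listed


# (major, minor, platform codes or None for any platform,
#  last affected build or None for "all versions",
#  fixed version template or None when the advisory lists no fix)
RULES = [
    (16, 11, {"KB", "WC", "YA", "YB", "YC"}, 12, "{p}.16.11.0013"),
    (16, 10, {"WB"}, 23, "WB.16.10.0024"),
    # 16.10 on the other platforms will not receive fixes; the Resolution
    # note sends those switches to 16.11.0013, so every build counts.
    (16, 10, {"KB", "WC", "YA", "YB", "YC"}, None, "{p}.16.11.0013"),
    (16, 9, None, None, None),
    (16, 8, {"KB", "WB", "WC", "YA", "YB", "YC"}, 26, "{p}.16.08.0027"),
    (16, 7, None, None, None),
    (16, 6, None, None, None),
    (16, 5, None, None, None),
    (16, 4, {"KA", "RA"}, 26, "{p}.16.04.0027"),
    (16, 3, None, None, None),
    (16, 2, None, None, None),
    (16, 1, None, None, None),
]
LAST_AFFECTED_15 = (16, 25)  # "15.16.0025 and below"
FIXED_15 = "A.15.16.0026"


def parse_version(text: str):
    """Split 'WC.16.10.0025' into ('WC', 16, 10, 25); raise on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ArubaOS-Switch version string: {text!r}")
    return m["platform"], int(m["major"]), int(m["minor"]), int(m["build"])


def check_version(text: str) -> Verdict:
    """Return whether the version is in the advisory's affected ranges."""
    platform, major, minor, build = parse_version(text)
    branch = f"{major}.{minor:02d}"
    label = f"{branch}.{build:04d}"

    if major == 15:
        if (minor, build) <= LAST_AFFECTED_15:
            return Verdict(True, f"{label} is 15.16.0025 or below", FIXED_15)
        return Verdict(False, f"{label} is above 15.16.0025", None)

    branch_rules = [r for r in RULES if (r[0], r[1]) == (major, minor)]
    if not branch_rules:
        return Verdict(False, f"branch {branch} is not listed in the advisory", None)

    for _, _, platforms, last_affected, fix in branch_rules:
        if platforms is not None and platform not in platforms:
            continue
        if last_affected is not None and build > last_affected:
            return Verdict(False, f"{label} is above the last affected build "
                                  f"{branch}.{last_affected:04d}", None)
        if fix is None:
            return Verdict(True, f"all {branch} builds are affected and the advisory "
                                 f"lists no fixed build for that branch", None)
        return Verdict(True, f"{label} is in the affected range", fix.format(p=platform))

    return Verdict(False, f"platform code {platform!r} is not listed for branch {branch}", None)


if __name__ == "__main__":
    # Constructed sample inventory, not real switches.
    for v in ["WC.16.10.0025", "WB.16.10.0024", "KB.16.11.0012", "YA.16.09.0020",
              "KA.16.04.0026", "A.15.16.0025", "KA.16.11.0005"]:
        print(v, check_version(v))
```

A version that parses but whose branch or platform code does not appear in the tables is reported as not affected, which is what the advisory states for unlisted products; a string that does not parse raises rather than being silently passed, so an inventory with a typo fails loudly.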
Details
=======

Unauthenticated Stored Cross-Site Scripting in ArubaOS-Switch
(CVE-2023-39266)
---------------------------------------------------------------------
A vulnerability in the ArubaOS-Switch web management interface could
allow an unauthenticated remote attacker to conduct a stored cross-site
scripting (XSS) attack against a user of the interface, provided certain
configuration options are present. A successful exploit could allow an
attacker to execute arbitrary script code in a victim's browser in the
context of the affected interface.

Internal Reference: APVOS-13
Severity: High
CVSSv3 Overall Score: 8.3
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Ken Pyle -
Partner and Exploit Developer, CYBIR and Graduate Professor of
Cybersecurity at Chestnut Hill College.

Workaround: Configuration changes such as setting an operator password
on the switch and enforcing the use of HTTPS prevent this attack. Please
see the ArubaOS-Switch hardening guide at
https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us
for details. Additionally, disabling the web management interface
prevents this attack. Contact HPE Services - Aruba Networking TAC for
any configuration assistance.

Authenticated Denial of Service Vulnerability in ArubaOS-Switch Command
Line Interface (CVE-2023-39267)
---------------------------------------------------------------------
An authenticated remote code execution vulnerability exists in the
ArubaOS-Switch command line interface. Successful exploitation results
in a Denial-of-Service (DoS) condition in the switch.
Internal Reference: APVOS-18
Severity: Medium
CVSSv3 Overall Score: 6.6
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:L

Discovery: This vulnerability was discovered by Lino Mirgeler of DTS
Systeme GmbH.

Memory Corruption Vulnerability in ArubaOS-Switch (CVE-2023-39268)
--------------------------------------------------------------
A memory corruption vulnerability in ArubaOS-Switch could lead to
unauthenticated remote code execution by receiving specially crafted
packets. Successful exploitation of this vulnerability results in the
ability to execute arbitrary code as a privileged user on the
underlying operating system.

Internal Reference: APVOS-17
Severity: Medium
CVSSv3 Overall Score: 4.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered and reported by Ken Pyle -
Partner and Exploit Developer, CYBIR and Graduate Professor of
Cybersecurity at Chestnut Hill College.

Resolution
==========
To address the vulnerabilities described above for the affected release
branches, it is recommended to upgrade the software to the following
versions:
- ArubaOS-Switch 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0013 and above.
- ArubaOS-Switch 16.10.xxxx: WB.16.10.0024 and above.
- ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0027 and above.
- ArubaOS-Switch 16.04.xxxx: KA/RA.16.04.0027 and above.
- ArubaOS-Switch 15.xx.xxxx: A.15.16.0026 and above.

Note: The 16.10.xxxx KB/WC/YA/YB/YC builds will not receive fixes for
these vulnerabilities. Upgrading to KB/WC/YA/YB/YC.16.11.0013 and above
will address these vulnerabilities.

The software versions listed in the Resolution section are the
supported branches as of the publication date of this advisory.
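The following ArubaOS-Switch configuration fragment is added here as an illustration; it is not taken from the advisory or from HPE Aruba Networking documentation. It shows a weak configuration beside the settings the CVE-2023-39266 workaround above calls for (an operator password and HTTPS-only web management, or no web management at all), followed by the management-VLAN and authorized-manager restrictions that implement the general recommendation in the Workaround section to confine the CLI and web interfaces to a dedicated segment. VLAN 999, the MGMT name and the 10.200.0.0/24 subnet are placeholders; the command syntax is from the ArubaOS-Switch CLI and should be verified against the Access Security Guide for the release in use. Comment lines start with ";" as they do in a saved ArubaOS-Switch configuration.

```text
; Weak configuration (illustrative): plaintext HTTP management reachable
; from every VLAN and no operator password, the conditions the XSS
; workaround removes.
web-management plaintext
no web-management ssl

; Workaround for CVE-2023-39266: set an operator password (the command
; prompts for it) and serve the web interface over HTTPS only.  A TLS
; certificate must already be installed for web-management ssl to work.
password operator
web-management ssl
no web-management plaintext

; Alternative workaround: turn the web management interface off entirely.
no web-management

; General workaround: confine CLI and web management to a dedicated VLAN
; (placeholder VLAN 999) and accept management sessions only from the
; placeholder admin subnet 10.200.0.0/24.  Keep a console session open
; while applying this so a mistake cannot lock you out.
vlan 999
   name MGMT
   ip address 10.200.0.10 255.255.255.0
   exit
management-vlan 999
ip authorized-managers 10.200.0.0 255.255.255.0 access manager
no telnet-server
ip ssh
```

Setting `management-vlan` means the switch answers management traffic only on that VLAN, so the admin subnet must be reachable through it; `ip authorized-managers` then filters by source address on top of that. Neither replaces the firmware upgrade in the Resolution section, since CVE-2023-39267 and CVE-2023-39268 are reachable by anyone who can still log in or send packets to the switch.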
Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above. Contact HPE Services - Aruba Networking TAC for any
configuration assistance.

ArubaOS-Switch Hardening Guide
==============================
For general information on hardening ArubaOS-Switch devices against
security threats, please see the ArubaOS-Switch Access Security Guide
available at
https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us

Exploitation and Public Discussion
==================================
CVE-2023-39266 has been publicly disclosed. More information can be
found at:
https://cybir.com/2022/cve/layer7mattersatlayer2-coolhandluke/

HPE Aruba Networking is not aware of any public discussion or exploit
code that targets the other vulnerabilities in this advisory as of the
publishing date of the advisory.

Revision History
================
Revision 1 / 2023-Aug-29 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmTjiz8XHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtlysgf9FpRHCX5mx1NO0S4Hm2gt1TK/
r/KBtzgrG1kbV58Ry+LynLSHQxyMWI6eVkZUq7zh7olJgyYkYrD7koDNh8JklCUg
K/DcIWi32/67vgUqr7jArum/AD+TQ4Yl26p/xAXfuph4bmoCwaBp9Im4R9PkVUfF
nAHD31zT8tIi+fbDoyH3eujXDzo2Dl+p1buVhTZQ4qO7Jkz1XMD85SaiOurLZWmv
WH7rpR+fVwh9VE0aLHbIjntTDgYaacLzz7oD22onHUWMCFIGrFLTJmFrqlhqKx0w
3LYxQ60tpBTYx8G8INXyI7i4OTQHJx9RxA26FUqIFkZVelen4P5dUkV3cvI9YA==
=6ruD
-----END PGP SIGNATURE-----