-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2023-014
CVE: CVE-2023-38484, CVE-2023-38485, CVE-2023-38486
Publication Date: 2023-Sep-06
Status: Confirmed
Severity: High
Revision: 1

Title
=====
Multiple Vulnerabilities in 9200 and 9000 Series Controllers and
Gateways running ArubaOS

Overview
========
HPE Aruba Networking has released patches for ArubaOS that address
multiple security vulnerabilities in 9200 and 9000 Series Controllers
and Gateways.

Affected Products
=================
HPE Aruba Networking
  - 9200 Series Mobility Controllers and SD-WAN Gateways
  - 9000 Series Mobility Controllers and SD-WAN Gateways

Affected Software Versions:
  - ArubaOS 10.4.x.x: 10.4.0.1 and below
  - ArubaOS 8.11.x.x: 8.11.1.0 and below
  - ArubaOS 8.10.x.x: 8.10.0.6 and below
  - ArubaOS 8.6.x.x: 8.6.0.21 and below

The following ArubaOS and SD-WAN software versions that are End of
Support are affected by these vulnerabilities and are not patched by
this advisory:
  - ArubaOS 10.3.x.x: all
  - ArubaOS 8.9.x.x: all
  - ArubaOS 8.8.x.x: all
  - ArubaOS 8.7.x.x: all
  - ArubaOS 6.5.4.x: all
  - SD-WAN 8.7.0.0-2.3.0.x: all
  - SD-WAN 8.6.0.4-2.2.x.x: all

Details
=======

Multiple Buffer Overflow Vulnerabilities in BIOS Implementation of 9200
and 9000 Series Controllers and Gateways (CVE-2023-38484, CVE-2023-38485)
---------------------------------------------------------------------
Vulnerabilities exist in the BIOS implementation of Aruba 9200 and 9000
Series Controllers and Gateways that could allow an attacker to execute
arbitrary code early in the boot sequence. An attacker could exploit
these vulnerabilities to gain access to and change underlying sensitive
information in the affected controller, leading to complete system
compromise.
Internal References: ATLWL-322, ATLWL-327
Severity: High
CVSSv3 Overall Score: 8.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered by Nicholas Starke of Aruba
Threat Labs.

Workaround:
It is important to note that an attacker must exploit another
vulnerability first before the attacker can exploit these
vulnerabilities, as these vulnerabilities can only be exploited via a
root shell from the local ArubaOS controller. To minimize the
likelihood of an attacker exploiting these vulnerabilities, HPE Aruba
Networking recommends that the CLI and web-based management interfaces
be restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

Hardware Root of Trust Bypass in 9200 and 9000 Series Controllers and
Gateways (CVE-2023-38486)
-----------------------------------------------
A vulnerability in the secure boot implementation on affected Aruba
9200 and 9000 Series Controllers and Gateways allows an attacker to
bypass security controls which would normally prohibit unsigned kernel
images from executing. An attacker can use this vulnerability to
execute arbitrary runtime operating systems, including unverified and
unsigned OS images.

Internal References: ATLWL-347
Severity: High
CVSSv3 Overall Score: 7.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

Discovery:
This vulnerability was discovered by Nicholas Starke of Aruba Threat
Labs.

Workaround:
It is important to note that an attacker must exploit another
vulnerability first before the attacker can exploit this vulnerability,
as this vulnerability can only be exploited via a root shell from the
local ArubaOS controller. To minimize the likelihood of an attacker
exploiting this vulnerability, HPE Aruba Networking recommends that the
CLI and web-based management interfaces be restricted to a dedicated
layer 2 segment/VLAN and/or controlled by firewall policies at layer 3
and above.
Resolution
==========
Upgrade Mobility Controllers and Gateways to one of the following
ArubaOS versions (as applicable) to resolve all the vulnerabilities
described in the Details section:
  - ArubaOS 10.4.x.x: 10.4.0.2 and above
  - ArubaOS 8.11.x.x: 8.11.1.1 and above
  - ArubaOS 8.10.x.x: 8.10.0.7 and above
  - ArubaOS 8.6.x.x: 8.6.0.22 and above

HPE Aruba Networking does not evaluate or patch ArubaOS branches that
have reached their End of Maintenance (EoM) milestone. For more
information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
Vulnerability specific workarounds are listed per vulnerability above.
Contact HPE Services - Aruba Networking for any configuration
assistance.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit
code that targets these specific vulnerabilities as of the publishing
date of this advisory.

Revision History
================
Revision 1 / 2023-Sep-06 / Initial release

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmS+ogAXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtm+Rgf8CDqPOZw4Il2i/TYO6amyKMHZ
PPU/9/iI3fXCPg7OvdlCXASkNt8X4c3qIKv5OZ91XLQPwRdxRBrEF1aU6KRpZS+Z
bSAJZaWgNfnPcC7yxdi2S/ulM0wEypGJeLmFpjDr1Dcxilvms13mofDv28tsaeM0
gsFNWu+pVYr8g5jB9kCxb5dEsgLsHydNgQS6dF3yx7Rdv9dA7xS+2UX0RtK/mFgS
Yc3hPCVtH9OmOpLxYA/5WXwYprBPuv73z+qKk/jDfkiP2aOicF23Pd2ni6MC2BZg
NzgS2uvMyVQC2Sb7akSjS9M/W3Ts1ArV6McL9EC51VUY+vkaBfb/AWN2dv3wWg==
=c1ef
-----END PGP SIGNATURE-----
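Editor's note. The following is an added example and is not part of the signed HPE Aruba advisory above. It turns the advisory's Affected Software Versions and Resolution tables into a fleet triage script: each build is classified as patched, affected on a supported branch, on an End of Support branch that this advisory does not fix, or not named in the advisory at all (which is reported for a manual check rather than treated as safe). The hostnames and builds in the sample inventory are constructed; the parser only needs a dotted version somewhere in the string, so it makes no assumption about the exact layout of `show version` output. It checks software versions only: the advisory scopes the issues to 9200 and 9000 Series hardware, so the platform still has to be confirmed separately, and the root-shell precondition described under each workaround does not change which builds need the upgrade.

```python
"""Version triage for ARUBA-PSA-2023-014.

Added example, not part of the HPE Aruba advisory. Thresholds are taken
from the advisory's Affected Software Versions and Resolution sections;
the inventory at the bottom is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

Version = tuple[int, ...]

# First fixed build per supported branch (Resolution section). A version
# on one of these branches is affected when it is below the fixed build.
FIXED_BY_BRANCH: dict[Version, Version] = {
    (10, 4): (10, 4, 0, 2),
    (8, 11): (8, 11, 1, 1),
    (8, 10): (8, 10, 0, 7),
    (8, 6): (8, 6, 0, 22),
}

# ArubaOS branches the advisory lists as End of Support: every build is
# affected and no fix is published for them.
EOS_BRANCHES: list[Version] = [(10, 3), (8, 9), (8, 8), (8, 7), (6, 5, 4)]

# A dotted version, optionally followed by "-<dotted>" as in the SD-WAN
# image names the advisory lists (e.g. 8.7.0.0-2.3.0.x).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)(?:-(\d+(?:\.\d+)+))?")


def parse_version(text: str) -> tuple[Version, bool]:
    """Return (dotted version, is_sdwan_image) from a version string or a
    line of output that contains one. Raises ValueError if none is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    base = tuple(int(p) for p in m.group(1).split("."))
    return base, m.group(2) is not None


def _pad(v: Version, n: int) -> Version:
    """Right-pad with zeros so 8.10.1 compares as 8.10.1.0."""
    return v + (0,) * (n - len(v))


@dataclass(frozen=True)
class Verdict:
    version: str
    status: str            # patched | affected | end-of-support | not-listed
    fixed_in: str | None   # first fixed build on the branch, if one exists


def assess(version_text: str) -> Verdict:
    """Classify one version string against the advisory's tables."""
    v, sdwan = parse_version(version_text)
    vs = ".".join(map(str, v))
    if sdwan:
        # Both SD-WAN trains the advisory names (8.7.0.0-2.3.0.x and
        # 8.6.0.4-2.2.x.x) are End of Support: affected, no fix.
        return Verdict(vs, "end-of-support", None)
    for branch, fixed in FIXED_BY_BRANCH.items():
        if v[: len(branch)] == branch:
            n = max(len(v), len(fixed))
            status = "patched" if _pad(v, n) >= _pad(fixed, n) else "affected"
            return Verdict(vs, status, ".".join(map(str, fixed)))
    for branch in EOS_BRANCHES:
        if v[: len(branch)] == branch:
            return Verdict(vs, "end-of-support", None)
    # Not named in the advisory (e.g. a newer branch): do not report it
    # as safe, flag it for a manual check instead.
    return Verdict(vs, "not-listed", None)


def triage(inventory: dict[str, str]) -> dict[str, Verdict]:
    """Map hostname -> Verdict for a {hostname: version string} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = {
    "gw-dc1-01": "ArubaOS 8.10.0.6",
    "gw-dc1-02": "ArubaOS 8.10.0.7",
    "ctrl-hq-01": "10.4.0.1",
    "ctrl-br-07": "6.5.4.20",
    "sdwan-br-03": "8.6.0.4-2.2.1.0",
    "ctrl-lab-01": "8.12.0.0",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        fix = f" (fixed in {verdict.fixed_in})" if verdict.fixed_in else ""
        print(f"{host:12} {verdict.version:16} {verdict.status}{fix}")
```

Branch matching is done by tuple prefix rather than string prefix so that 8.1x.y is never confused with 8.1.y, and the comparison pads shorter builds with zeros so that a three-component build on a fixed branch is ordered correctly against the four-component fixed build. An End of Support result means the advisory offers no upgrade target on that branch; the only paths it gives are moving to a supported branch or applying the management-plane isolation workaround.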