-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2023-017
CVE: CVE-2023-45614, CVE-2023-45615, CVE-2023-45616, CVE-2023-45617,
     CVE-2023-45618, CVE-2023-45619, CVE-2023-45620, CVE-2023-45621,
     CVE-2023-45622, CVE-2023-45623, CVE-2023-45624, CVE-2023-45625,
     CVE-2023-45626, CVE-2023-45627
Publication Date: 2023-Nov-14
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
Aruba Access Points Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for Aruba access points
running InstantOS and ArubaOS 10 that address multiple security
vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Aruba access points running InstantOS and ArubaOS 10

Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.0.0 and below
- ArubaOS 10.4.x.x: 10.4.0.2 and below
- InstantOS 8.11.x.x: 8.11.1.2 and below
- InstantOS 8.10.x.x: 8.10.0.8 and below
- InstantOS 8.6.x.x: 8.6.0.22 and below

The following software versions that are End of Maintenance are
affected by these vulnerabilities and are not addressed by this
advisory:
- ArubaOS 10.3.x.x: all
- InstantOS 8.9.x.x: all
- InstantOS 8.8.x.x: all
- InstantOS 8.7.x.x: all
- InstantOS 8.5.x.x: all
- InstantOS 8.4.x.x: all
- InstantOS 6.5.x.x: all
- InstantOS 6.4.x.x: all

Unaffected Products
===================
Aruba Mobility Conductor, Aruba Mobility Controllers, Access-Points
when managed by Mobility Controllers and Aruba SD-WAN Gateways are
not affected by these vulnerabilities. Aruba Instant On is also not
affected by these vulnerabilities.
Details
=======
Unauthenticated Buffer Overflow Vulnerabilities in CLI Service
Accessed by the PAPI Protocol (CVE-2023-45614, CVE-2023-45615)
--------------------------------------------------------------
There are buffer overflow vulnerabilities in the underlying CLI
service that could lead to unauthenticated remote code execution by
sending specially crafted packets destined to the PAPI (Aruba's access
point management protocol) UDP port (8211). Successful exploitation of
these vulnerabilities results in the ability to execute arbitrary code
as a privileged user on the underlying operating system.

Internal References: ATLWL-361, ATLWL-362, ATLWL-363, ATLWL-364,
                     ATLWL-365, ATLWL-366, ATLWL-367, ATLWL-368,
                     ATLWL-375, ATLWL-376, ATLWL-377, ATLWL-378,
                     ATLWL-379, ATLWL-390, ATLWL-396, ATLWL-397,
                     ATLWL-400
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by XiaoC from
Moonlight Bug Hunter and Chancen via HPE Aruba Networking's bug bounty
program.

Workaround:
Enabling cluster-security via the cluster-security command will
prevent the vulnerabilities from being exploited in InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks. Please contact HPE Services - Aruba Networking TAC for
configuration assistance.

Unauthenticated Buffer Overflow Vulnerability in AirWave Client
Service Accessed by the PAPI Protocol (CVE-2023-45616)
--------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying AirWave
client service that could lead to unauthenticated remote code
execution by sending specially crafted packets destined to the PAPI
(Aruba's access point management protocol) UDP port (8211).
Successful exploitation of this vulnerability results in the ability
to execute arbitrary code as a privileged user on the underlying
operating system.

Internal References: ATLWL-382
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by XiaoC from Moonlight
Bug Hunter via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will
prevent the vulnerability from being exploited in InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks. Please contact HPE Services - Aruba Networking TAC for
configuration assistance.

Unauthenticated Arbitrary File Deletion in CLI Service Accessed by
the PAPI Protocol (CVE-2023-45617)
--------------------------------------------------------------
There are arbitrary file deletion vulnerabilities in the CLI service
accessed by PAPI (Aruba's access point management protocol).
Successful exploitation of these vulnerabilities results in the
ability to delete arbitrary files on the underlying operating system,
which could lead to the ability to interrupt normal operation and
impact the integrity of the access point.

Internal References: ATLWL-370, ATLWL-371, ATLWL-372, ATLWL-374,
                     ATLWL-392, ATLWL-393, ATLWL-394, ATLWL-395
Severity: High
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Discovery:
These vulnerabilities were discovered and reported by XiaoC from
Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will
prevent the vulnerabilities from being exploited in InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks.
Please contact HPE Services - Aruba Networking TAC for configuration
assistance.

Unauthenticated Arbitrary File Deletion in AirWave Client Service
Accessed by the PAPI Protocol (CVE-2023-45618)
--------------------------------------------------------------
There are arbitrary file deletion vulnerabilities in the AirWave
client service accessed by PAPI (Aruba's access point management
protocol). Successful exploitation of these vulnerabilities results in
the ability to delete arbitrary files on the underlying operating
system, which could lead to the ability to interrupt normal operation
and impact the integrity of the access point.

Internal References: ATLWL-369, ATLWL-373
Severity: High
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Discovery:
These vulnerabilities were discovered and reported by XiaoC from
Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will
prevent the vulnerabilities from being exploited in InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks. Please contact HPE Services - Aruba Networking TAC for
configuration assistance.

Unauthenticated Arbitrary File Deletion in RSSI Service Accessed by
the PAPI Protocol (CVE-2023-45619)
--------------------------------------------------------------
There is an arbitrary file deletion vulnerability in the RSSI service
accessed by PAPI (Aruba's access point management protocol).
Successful exploitation of this vulnerability results in the ability
to delete arbitrary files on the underlying operating system, which
could lead to the ability to interrupt normal operation and impact the
integrity of the access point.
Internal References: ATLWL-407
Severity: High
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Discovery:
This vulnerability was discovered and reported by Chancen via HPE
Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will
prevent the vulnerability from being exploited in InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks. Please contact HPE Services - Aruba Networking TAC for
configuration assistance.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in CLI Service
Accessed via the PAPI Protocol (CVE-2023-45620, CVE-2023-45621)
---------------------------------------------------------------------
Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the
CLI service accessed via the PAPI protocol. Successful exploitation of
these vulnerabilities results in the ability to interrupt the normal
operation of the affected access point.

Internal References: ATLWL-380, ATLWL-383, ATLWL-385, ATLWL-389,
                     ATLWL-391, ATLWL-398, ATLWL-414
Severity: High
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery:
These vulnerabilities were discovered and reported by XiaoC from
Moonlight Bug Hunter and Chancen via HPE Aruba Networking's bug bounty
program.

Workaround:
Enabling cluster-security via the cluster-security command will
prevent the vulnerabilities from being exploited in InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks. Please contact HPE Services - Aruba Networking TAC for
configuration assistance.
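Every workaround for the PAPI-reachable services above comes down to the same control: on ArubaOS 10 access points, UDP/8211 must not be reachable from untrusted networks (on InstantOS, cluster-security covers it). Before relying on that block, and again after applying it, it is worth checking flow or firewall logs for who is actually reaching 8211 on the APs. The script below is an added example, not HPE Aruba Networking code: only the port number comes from the advisory, while the flow-record format, the addresses and the trusted management ranges are constructed assumptions.

```python
"""Spot hosts reaching the Aruba PAPI port (UDP/8211) on access points from
outside the networks that are supposed to manage them.

Added example, not HPE Aruba Networking code. Only the port number comes
from the advisory; the flow-log format, the addresses and the trusted
ranges below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

PAPI_PORT = 8211  # PAPI listens on UDP/8211 (from the advisory)

# Assumed: the only networks that may legitimately speak PAPI to the APs
# (management VLAN, management-system hosts). Adjust to the real estate.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.100.0/24", "10.0.101.0/24")]

# Assumed: management addresses of the access points being protected.
ACCESS_POINTS = {ipaddress.ip_address(a) for a in ("10.0.200.11", "10.0.200.12")}

# Constructed flow records: timestamp proto src sport dst dport
SAMPLE_FLOWS = """\
2023-11-15T09:12:01Z udp 10.0.100.5   51234 10.0.200.11 8211
2023-11-15T09:12:03Z udp 192.0.2.77   40001 10.0.200.11 8211
2023-11-15T09:12:04Z tcp 192.0.2.77   40002 10.0.200.11 443
2023-11-15T09:12:09Z udp 198.51.100.9 40003 10.0.200.12 8211
2023-11-15T09:12:10Z udp 10.0.101.20  8211  10.0.200.12 8211
2023-11-15T09:12:12Z udp 192.0.2.77   40004 10.0.50.3   8211
2023-11-15T09:12:15Z udp 198.51.100.9 40005 10.0.200.11 8211
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record (constructed format)."""
    ts, proto, src, sport, dst, dport = line.split()
    return Flow(ts, proto.lower(), ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport))


def is_trusted(addr, nets: Iterable[ipaddress.IPv4Network | ipaddress.IPv6Network]) -> bool:
    """True when addr falls inside any of the trusted management networks."""
    return any(addr in net for net in nets)


def is_untrusted_papi(flow: Flow, trusted=TRUSTED_NETS, aps=ACCESS_POINTS) -> bool:
    """True when an untrusted source reaches PAPI on a protected AP.

    Match on destination port only: the advisory's attack surface is any
    packet delivered to UDP/8211, whatever source port it came from.
    """
    return (flow.proto == "udp"
            and flow.dport == PAPI_PORT
            and flow.dst in aps
            and not is_trusted(flow.src, trusted))


def find_exposures(log_text: str, trusted=TRUSTED_NETS, aps=ACCESS_POINTS) -> list[Flow]:
    """Return every flow in log_text that is untrusted PAPI traffic to an AP."""
    flows = (parse_flow(l) for l in log_text.splitlines() if l.strip())
    return [f for f in flows if is_untrusted_papi(f, trusted, aps)]


def offenders(exposures: Iterable[Flow]) -> dict[str, int]:
    """Count flagged flows per source address, for the block list or ticket."""
    return dict(Counter(str(f.src) for f in exposures))


if __name__ == "__main__":
    hits = find_exposures(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}")
    print(offenders(hits))
```

Any source it reports that is not a known management host is either a gap in the allow rule or something probing the attack surface. The trusted list has to contain every host that legitimately speaks PAPI to the APs, because the advisory's workaround is an outright block of UDP/8211 from everything else.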
Unauthenticated Denial-of-Service (DoS) Vulnerabilities in BLE Daemon
Service Accessed via the PAPI Protocol (CVE-2023-45622)
---------------------------------------------------------------------
Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the
BLE daemon service accessed via the PAPI protocol. Successful
exploitation of these vulnerabilities results in the ability to
interrupt the normal operation of the affected access point.

Internal References: ATLWL-387, ATLWL-388
Severity: High
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery:
These vulnerabilities were discovered and reported by XiaoC from
Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will
prevent the vulnerabilities from being exploited in InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks. Please contact HPE Services - Aruba Networking TAC for
configuration assistance.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the Wi-Fi
Uplink Service Accessed via the PAPI Protocol (CVE-2023-45623)
---------------------------------------------------------------------
Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the
Wi-Fi Uplink service accessed via the PAPI protocol. Successful
exploitation of these vulnerabilities results in the ability to
interrupt the normal operation of the affected access point.

Internal References: ATLWL-384, ATLWL-386
Severity: High
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery:
These vulnerabilities were discovered and reported by XiaoC from
Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program.
Workaround:
Enabling cluster-security via the cluster-security command will
prevent the vulnerabilities from being exploited in InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks. Please contact HPE Services - Aruba Networking TAC for
configuration assistance.

Unauthenticated Denial-of-Service (DoS) Vulnerability in the Soft AP
Daemon Service Accessed via the PAPI Protocol (CVE-2023-45624)
---------------------------------------------------------------------
An unauthenticated Denial-of-Service (DoS) vulnerability exists in the
Soft AP daemon accessed via the PAPI protocol. Successful exploitation
of this vulnerability results in the ability to interrupt the normal
operation of the affected access point.

Internal References: ATLWL-381
Severity: High
CVSSv3 Overall Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery:
This vulnerability was discovered and reported by XiaoC from Moonlight
Bug Hunter via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will
prevent the vulnerability from being exploited in InstantOS devices
running 8.x or 6.x code. For ArubaOS 10 devices this is not an option
and instead access to port UDP/8211 must be blocked from all untrusted
networks. Please contact HPE Services - Aruba Networking TAC for
configuration assistance.

Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS
10 Command Line Interface (CVE-2023-45625)
---------------------------------------------------------------------
Multiple authenticated command injection vulnerabilities exist in the
command line interface. Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary commands
as a privileged user on the underlying operating system.
Internal References: ATLWL-402, ATLWL-403, ATLWL-404
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Chancen via HPE
Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting these
vulnerabilities, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above.

Persistent Authenticated Arbitrary Code Execution across Boot Cycles
(CVE-2023-45626)
----------------------------------------------------------------------
An authenticated vulnerability has been identified allowing an
attacker to effectively establish highly privileged persistent
arbitrary code execution across boot cycles.

Internal References: ATLWL-399
Severity: Medium
CVSSv3 Overall Score: 5.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L

Discovery:
This vulnerability was discovered by Nicholas Starke of Aruba Threat
Labs.

Workaround:
This vulnerability cannot be exploited as part of the normal operation
of the device. An attacker must already have full control of the
affected device. To minimize the likelihood of an attacker exploiting
this vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above.

Authenticated Denial-of-Service (DoS) Vulnerability in CLI Service
(CVE-2023-45627)
---------------------------------------------------------------------
An authenticated Denial-of-Service (DoS) vulnerability exists in the
CLI service. Successful exploitation of this vulnerability results in
the ability to interrupt the normal operation of the affected access
point.
Internal References: ATLWL-405
Severity: Medium
CVSSv3 Overall Score: 4.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Discovery:
This vulnerability was discovered and reported by Chancen via HPE
Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above.

Resolution
==========
To address the vulnerabilities described above for the affected
release branches, it is recommended to upgrade the software to the
following versions:
- ArubaOS 10.5.x.x: 10.5.0.1 and above
- ArubaOS 10.4.x.x: 10.4.0.3 and above
- InstantOS 8.11.x.x: 8.11.2.0 and above
- InstantOS 8.10.x.x: 8.10.0.9 and above
- InstantOS 8.6.x.x: 8.6.0.23 and above

HPE Aruba Networking does not evaluate or patch InstantOS and ArubaOS
10 software branches that have reached their End of Maintenance (EoM)
milestone. For more information about Aruba's End of Maintenance
policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
Vulnerability specific workarounds are listed per vulnerability above.
Contact HPE Services - Aruba Networking for any configuration
assistance.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit
code targeting these specific vulnerabilities as of the release date
of the advisory.
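The affected and fixed versions in this advisory are per-branch boundaries, and a build can sit between them: on 8.11, for instance, 8.11.1.2 is named as the last affected build and 8.11.2.0 as the first fixed one, so a build in between is named on neither side. The following is an added example, not HPE Aruba Networking code, that encodes the advisory's two version tables and classifies an inventory against them. The inventory entries are constructed, and only the InstantOS and ArubaOS 10 access-point branches the advisory lists are modelled; software on the products under Unaffected Products is simply reported as not listed.

```python
"""Classify an access point's software version against the affected, fixed
and End of Maintenance lists in ARUBA-PSA-2023-017.

Added example, not HPE Aruba Networking code. The version boundaries are
copied from the advisory's "Affected Software Versions" and "Resolution"
sections; the inventory at the bottom is constructed.
"""
from __future__ import annotations

import re

# (product, major.minor branch) -> (last affected build, first fixed build)
PATCHED_BRANCHES = {
    ("ArubaOS", (10, 5)): ((10, 5, 0, 0), (10, 5, 0, 1)),
    ("ArubaOS", (10, 4)): ((10, 4, 0, 2), (10, 4, 0, 3)),
    ("InstantOS", (8, 11)): ((8, 11, 1, 2), (8, 11, 2, 0)),
    ("InstantOS", (8, 10)): ((8, 10, 0, 8), (8, 10, 0, 9)),
    ("InstantOS", (8, 6)): ((8, 6, 0, 22), (8, 6, 0, 23)),
}

# Branches the advisory marks End of Maintenance: affected, and no fix
# will be issued on them.
EOM_BRANCHES = {
    ("ArubaOS", (10, 3)),
    ("InstantOS", (8, 9)), ("InstantOS", (8, 8)), ("InstantOS", (8, 7)),
    ("InstantOS", (8, 5)), ("InstantOS", (8, 4)),
    ("InstantOS", (6, 5)), ("InstantOS", (6, 4)),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'a.b.c.d' into a tuple that compares numerically (8.10 > 8.9)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(product: str, version: str) -> str:
    """Return 'fixed', 'affected', 'affected-eom' or 'unlisted'.

    'unlisted' is returned for builds the advisory names on neither side
    (a build above the last affected one but below the first fixed one on
    a patched branch) and for any product/branch the advisory does not
    list at all. Treat it as needing a manual check, not as safe.
    """
    v = parse_version(version)
    branch = (product, v[:2])
    if branch in EOM_BRANCHES:
        return "affected-eom"
    if branch not in PATCHED_BRANCHES:
        return "unlisted"
    last_affected, first_fixed = PATCHED_BRANCHES[branch]
    if v >= first_fixed:
        return "fixed"
    if v <= last_affected:
        return "affected"
    return "unlisted"


def needs_action(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Return (ap_name, status) for every AP that is not confirmed fixed."""
    return [(name, s) for name, product, ver in inventory
            if (s := classify(product, ver)) != "fixed"]


# Constructed inventory: (AP name, product, running version)
SAMPLE_INVENTORY = [
    ("ap-hq-01", "ArubaOS", "10.5.0.0"),
    ("ap-hq-02", "ArubaOS", "10.5.0.1"),
    ("ap-br-01", "InstantOS", "8.10.0.8"),
    ("ap-br-02", "InstantOS", "8.11.1.3"),
    ("ap-lab-01", "InstantOS", "8.9.0.0"),
]

if __name__ == "__main__":
    for name, status in needs_action(SAMPLE_INVENTORY):
        print(f"{name}: {status}")
```

The tuple comparison matters: a string compare would rank 8.9.0.0 above 8.10.0.9 and silently call an EoM build fixed. The 'unlisted' result is deliberate; for a build the advisory does not name, the right answer is to check with the vendor, not to assume either way.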
Revision History
================
Revision 1 / 2023-Nov-14 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE
Aruba Networking products and obtaining assistance with security
incidents is available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmUukooXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtnPIAgApFF97/C2tY93XIgjonXOuxVE
QXugDO5hQpazNrD49si6JnEOUKcn7tZ8OFRpVsw6ARb8zc1OIQsi457b2J/A3MSS
k7U/17yCRXbtfCSTKVsPgtIoIu1edGoyTK51AScC1cqdoCKnZBm56nBYyIHNI4pS
EguDT1D/VQQpkId5E3iJXGRZ3b2TiTm9xhxqWhXO4dgHTkGLoS+TVYeJgWPU05Wn
aKSE0p8FOueYe4UVnsdYNx8eVnt9Zq3dxj3+bTNA0IyLGmaVSc10q6ocAipukQps
D0290ZTr4a6Ti6QsHNSrL/MHywGL6h+kknF4zyu5d1cINGa2WswRLMGwqGd7OA==
=v+F8
-----END PGP SIGNATURE-----