-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2024-002
CVE: CVE-2024-1356, CVE-2024-25611, CVE-2024-25612, CVE-2024-25613,
     CVE-2024-25614, CVE-2024-25615, CVE-2024-25616
Publication Date: 2024-Mar-05
Status: Confirmed
Severity: High
Revision: 1

Title
=====

ArubaOS Multiple Vulnerabilities

Overview
========

HPE Aruba Networking has released patches for ArubaOS that address
multiple security vulnerabilities.

Affected Products
=================

HPE Aruba Networking
  - Mobility Conductor (formerly Mobility Master)
  - Mobility Controllers
  - WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Affected Software Versions:
  - ArubaOS 10.5.x.x: 10.5.0.1 and below
  - ArubaOS 10.4.x.x: 10.4.0.3 and below
  - ArubaOS 8.11.x.x: 8.11.2.0 and below
  - ArubaOS 8.10.x.x: 8.10.0.9 and below

The following ArubaOS and SD-WAN software versions that are End of
Maintenance are affected by these vulnerabilities and are not patched
by this advisory:
  - ArubaOS 10.3.x.x: all
  - ArubaOS 8.9.x.x: all
  - ArubaOS 8.8.x.x: all
  - ArubaOS 8.7.x.x: all
  - ArubaOS 8.6.x.x: all
  - ArubaOS 6.5.4.x: all
  - SD-WAN 8.7.0.0-2.3.0.x: all
  - SD-WAN 8.6.0.4-2.2.x.x: all

Details
=======

Authenticated Remote Command Execution in the ArubaOS Command Line
Interface (CVE-2024-1356, CVE-2024-25611, CVE-2024-25612, CVE-2024-25613)
---------------------------------------------------------------------

Authenticated command injection vulnerabilities exist in the ArubaOS
command line interface. Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary commands
as a privileged user on the underlying operating system.

  Internal Reference: ATLWL-357, ATLWL-358, ATLWL-360, ATLWL-430,
                      ATLWL-431, ATLWL-432
  Severity: High
  CVSSv3 Overall Score: 7.2
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

  Discovery: These vulnerabilities were discovered and reported by
  Erik de Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's
  bug bounty program.

  Workaround: To minimize the likelihood of an attacker exploiting
  these vulnerabilities, HPE Aruba Networking recommends that the CLI
  and web-based management interfaces be restricted to a dedicated
  layer 2 segment/VLAN and/or controlled by firewall policies at
  layer 3 and above.

Authenticated Arbitrary File Deletion in ArubaOS CLI (CVE-2024-25614)
--------------------------------------------------------------

There is an arbitrary file deletion vulnerability in the CLI used by
ArubaOS. Successful exploitation of this vulnerability results in the
ability to delete arbitrary files on the underlying operating system,
which could lead to denial-of-service conditions and impact the
integrity of the controller.

  Internal Reference: ATLWL-359
  Severity: Medium
  CVSSv3 Overall Score: 5.5
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

  Discovery: This vulnerability was discovered and reported by
  Erik de Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's
  bug bounty program.

  Workaround: To minimize the likelihood of an attacker exploiting
  this vulnerability, HPE Aruba Networking recommends that the CLI
  and web-based management interfaces be restricted to a dedicated
  layer 2 segment/VLAN and/or controlled by firewall policies at
  layer 3 and above.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the
Spectrum Service Accessed via the PAPI Protocol (CVE-2024-25615)
---------------------------------------------------------------------

An unauthenticated Denial-of-Service (DoS) vulnerability exists in
the Spectrum service accessed via the PAPI protocol in ArubaOS 8.x.
Successful exploitation of this vulnerability results in the ability
to interrupt the normal operation of the affected service.

  Internal Reference: ATLWL-401
  Severity: Medium
  CVSSv3 Overall Score: 5.3
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

  Discovery: This vulnerability was discovered and reported by XiaoC
  from Moonlight Bug Hunter via HPE Aruba Networking's bug bounty
  program.

  Workaround: Enabling the Enhanced PAPI Security feature using a
  non-default key will prevent exploitation of this vulnerability.
  Please contact HPE Services - Aruba Networking TAC for any
  configuration assistance.

ArubaOS Sensitive Information Disclosure (CVE-2024-25616)
---------------------------------------------------------------------

Aruba has identified certain configurations of ArubaOS that can lead
to partial disclosure of sensitive information in the IKE_AUTH
negotiation process. The scenarios in which disclosure of potentially
sensitive information can occur are complex, and depend on factors
beyond the control of attackers.

  Internal Reference: ATLWL-350
  Severity: Low
  CVSSv3 Overall Score: 3.7
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

  Discovery: This vulnerability was discovered by Aruba Engineering.

  Workaround: None

Resolution
==========

Upgrade Mobility Controllers, Mobility Conductors and Gateways to one
of the following ArubaOS versions (as applicable) to resolve all the
vulnerabilities described in the details section:
  - ArubaOS 10.5.x.x: 10.5.1.0 and above
  - ArubaOS 10.4.x.x: 10.4.1.0 and above
  - ArubaOS 8.11.x.x: 8.11.2.1 and above
  - ArubaOS 8.10.x.x: 8.10.0.10 and above

HPE Aruba Networking does not evaluate or patch ArubaOS branches that
have reached their End of Maintenance (EoM) milestone. For more
information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========

Vulnerability specific workarounds are listed per vulnerability
above. Contact HPE Services - Aruba Networking for any configuration
assistance.

Exploitation and Public Discussion
==================================

HPE Aruba Networking is not aware of any public discussion or exploit
code targeting these specific vulnerabilities as of the release date
of the advisory.

Revision History
================

Revision 1 / 2024-Mar-05 / Initial release

HPE Aruba Networking SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in HPE
Aruba Networking products and obtaining assistance with security
incidents is available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can
be sent to aruba-sirt(at)hpe.com. For sensitive information we
encourage the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date
given at the top of the text, provided that the redistributed copies
are complete and unmodified, including all data and version
information.
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmXFN7IXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtkaGQf/RoHlrsENiLW84q5/23Bq7y83
llUnmNpUVtS0QhrEEqHAZWb9HvSgNI67vwZkvbfts/MRcfMyr4qoAUUSAf3+M74L
eiVjNC66jJXeHbZtPsUUPyrtnqqHxbHPJF99wATIJhVH5QtdBAFpwAnbq8oI6S3u
7NG1UPTC8+CwojiFXV5O53DfjB+Iv0NshSofa15+CBontD/mXOkSeb9NbCCyXo1U
I3xs9JrAJXDQYfTSHKF1I0fhRF2dvwW3CxD5Oy6/coD1gpxgvrWLKmpowIjFyWVA
B8JVgDYpKDgxkINrUj28wEzvA/YXcZOgFmEqTblzSbAALZRlandu2mheznrXaQ==
=ZqcH
-----END PGP SIGNATURE-----
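The Affected Software Versions and Resolution tables in the advisory are easy to get wrong in practice: ArubaOS version strings must be compared numerically per component (as plain strings, "8.10.0.9" sorts after "8.10.0.10"), the End of Maintenance trains have no fixed release at all, and a branch the advisory does not list (one released after it) cannot be reported as safe on the strength of this advisory. The following Python script is an added example written for this page; it is not part of the advisory and not an HPE Aruba tool. The inventory format (one "<hostname> <version>" per line) and all hostnames in the sample are constructed assumptions; the version thresholds are taken from the advisory text above.

```python
"""Triage an ArubaOS device inventory against the version tables in
ARUBA-PSA-2024-002 (Affected Software Versions and Resolution sections).
Editor-added example; not HPE Aruba code."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# First fixed release per maintained branch (Resolution section). A device on
# one of these branches is patched when its version is >= the listed tuple.
FIXED_BY_BRANCH = {
    (10, 5): (10, 5, 1, 0),
    (10, 4): (10, 4, 1, 0),
    (8, 11): (8, 11, 2, 1),
    (8, 10): (8, 10, 0, 10),
}

# Version prefixes the advisory lists as End of Maintenance: every release on
# these trains is affected and no fix is published for them.
EOM_ARUBAOS_PREFIXES = ((10, 3), (8, 9), (8, 8), (8, 7), (8, 6), (6, 5, 4))

# SD-WAN builds use a "<base>-<sdwan>" string; the advisory lists them by prefix.
EOM_SDWAN_PREFIXES = ("8.7.0.0-2.3.0.", "8.6.0.4-2.2.")

_FOUR_PART = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into an int tuple so comparison is numeric, not lexical."""
    m = _FOUR_PART.match(text.strip())
    if not m:
        raise ValueError(f"not a four-part ArubaOS version: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(text: str) -> str:
    """Classify one version string against the advisory.
    Returns 'patched', 'affected-upgrade', 'affected-eom',
    'not-covered' (branch absent from the advisory) or 'unparsed'."""
    s = text.strip()
    if s.startswith(EOM_SDWAN_PREFIXES):
        return "affected-eom"
    try:
        v = parse_version(s)
    except ValueError:
        return "unparsed"
    if any(v[: len(p)] == p for p in EOM_ARUBAOS_PREFIXES):
        return "affected-eom"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # A branch the advisory does not mention (for example one released
        # later): this advisory says nothing about it, so do not call it safe.
        return "not-covered"
    return "patched" if v >= fixed else "affected-upgrade"


def target_version(text: str) -> Optional[str]:
    """Minimum fixed release on the device's branch, or None if no upgrade
    path is given by this advisory (already patched, EoM, or not covered)."""
    if assess(text) != "affected-upgrade":
        return None
    fixed = FIXED_BY_BRANCH[parse_version(text)[:2]]
    return ".".join(str(n) for n in fixed)


def triage(inventory: str) -> dict:
    """inventory: lines of '<hostname> <version>' (assumed format).
    Returns {hostname: (status, target_version_or_None)}."""
    result = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ver = line.partition(" ")
        result[host] = (assess(ver), target_version(ver))
    return result


# Constructed sample inventory: hostnames and the mix of versions are made up.
SAMPLE_INVENTORY = """\
# host          version
mc-dc1-01       8.10.0.9
mc-dc1-02       8.10.0.10
mm-core         8.11.2.0
gw-branch-07    10.4.0.3
gw-branch-08    10.5.1.0
mc-legacy       8.6.0.19
sdwan-site-3    8.7.0.0-2.3.0.8
gw-newer        10.6.0.0
"""

if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<14} {status:<17} {'-> ' + target if target else ''}")
```

Feed it the version column from `show version` output collected across the estate; devices reported as `affected-eom` need a branch migration rather than a point upgrade, and `not-covered` entries should be checked against whichever later advisory applies to that branch rather than being treated as clean.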