HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2024-003
CVE: CVE-2024-26303
Publication Date: 2024-Mar-26
Status: Confirmed
Severity: Medium
Revision: 1

Title
=====
Authenticated Denial of Service Vulnerability in ArubaOS-Switch SSH Daemon

Overview
========
HPE Aruba Networking has released updates for wired switching products
running ArubaOS-Switch that address a vulnerability in the SSH daemon.

Affected Products
=================
HPE Aruba Networking Switch Models:
- Aruba 5400R Series Switches
- Aruba 3810 Series Switches
- Aruba 2920 Series Switches
- Aruba 2930F Series Switches
- Aruba 2930M Series Switches
- Aruba 2530 Series Switches
- Aruba 2540 Series Switches
- Aruba 3800 Series Switches

Software Branch Versions:
- ArubaOS-Switch 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0015 and below.
- ArubaOS-Switch 16.10.xxxx: KB/WC/YA/YB/YC - All versions.
- ArubaOS-Switch 16.10.xxxx: WB.16.10.24 and below.
- ArubaOS-Switch 16.09.xxxx: All versions.
- ArubaOS-Switch 16.08.xxxx: All versions.
- ArubaOS-Switch 16.07.xxxx: All versions.
- ArubaOS-Switch 16.06.xxxx: All versions.
- ArubaOS-Switch 16.05.xxxx: All versions.
- ArubaOS-Switch 16.04.xxxx: KA/RA.16.04.0027 and below.
- ArubaOS-Switch 16.03.xxxx: All versions.
- ArubaOS-Switch 16.02.xxxx: All versions.
- ArubaOS-Switch 16.01.xxxx: All versions.
- ArubaOS-Switch 15.xx.xxxx: All versions.

Unaffected Products
===================
Any other HPE Aruba Networking products not listed above, including AOS-CX
Switches, Aruba Intelligent Edge Switches, and HPE OfficeConnect Switches,
are not affected by this vulnerability.

Details
=======
Authenticated Denial of Service Vulnerability in ArubaOS-Switch SSH Daemon
(CVE-2024-26303)
--------------------------------------------------------------------------
A vulnerability exists in the SSH daemon in AOS-S switches.
The vulnerability requires a specially crafted request sent to the device
to be exploitable. Successful exploitation results in a Denial-of-Service
(DoS) condition.

Internal reference: APVOS-20
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Discovery:
This vulnerability was discovered by Adrian Weiss.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability, HPE
Aruba Networking recommends that the CLI and web-based management interfaces
be restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

Resolution
==========
To address the vulnerability described above for the affected release
branches, it is recommended to upgrade the software to the following
versions:
- ArubaOS-Switch 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0016 and above.
- ArubaOS-Switch 16.10.xxxx: WB.16.10.0025 and above.
- ArubaOS-Switch 16.04.xxxx: KA/RA.16.04.0028 and above.

Note: 16.10.xxxx: KB/WC/YA/YB/YC will not receive fixes for this
vulnerability. Upgrading to KB/WC/YA/YB/YC.16.11.0016 and above will address
it.

The software versions listed in the Resolution section are the supported
branches as of the publication date of this advisory.

Workaround
==========
The vulnerability-specific workaround is listed above. Contact HPE Services -
Aruba Networking for any configuration assistance.

ArubaOS-Switch Hardening Guide
==============================
For general information on hardening ArubaOS-Switch devices against security
threats, please see the ArubaOS-Switch Access Security Guide available at:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code
targeting this specific vulnerability as of the release date of the advisory.
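As an added example, not the advisory's or HPE's own tooling, a small inventory check that encodes the affected builds from the Affected Products section and the fixed builds from the Resolution section, and flags hosts that still need an upgrade; the sample hostnames and version strings are constructed.

```python
import re

# Affected branches transcribed from ARUBA-PSA-2024-003 (CVE-2024-26303).
# Each entry: (software families, highest affected build or None for all, advice).
MAIN = frozenset({"KB", "WC", "YA", "YB", "YC"})
AFFECTED = {
    "16.11": [(MAIN, 15, "upgrade to KB/WC/YA/YB/YC.16.11.0016 or later")],
    "16.10": [(MAIN, None, "no fix on 16.10; upgrade to KB/WC/YA/YB/YC.16.11.0016 or later"),
              (frozenset({"WB"}), 24, "upgrade to WB.16.10.0025 or later")],
    "16.04": [(frozenset({"KA", "RA"}), 27, "upgrade to KA/RA.16.04.0028 or later")],
}
# Branches the advisory lists as affected in every version, for every family.
ALL_AFFECTED = {"16.09", "16.08", "16.07", "16.06", "16.05", "16.03", "16.02", "16.01"}
UPGRADE_ANY = "upgrade to one of the fixed releases in the Resolution section"

# Version strings look like FAMILY.MAJOR.MINOR.BUILD, e.g. KB.16.11.0015.
VERSION_RE = re.compile(r"^([A-Z]{2})\.(\d{2})\.(\d{2})\.(\d+)$")


def assess(version):
    """Return (affected, advice) for a version string such as 'KB.16.11.0015'."""
    m = VERSION_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised ArubaOS-Switch version: {version!r}")
    family, major, minor, build = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
    branch = f"{major}.{minor:02d}"
    if major == 15 or branch in ALL_AFFECTED:
        return True, UPGRADE_ANY
    for families, last_bad, advice in AFFECTED.get(branch, []):
        if family not in families:
            continue
        if last_bad is not None and build > last_bad:
            return False, "at or above the fixed build"
        return True, advice
    return False, "not listed as affected in ARUBA-PSA-2024-003"


def audit(inventory):
    """Run assess() over (hostname, version) pairs; return the hosts needing action."""
    results = ((host, ver, *assess(ver)) for host, ver in inventory)
    return [(host, ver, advice) for host, ver, affected, advice in results if affected]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real devices.
    sample = [("sw-core-1", "KB.16.11.0015"), ("sw-core-2", "KB.16.11.0016"),
              ("sw-edge-7", "WB.16.10.24"), ("sw-edge-8", "YA.16.10.0012"),
              ("sw-lab-3", "KA.16.04.0028"), ("sw-old-1", "WB.15.18.0013")]
    for host, version, advice in audit(sample):
        print(f"{host}: {version} is affected; {advice}")
```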
Revision History
================
Revision 1 / 2024-Mar-26 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.