HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2024-004
CVE: CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, CVE-2024-33512,
     CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516,
     CVE-2024-33517, CVE-2024-33518
Publication Date: 2024-Apr-30
Last Updated: 2024-May-21
Status: Confirmed
Severity: Critical
Revision: 2

Title
=====
ArubaOS Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for ArubaOS that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- ArubaOS 8.11.x.x: 8.11.2.1 and below
- ArubaOS 8.10.x.x: 8.10.0.10 and below

The following ArubaOS and SD-WAN software versions that are End of Maintenance are affected by these vulnerabilities and are not patched by this advisory:
- ArubaOS 10.3.x.x: all
- ArubaOS 8.9.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.6.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all

Please note that, as of the publication of Revision 2 of this advisory, the following ArubaOS versions are also now End of Maintenance and Support:
- ArubaOS 10.5.x.x: all
- ArubaOS 8.11.x.x: all

Customers should plan to upgrade to one of the supported software branches as applicable.
Details
=======

Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol (CVE-2024-26305)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal Reference: ATLWL-446
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability in ArubaOS 8.x. For ArubaOS 10.x this issue does not apply.

Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol (CVE-2024-26304)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal Reference: ATLWL-445
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.
Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability in ArubaOS 8.x. For ArubaOS 10.x this issue does not apply.

Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol (CVE-2024-33511)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying Automatic Reporting service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal Reference: ATLWL-441
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability in ArubaOS 8.x. For ArubaOS 10.x this issue does not apply.

Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol (CVE-2024-33512)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying Local User Authentication Database service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
Internal Reference: ATLWL-444
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability in ArubaOS 8.x. For ArubaOS 10.x this issue does not apply.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the AP Management Service Accessed via the PAPI Protocol (CVE-2024-33513, CVE-2024-33514, CVE-2024-33515)
---------------------------------------------------------------------
Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the AP Management service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected service.

Internal Reference: ATLWL-438, ATLWL-458, ATLWL-460
Severity: Medium
CVSSv3 Overall Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: These vulnerabilities were discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of these vulnerabilities in ArubaOS 8.x. For ArubaOS 10.x gateways the PAPI port is not exposed, and the likelihood of exploitation is minimal. As a precaution, the vulnerabilities have been patched in the 10.x versions indicated in the Resolution section, and customers are advised to apply a fixed version during their patch cycles.

Unauthenticated Denial-of-Service (DoS) Vulnerability in Auth Service Accessed via the PAPI Protocol (CVE-2024-33516)
---------------------------------------------------------------------
An unauthenticated Denial-of-Service (DoS) vulnerability exists in the Auth service accessed via the PAPI protocol provided by ArubaOS.
Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the controller.

Internal Reference: ATLWL-424
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability in ArubaOS 8.x. For ArubaOS 10.x this issue does not apply.

Unauthenticated Denial-of-Service (DoS) Vulnerability in the Radio Frequency Manager Service Accessed via the PAPI Protocol (CVE-2024-33517)
---------------------------------------------------------------------
An unauthenticated Denial-of-Service (DoS) vulnerability exists in the Radio Frequency Manager service accessed via the PAPI protocol. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected service.

Internal Reference: ATLWL-459
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability in ArubaOS 8.x. For ArubaOS 10.x this issue does not apply.

Unauthenticated Buffer Overflow Vulnerability in the Radio Frequency Daemon Accessed via the PAPI Protocol (CVE-2024-33518)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying Radio Frequency daemon accessed via the PAPI protocol provided by ArubaOS. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the controller.
Internal Reference: ATLWL-466
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery: This vulnerability was discovered and reported by XiaoC from Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program.

Workaround: Enabling the Enhanced PAPI Security feature using a non-default key will prevent exploitation of this vulnerability in ArubaOS 8.x. For ArubaOS 10.x, this issue does not apply.

Resolution
==========
Upgrade Mobility Controllers, Mobility Conductors and Gateways to one of the following ArubaOS versions (as applicable) to resolve all the vulnerabilities described in the Details section:
- ArubaOS 10.6.x.x: 10.6.0.0 and above
- ArubaOS 10.5.x.x: 10.5.1.1 and above
- ArubaOS 10.4.x.x: 10.4.1.1 and above
- ArubaOS 8.12.x.x: 8.12.0.0 and above
- ArubaOS 8.11.x.x: 8.11.2.2 and above
- ArubaOS 8.10.x.x: 8.10.0.12 and above

Software versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal:
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch ArubaOS branches that have reached their End of Maintenance (EoM) milestone. For Software Release End of Life information, visit:
https://networkingsupport.hpe.com/notifications;notificationPageSize=100;notificationSortBy=announcementDate;notificationSortDir=desc;notificationCategory=Software%20Release%20End%20of%20Life;

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above. Contact HPE Services - Aruba Networking for any configuration assistance.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory.
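As an added example (not part of the advisory and not HPE's tooling), the following Python check classifies an ArubaOS build against the Affected Software Versions and Resolution tables above so an inventory export can be triaged for this advisory. The branch tables are transcribed from those sections; SD-WAN builds, which use a different version format, are out of scope, and the sample inventory is constructed.

```python
from typing import Optional, Tuple

# Transcribed from ARUBA-PSA-2024-004: branch prefix -> first fixed build.
# Builds below the fixed one on these branches are affected (e.g. 8.10.0.10).
FIRST_FIXED = {
    (10, 6): "10.6.0.0",   # whole branch released with the fix
    (10, 5): "10.5.1.1",
    (10, 4): "10.4.1.1",
    (8, 12): "8.12.0.0",   # whole branch released with the fix
    (8, 11): "8.11.2.2",
    (8, 10): "8.10.0.12",  # 8.10.0.11 was withdrawn (Revision 2)
}
# End-of-Maintenance branches: affected and not patched by this advisory.
EOM_PREFIXES = [(10, 3), (8, 9), (8, 8), (8, 7), (8, 6), (6, 5, 4)]

def parse_version(text: str) -> Tuple[int, ...]:
    """'8.10.0.10' -> (8, 10, 0, 10). Numeric tuples compare correctly;
    string comparison would rank '8.10.0.9' above '8.10.0.10'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, target_build) for one ArubaOS build.
    status: 'fixed', 'vulnerable', 'eom_no_patch' or 'unknown_branch'.
    target_build is the minimum fixed build to install, when one exists."""
    v = parse_version(version)
    if any(v[:len(p)] == p for p in EOM_PREFIXES):
        return "eom_no_patch", None
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return "unknown_branch", None   # branch not listed in the advisory
    if v >= parse_version(fixed):
        return "fixed", None
    return "vulnerable", fixed

def triage(inventory: dict) -> dict:
    """Map device name -> (status, target) for a {name: version} inventory."""
    return {name: assess(ver) for name, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"mc-core-1": "8.10.0.10", "mc-core-2": "8.10.0.12",
              "gw-branch-7": "10.5.1.0", "mm-legacy": "8.9.0.3"}
    for name, (status, target) in triage(sample).items():
        print(name, status, target or "")
```

Devices reported as eom_no_patch have no fixed build on their branch and need a move to a supported branch; unknown_branch means the branch is not named in the advisory at all and should be checked by hand.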
Revision History
================
Revision 1 / 2024-Apr-30 / Initial release
Revision 2 / 2024-May-21 / Replaced 8.10.0.11 with 8.10.0.12 due to problems with the 8.10.0.11 release; updated Resolution information; corrected Severity for CVE-2024-33518; changed end of life information.

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.