-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2024-005
CVE: CVE-2023-51385, CVE-2023-48795
Publication Date: 2024-May-07
Last Updated: 2024-May-28
Status: Confirmed
Severity: Medium
Revision: 2

Title
=====
Multiple OpenSSH Vulnerabilities Impacting AOS-CX Switches

Overview
========
HPE Aruba Networking has released updates for wired switch products running AOS-CX that address security vulnerabilities in OpenSSH.

Affected Products
=================
HPE Aruba Networking Aruba Switch Models:
- Aruba CX 10000 Switch Series
- Aruba CX 9300 Switch Series
- Aruba CX 8400 Switch Series
- Aruba CX 8360 Switch Series
- Aruba CX 8325 Switch Series
- Aruba CX 8320 Switch Series
- Aruba CX 6400 Switch Series
- Aruba CX 6300 Switch Series
- Aruba CX 6200 Switch Series
- Aruba CX 6100 Switch Series
- Aruba CX 6000 Switch Series
- Aruba CX 4100i Switch Series

Software Branch Versions:
- AOS-CX 10.13.xxxx: 10.13.1005 and below.
- AOS-CX 10.12.xxxx: 10.12.1021 and below.
- AOS-CX 10.10.xxxx: 10.10.1100 and below.

HPE Aruba Networking products have been listed as affected based on the identified OpenSSH library version and the affected ciphers being used in the product.

The following AOS-CX software versions that are End of Maintenance are affected by these vulnerabilities and are not patched by this advisory:
- AOS-CX 10.06.xxxx: All branches.

Unaffected Products
===================
- ArubaOS-S Switches

Details
=======

Authenticated Remote Command Execution in the AOS-CX SSH Daemon (CVE-2023-51385)
---------------------------------------------------------------------
In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations.
For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. Note that the flaw is in the OpenSSH client (ssh), which substitutes the user and host names into configured commands such as ProxyCommand and LocalCommand through %-expansion tokens before handing the result to a shell; sshd itself does not perform this expansion. The impact of this vulnerability on AOS-CX switches has not been confirmed, but the version of OpenSSH has been upgraded for mitigation.

Internal Reference: ATLAX-80
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Reporter: This vulnerability was originally reported by Vinci
Further details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2023-51385
Workaround: None.

Terrapin Attack Vulnerability in OpenSSH Impacting AOS-CX Switches (CVE-2023-48795)
---------------------------------------------------------------------
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. The attack requires an active man-in-the-middle position on the connection and only applies when the negotiated cipher is chacha20-poly1305@openssh.com or a CBC-mode cipher combined with an encrypt-then-MAC (*-etm@openssh.com) MAC.

Internal Reference: ATLAX-77
Severity: Medium
CVSSv3 Overall Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Discovery: This vulnerability was discovered by Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk
Further details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2023-48795
https://terrapin-attack.com/
Workaround: Customers who want to mitigate CVE-2023-48795 before upgrading can restrict the switch's SSH server to algorithms the attack does not apply to. Log in to the command line interface of the AOS-CX switch, enter configuration mode with `configure terminal`, and set the cipher and MAC lists with the commands `ssh ciphers aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com` and `ssh macs hmac-sha1 hmac-sha2-256 hmac-sha2-512`. Neither list contains chacha20-poly1305@openssh.com, a CBC cipher, or an *-etm@openssh.com MAC, which are the combinations Terrapin depends on.
Please note that if your client does not support these algorithms you may lose SSH access to your switch; confirm your client's supported algorithms (for an OpenSSH client, `ssh -Q cipher` and `ssh -Q mac`) before applying the change.

Resolution
==========
Upgrade affected switches to one of the following AOS-CX branches and versions to resolve all the vulnerabilities described in the details section:
- AOS-CX 10.13.xxxx: 10.13.1010 and above.
- AOS-CX 10.12.xxxx: 10.12.1030 and above.
- AOS-CX 10.10.xxxx: 10.10.1110 and above.

HPE Aruba Networking does not evaluate or patch product versions that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Supported branches as of the publication date of this advisory are:
- AOS-CX 10.13.xxxx
- AOS-CX 10.12.xxxx
- AOS-CX 10.10.xxxx

Software versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal:
https://networkingsupport.hpe.com/home/

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above. Contact HPE Services - Aruba Networking for any configuration assistance.

Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public. HPE Aruba Networking is not aware of any exploitation tools or techniques that specifically target HPE Aruba Networking products.
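The CVE-2023-51385 details above describe the bug class without showing it. The following is an added illustrative model, not code from this advisory and not OpenSSH's own code: a naive %h/%p/%r expander in the style of ssh_config ProxyCommand/LocalCommand hands the expanded string to a shell, so a host name carrying shell metacharacters (as a hostile Git submodule URL could supply) becomes shell syntax. The hardened variant refuses names outside a conservative character set before expansion, which is the shape of the fix OpenSSH 9.6 adopted; the exact character set here (`_SAFE_HOST`, `_SAFE_USER`) and all function names are assumptions for this example.

```python
"""Model of the CVE-2023-51385 bug class: untrusted user/host names reaching a
%-expanded shell command. Illustrative model only, not OpenSSH code."""
import re
import subprocess

# Expansion tokens in the style of ssh_config ProxyCommand/LocalCommand.
_TOKENS = {"%h": "host", "%p": "port", "%r": "user"}

# Hypothetical safe-name policy for this model: letters, digits, '-', '.', '_'
# (plus '@' for user names) and nothing a POSIX shell would interpret.
_SAFE_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-_]*")
_SAFE_USER = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-_@]*")


def expand(template: str, host: str, port: str = "22", user: str = "git") -> str:
    """Substitute %h/%p/%r literally, as a naive expander does (no quoting)."""
    values = {"host": host, "port": port, "user": user}
    out = template
    for token, key in _TOKENS.items():
        out = out.replace(token, values[key])
    return out


def _run_in_shell(command: str) -> str:
    """Hand a command line to /bin/sh, like a ProxyCommand is, and return stdout."""
    result = subprocess.run(["sh", "-c", command], capture_output=True,
                            text=True, check=False)
    return result.stdout.strip()


def run_expanded_unsafe(template: str, host: str, port: str = "22",
                        user: str = "git") -> str:
    """'Before' behaviour: metacharacters in host/user are executed by the shell."""
    return _run_in_shell(expand(template, host, port, user))


def run_expanded_safe(template: str, host: str, port: str = "22",
                      user: str = "git") -> str:
    """'After' behaviour: reject names outside the safe set before they can be
    expanded into a command line, so the shell never sees attacker syntax."""
    if not _SAFE_HOST.fullmatch(host):
        raise ValueError(f"refusing host name with unsafe characters: {host!r}")
    if not _SAFE_USER.fullmatch(user):
        raise ValueError(f"refusing user name with unsafe characters: {user!r}")
    if not port.isdigit():
        raise ValueError(f"refusing non-numeric port: {port!r}")
    return _run_in_shell(expand(template, host, port, user))


if __name__ == "__main__":
    # Constructed inputs: a benign ProxyCommand-style template and a hostile
    # host name of the kind a malicious submodule URL could carry.
    template = "echo connecting to %h %p"
    hostile_host = "$(echo INJECTED)"
    print("unsafe :", run_expanded_unsafe(template, hostile_host))
    try:
        run_expanded_safe(template, hostile_host)
    except ValueError as err:
        print("safe   :", err)
```

Running it prints the injected marker from the unsafe path and the refusal from the safe path; swap `echo INJECTED` for any command to see why the CVE is rated as command execution.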
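To verify that the CVE-2023-48795 workaround above actually took effect, a practitioner wants to see what the switch's SSH server offers before and after the change rather than trust the running-config. The following added example, written for this page and not part of the advisory or any HPE tool, parses a server's unencrypted SSH_MSG_KEXINIT (RFC 4253) and applies the Terrapin exposure rule: the server offers chacha20-poly1305@openssh.com, or a CBC cipher together with an *-etm@openssh.com MAC, and does not advertise the strict key exchange countermeasure (`kex-strict-s-v00@openssh.com`). The two sample packets are constructed here, not captured from a switch; the hardened one uses exactly the cipher and MAC lists from the workaround. `fetch_server_kexinit` is an optional live probe against a host you name on the command line.

```python
"""Check an SSH server's KEXINIT for Terrapin (CVE-2023-48795) exposure.
Added example for this page; the samples below are constructed, not captured."""
import socket
import struct
from typing import Dict, List

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side strict-kex flag
CHACHA = "chacha20-poly1305@openssh.com"

NAME_LISTS = [  # order fixed by RFC 4253 section 7.1
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
]


def build_kexinit(fields: Dict[str, List[str]]) -> bytes:
    """Wrap a KEXINIT payload in an unencrypted binary packet (RFC 4253 s6).
    Used only to construct sample input for this example."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16          # msg type + cookie
    for name in NAME_LISTS:
        data = ",".join(fields.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(data)) + data          # name-list
    payload += b"\x00" + struct.pack(">I", 0)                    # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8                             # total length must be a multiple of 8
    if pad < 4:                                                  # and padding at least 4 bytes
        pad += 8
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack(">I", len(body)) + body


def parse_kexinit(packet: bytes) -> Dict[str, List[str]]:
    """Decode the ten name-lists of a KEXINIT packet into Python lists."""
    (packet_len,) = struct.unpack(">I", packet[:4])
    pad_len = packet[4]
    payload = packet[5:5 + packet_len - pad_len - 1]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    pos, out = 17, {}                                            # skip msg type + 16-byte cookie
    for name in NAME_LISTS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += 4 + n
    return out


def assess_terrapin(kexinit: Dict[str, List[str]]) -> Dict[str, object]:
    """Exposed if either direction offers chacha20-poly1305, or a CBC cipher and
    an EtM MAC, and the server does not advertise strict key exchange."""
    reasons = []
    for d in ("c2s", "s2c"):
        ciphers, macs = kexinit[f"encryption_{d}"], kexinit[f"mac_{d}"]
        if CHACHA in ciphers:
            reasons.append(f"{d}: offers {CHACHA}")
        cbc = [c for c in ciphers if c.endswith("-cbc")]
        etm = [m for m in macs if m.endswith("-etm@openssh.com")]
        if cbc and etm:
            reasons.append(f"{d}: CBC cipher(s) {cbc} with EtM MAC(s) {etm}")
    strict = STRICT_KEX_SERVER in kexinit["kex_algorithms"]
    return {"vulnerable": bool(reasons) and not strict, "strict_kex": strict, "reasons": reasons}


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Live probe: exchange identification strings and return the server's first
    binary packet, its KEXINIT, which is sent before any key is established."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-terrapin-check\r\n")
        stream = sock.makefile("rb")
        while True:                                              # skip optional banner lines
            line = stream.readline()
            if not line:
                raise ConnectionError("server closed before sending its identification")
            if line.startswith(b"SSH-"):
                break
        header = stream.read(4)
        (packet_len,) = struct.unpack(">I", header)
        return header + stream.read(packet_len)


# Constructed samples (assumed lists, not captured from an AOS-CX switch).
DEFAULT_SAMPLE = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_c2s": [CHACHA, "aes256-gcm@openssh.com", "aes256-ctr", "aes128-cbc"],
    "encryption_s2c": [CHACHA, "aes256-gcm@openssh.com", "aes256-ctr", "aes128-cbc"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "compression_c2s": ["none"], "compression_s2c": ["none"],
})
HARDENED_SAMPLE = build_kexinit({                                 # the advisory's workaround lists
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_c2s": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
    "encryption_s2c": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"],
    "mac_s2c": ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"],
    "compression_c2s": ["none"], "compression_s2c": ["none"],
})

if __name__ == "__main__":
    import sys
    packet = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_SAMPLE
    print(assess_terrapin(parse_kexinit(packet)))
```

Run it with a switch address to probe live, or with no argument to evaluate the constructed pre-workaround sample. A patched AOS-CX release with OpenSSH 9.6 or later is expected to advertise `kex-strict-s-v00@openssh.com`, which clears the finding even with chacha20-poly1305 still enabled; the workaround clears it by removing the affected algorithm combinations instead.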
Revision History
================
Revision 1 / 2024-May-07 / Initial release
Revision 2 / 2024-May-28 / Title Change, Addition of CVE-2023-51385, Addition to Workaround for CVE-2023-48795

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmZOSdUXHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE67Kxwv/cHPml1afj7bBj4bY0ab5vWGn
osqVpyb+o7llPL4+NrGusAn4uGI2dL+ATf3tDZRrdxN2gTAJIUDZrqYs0mY61Y5E
AwhoYSNmIC12sofdwzfkieEV6OpBJ5rpiaASXEbZcJLBOOiabCPQhe3wRhSCPZ/o
J9zGsPtHvudiZG/XaD3GVhrdi++CLnQIly8SMZzbG7zrw1nJmGDhTOdBBDHcBP0R
sitrxGzNblZQWdtAn+//lDoRZEjaVIOCXmr5nyTsovyQOtKcZh7x/bLZn37LIaJX
agfT2qYe0d00DEJNhypmIBWiMZ3YuwOextKoISao28owrbvpgEhzTSduNSPHQ9Ri
d1jbJ7kBsMei7KCwQ0JF2yFwwSw7TQc3lXyDa0lqvOSUyB6TrqYpSAL2DmOPoMjx
yUfntN9AXQd52kDdsECU8rmEJ6sXqavn473tUAHQeJugcKupUTssIM8RGIaMcaeT
v2GhhJmgFmEeJuFe290PEPdPiZ/c06WK4hBooWHe
=cb8q
-----END PGP SIGNATURE-----