HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2024-006
CVE: CVE-2024-31466, CVE-2024-31467, CVE-2024-31468, CVE-2024-31469,
     CVE-2024-31470, CVE-2024-31471, CVE-2024-31472, CVE-2024-31473,
     CVE-2024-31474, CVE-2024-31475, CVE-2024-31476, CVE-2024-31477,
     CVE-2024-31478, CVE-2024-31479, CVE-2024-31480, CVE-2024-31481,
     CVE-2024-31482, CVE-2024-31483
Publication Date: 2024-May-14
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
Aruba Access Points Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for Aruba Access Points running
InstantOS and ArubaOS 10 that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Aruba Access Points running InstantOS and ArubaOS 10

Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- InstantOS 8.11.x.x: 8.11.2.1 and below
- InstantOS 8.10.x.x: 8.10.0.10 and below
- InstantOS 8.6.x.x: 8.6.0.23 and below

The following software versions that are End of Maintenance are affected by
these vulnerabilities and are not addressed by this advisory:
- ArubaOS 10.3.x.x: all
- InstantOS 8.9.x.x: all
- InstantOS 8.8.x.x: all
- InstantOS 8.7.x.x: all
- InstantOS 8.5.x.x: all
- InstantOS 8.4.x.x: all
- InstantOS 6.5.x.x: all
- InstantOS 6.4.x.x: all

Please note that as of the publication of this advisory the following
versions are also now End of Maintenance and customers should consider
migration to a supported branch:
- ArubaOS 10.5.x.x
- InstantOS 8.11.x.x

Unaffected Products
===================
Aruba Mobility Conductor, Aruba Mobility Controllers, Access-Points when
managed by Mobility Controllers and Aruba SD-WAN Gateways are not affected by
these vulnerabilities. Aruba Instant On is also not affected by these
vulnerabilities.
Details
=======

Unauthenticated Buffer Overflow Vulnerabilities in CLI Service Accessed by
the PAPI Protocol (CVE-2024-31466, CVE-2024-31467)
--------------------------------------------------------------
There are buffer overflow vulnerabilities in the underlying CLI service that
could lead to unauthenticated remote code execution by sending specially
crafted packets destined to the PAPI (Aruba's Access Point management
protocol) UDP port (8211). Successful exploitation of these vulnerabilities
results in the ability to execute arbitrary code as a privileged user on the
underlying operating system.

Internal References: ATLWL-406, ATLWL-408, ATLWL-409, ATLWL-415, ATLWL-416,
                     ATLWL-427, ATLWL-451
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Chancen and Erik De
Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent the
vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Unauthenticated Buffer Overflow Vulnerabilities in Central Communications
Service Accessed by the PAPI Protocol (CVE-2024-31468, CVE-2024-31469)
--------------------------------------------------------------
There are buffer overflow vulnerabilities in the underlying Central
Communications service that could lead to unauthenticated remote code
execution by sending specially crafted packets destined to the PAPI (Aruba's
Access Point management protocol) UDP port (8211). Successful exploitation of
these vulnerabilities results in the ability to execute arbitrary code as a
privileged user on the underlying operating system.
Internal References: ATLWL-422, ATLWL-452
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Chancen and Erik De
Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent these
vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Unauthenticated Buffer Overflow Vulnerability in the Simultaneous
Authentication of Equals (SAE) Service Accessed by the PAPI Protocol
(CVE-2024-31470)
--------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying SAE (Simultaneous
Authentication of Equals) service that could lead to unauthenticated remote
code execution by sending specially crafted packets destined to the PAPI
(Aruba's Access Point management protocol) UDP port (8211). Successful
exploitation of this vulnerability results in the ability to execute
arbitrary code as a privileged user on the underlying operating system.

Internal References: ATLWL-425
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Chancen via HPE Aruba
Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent the
vulnerability from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.
Unauthenticated Command Injection Vulnerability in Central Communications
Service Accessed by the PAPI Protocol (CVE-2024-31471)
--------------------------------------------------------------
There is a command injection vulnerability in the underlying Central
Communications service that could lead to unauthenticated remote code
execution by sending specially crafted packets destined to the PAPI (Aruba's
Access Point management protocol) UDP port (8211). Successful exploitation of
this vulnerability results in the ability to execute arbitrary code as a
privileged user on the underlying operating system.

Internal References: ATLWL-447
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Erik De Jong
(bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent the
vulnerability from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Unauthenticated Command Injection Vulnerabilities in the Soft AP Daemon
Service Accessed by the PAPI Protocol (CVE-2024-31472)
--------------------------------------------------------------
There are command injection vulnerabilities in the underlying Soft AP Daemon
service that could lead to unauthenticated remote code execution by sending
specially crafted packets destined to the PAPI (Aruba's Access Point
management protocol) UDP port (8211). Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary code as a
privileged user on the underlying operating system.
Internal References: ATLWL-448, ATLWL-449
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Erik De Jong
(bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent these
vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Unauthenticated Command Injection Vulnerability in the Deauthentication
Service Accessed by the PAPI Protocol (CVE-2024-31473)
--------------------------------------------------------------
There is a command injection vulnerability in the underlying deauthentication
service that could lead to unauthenticated remote code execution by sending
specially crafted packets destined to the PAPI (Aruba's Access Point
management protocol) UDP port (8211). Successful exploitation of this
vulnerability results in the ability to execute arbitrary code as a
privileged user on the underlying operating system.

Internal References: ATLWL-450
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Erik De Jong
(bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent the
vulnerability from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.
Unauthenticated Arbitrary File Deletion in CLI Service Accessed by the PAPI
Protocol (CVE-2024-31474)
--------------------------------------------------------------
There is an arbitrary file deletion vulnerability in the CLI service accessed
by PAPI (Aruba's Access Point management protocol). Successful exploitation
of this vulnerability results in the ability to delete arbitrary files on the
underlying operating system, which could lead to the ability to interrupt
normal operation and impact the integrity of the affected Access Point.

Internal References: ATLWL-429
Severity: High
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Discovery:
This vulnerability was discovered and reported by Chancen via HPE Aruba
Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent this
vulnerability from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Unauthenticated Arbitrary File Deletion in Central Communications Service
Accessed by the PAPI Protocol (CVE-2024-31475)
--------------------------------------------------------------
There is an arbitrary file deletion vulnerability in the Central
Communications service accessed by PAPI (Aruba's Access Point management
protocol). Successful exploitation of this vulnerability results in the
ability to delete arbitrary files on the underlying operating system, which
could lead to the ability to interrupt normal operation and impact the
integrity of the affected Access Point.

Internal References: ATLWL-433
Severity: High
CVSSv3 Overall Score: 8.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Discovery:
This vulnerability was discovered and reported by Chancen via HPE Aruba
Networking's bug bounty program.
Workaround:
Enabling cluster-security via the cluster-security command will prevent the
vulnerability from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS 10
Command Line Interface (CVE-2024-31476, CVE-2024-31477)
---------------------------------------------------------------------
Multiple authenticated command injection vulnerabilities exist in the command
line interface. Successful exploitation of these vulnerabilities results in
the ability to execute arbitrary commands as a privileged user on the
underlying operating system.

Internal References: ATLWL-410, ATLWL-411, ATLWL-412, ATLWL-413, ATLWL-417,
                     ATLWL-421, ATLWL-426, ATLWL-453
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Chancen and Erik De
Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting these vulnerabilities,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the Soft AP Daemon
Service Accessed via the PAPI Protocol (CVE-2024-31478)
---------------------------------------------------------------------
Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the
Soft AP daemon accessed via the PAPI protocol. Successful exploitation of
these vulnerabilities results in the ability to interrupt the normal
operation of the affected Access Point.
Internal References: ATLWL-418, ATLWL-462
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery:
These vulnerabilities were discovered and reported by Chancen via Aruba's bug
bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent these
vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in Central
Communications Service Accessed via the PAPI Protocol (CVE-2024-31479)
---------------------------------------------------------------------
Unauthenticated Denial of Service (DoS) vulnerabilities exist in the Central
Communications service accessed via the PAPI protocol. Successful
exploitation of these vulnerabilities results in the ability to interrupt
the normal operation of the affected service.

Internal References: ATLWL-419, ATLWL-434
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery:
These vulnerabilities were discovered and reported by Chancen via Aruba's bug
bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent the
vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.
Unauthenticated Denial-of-Service (DoS) Vulnerabilities in CLI Service
Accessed via the PAPI Protocol (CVE-2024-31480, CVE-2024-31481)
---------------------------------------------------------------------
Unauthenticated Denial of Service (DoS) vulnerabilities exist in the CLI
service accessed via the PAPI protocol. Successful exploitation of these
vulnerabilities results in the ability to interrupt the normal operation of
the affected service.

Internal References: ATLWL-420, ATLWL-435, ATLWL-454, ATLWL-463
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery:
These vulnerabilities were discovered and reported by Chancen via Aruba's bug
bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent the
vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Unauthenticated Denial-of-Service (DoS) Vulnerability in the ANSI Escape Code
Service Accessed via the PAPI Protocol (CVE-2024-31482)
---------------------------------------------------------------------
An unauthenticated Denial-of-Service (DoS) vulnerability exists in the ANSI
escape code service accessed via the PAPI protocol. Successful exploitation
of this vulnerability results in the ability to interrupt the normal
operation of the affected Access Point.

Internal References: ATLWL-443
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery:
This vulnerability was discovered and reported by Chancen via HPE Aruba
Networking's bug bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent the
vulnerability from being exploited in InstantOS devices running 8.x or 6.x
code.
For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Authenticated Sensitive Information Disclosure in CLI Service Accessed via
the PAPI Protocol (CVE-2024-31483)
---------------------------------------------------------------------
An authenticated sensitive information disclosure vulnerability exists in the
CLI service accessed via the PAPI protocol. Successful exploitation of this
vulnerability results in the ability to read arbitrary files in the
underlying operating system.

Internal References: ATLWL-428
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery:
This vulnerability was discovered and reported by Chancen via Aruba's bug
bounty program.

Workaround:
Enabling cluster-security via the cluster-security command will prevent the
vulnerability from being exploited in InstantOS devices running 8.x or 6.x
code. For ArubaOS 10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks. Please contact HPE
Services - Aruba Networking TAC for configuration assistance.

Resolution
==========
To address the vulnerabilities described above for the affected release
branches, it is recommended to upgrade the software to the following
versions:
- ArubaOS 10.6.x.x: 10.6.0.0 and above
- ArubaOS 10.5.x.x: 10.5.1.1 and above
- ArubaOS 10.4.x.x: 10.4.1.1 and above
- InstantOS 8.12.x.x: 8.12.0.0 and above
- InstantOS 8.11.x.x: 8.11.2.2 and above
- InstantOS 8.10.x.x: 8.10.0.11 and above
- InstantOS 8.6.x.x: 8.6.0.24 and above

HPE Aruba Networking does not evaluate or patch InstantOS and ArubaOS 10
software branches that have reached their End of Maintenance (EoM) milestone.
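The Affected Products and Resolution sections together define, per release branch, which builds are vulnerable, which build fixes them, and which End of Maintenance branches receive no fix at all. The script below is an added example (not HPE Aruba Networking tooling) that encodes those two lists and triages an access-point inventory against them; the inventory entries and their hostnames are constructed sample data, and the function and variable names are this example's own.

```python
"""Affected-version triage for ARUBA-PSA-2024-006; added example, not HPE
Aruba Networking tooling. Versions are compared numerically per component,
so '8.10.0.11' correctly sorts after '8.10.0.9' (a string compare would not)."""

# (product, branch) -> first fixed build, from the Resolution section.
# End of Maintenance branches get no fix in this advisory and map to None.
FIXED = {
    ("ArubaOS", "10.6"): "10.6.0.0",
    ("ArubaOS", "10.5"): "10.5.1.1",
    ("ArubaOS", "10.4"): "10.4.1.1",
    ("ArubaOS", "10.3"): None,
    ("InstantOS", "8.12"): "8.12.0.0",
    ("InstantOS", "8.11"): "8.11.2.2",
    ("InstantOS", "8.10"): "8.10.0.11",
    ("InstantOS", "8.9"): None,
    ("InstantOS", "8.8"): None,
    ("InstantOS", "8.7"): None,
    ("InstantOS", "8.6"): "8.6.0.24",
    ("InstantOS", "8.5"): None,
    ("InstantOS", "8.4"): None,
    ("InstantOS", "6.5"): None,
    ("InstantOS", "6.4"): None,
}


def parse_version(v: str) -> tuple:
    """'10.5.1.0' -> (10, 5, 1, 0); rejects anything that is not four numbers."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted components, got {v!r}")
    return parts


def assess(product: str, version: str) -> dict:
    """Classify one AP. status is 'patched', 'vulnerable', 'vulnerable-eom'
    (no fix on this branch; migrate) or 'unknown-branch' (not in the advisory)."""
    major, minor, _, _ = parse_version(version)
    branch = f"{major}.{minor}"
    key = (product, branch)
    if key not in FIXED:
        return {"status": "unknown-branch", "branch": branch, "fixed_in": None}
    fixed = FIXED[key]
    if fixed is None:
        return {"status": "vulnerable-eom", "branch": branch, "fixed_in": None}
    if parse_version(version) >= parse_version(fixed):
        return {"status": "patched", "branch": branch, "fixed_in": fixed}
    return {"status": "vulnerable", "branch": branch, "fixed_in": fixed}


# Constructed sample inventory (hostname, product, running version).
SAMPLE_INVENTORY = [
    ("ap-lobby", "InstantOS", "8.10.0.10"),   # one build below the fix
    ("ap-lab", "InstantOS", "8.11.2.2"),      # exactly the fixed build
    ("ap-warehouse", "InstantOS", "8.9.0.3"), # EoM branch, constructed build
    ("ap-hq-1", "ArubaOS", "10.5.1.0"),       # last affected 10.5 build
    ("ap-hq-2", "ArubaOS", "10.6.0.0"),       # fixed branch
]


def triage(inventory) -> list:
    """Return (hostname, status) for every AP still needing action, worst first."""
    order = {"vulnerable-eom": 0, "vulnerable": 1, "unknown-branch": 2}
    hits = [(name, assess(prod, ver)["status"]) for name, prod, ver in inventory]
    return sorted((h for h in hits if h[1] != "patched"), key=lambda h: order[h[1]])


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```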
For more information about Aruba's End of Maintenance policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
Vulnerability specific workarounds are listed per vulnerability above.
Contact HPE Services - Aruba Networking for any configuration assistance.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code
targeting these specific vulnerabilities as of the release date of the
advisory.

Revision History
================
Revision 1 / 2024-May-14 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP. This
advisory may be redistributed freely after the release date given at the top
of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.