-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2024-007
CVE: CVE-2023-48795, CVE-2023-51385
Publication Date: 2024-Jun-11
Status: Confirmed
Severity: Medium
Revision: 1

Title
=====
Multiple OpenSSH Vulnerabilities Impacting AirWave Management Platform

Overview
========
HPE Aruba Networking has released a software update for the AirWave
Management Platform that addresses multiple security vulnerabilities in
OpenSSH.

Affected Products
=================
HPE Aruba Networking AirWave Management Platform
  - 8.3.0.2 and below

Unaffected Products
===================
If other HPE Aruba Networking products are impacted by these CVEs, they
will receive their own advisory.

Details
=======

Authenticated Remote Command Execution in the AirWave Management
Platform SSH Daemon (CVE-2023-51385)
---------------------------------------------------------------------
In ssh in OpenSSH before 9.6, OS command injection might occur if a
username or host name has shell metacharacters, and this name is
referenced by an expansion token in certain situations. For example, an
untrusted Git repository can have a submodule with shell metacharacters
in a username or host name.

The impact of this vulnerability on AirWave Management Platform has not
been confirmed, but the version of OpenSSH has been upgraded. HPE Aruba
Networking is not aware of any malicious exploitation of this
vulnerability.

Internal Reference: ATLAW-199
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Reporter: This vulnerability was originally reported by Vinci
Further details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2023-51385

Terrapin Attack Vulnerability in OpenSSH Impacting AirWave Management
Platform (CVE-2023-48795)
---------------------------------------------------------------------
The SSH transport protocol with certain OpenSSH extensions, found in
OpenSSH before 9.6 and other products, allows remote attackers to bypass
integrity checks such that some packets are omitted (from the extension
negotiation message), and a client and server may consequently end up
with a connection for which some security features have been downgraded
or disabled, aka a Terrapin attack.

The impact of this vulnerability on AirWave Management Platform has not
been confirmed, but the version of OpenSSH has been upgraded. HPE Aruba
Networking is not aware of any malicious exploitation of this
vulnerability.

Internal Reference: ATLAW-200
Severity: Medium
CVSSv3 Overall Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Discovery: This vulnerability was discovered by Fabian Bäumer, Marcus
Brinkmann, and Jörg Schwenk
Further details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Resolution
==========
To resolve the vulnerabilities described above, it is recommended to
upgrade the software to the following version:

HPE Aruba Networking AirWave Management Platform:
  - 8.3.0.3 and above

IMPORTANT: AirWave 8.2.15.2 is the last version based on the CentOS 7
operating system. The End of Life date for CentOS 7 is set to
30-June-2024. HPE Aruba Networking recommends upgrading to AirWave
8.3.0.3, a RHEL-based AirWave version, to receive continued support for
product and security updates. Refer to the AirWave 8.3.0.3 Release Notes
for minimum requirements, upgrade paths and detailed upgrade
instructions.

Software versions with resolution/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal:
https://networkingsupport.hpe.com/home/

Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above.

Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public. HPE Aruba
Networking is not aware of any exploitation tools or techniques that
specifically target HPE Aruba Networking products.

Revision History
================
Revision 1 / 2024-Jun-11 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public key can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
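The Terrapin entry above describes a downgrade of the SSH transport's extension negotiation; an operator verifying that a peer has the OpenSSH 9.6 "strict kex" countermeasure can read it straight out of the peer's SSH_MSG_KEXINIT. The Python below is an added example, not code from this advisory, from HPE Aruba Networking or from OpenSSH: it parses a KEXINIT payload (RFC 4253 section 7.1) and reports whether the peer advertises its strict-kex token and whether it offers the ChaCha20-Poly1305 or CBC-with-ETM modes that Terrapin targets. The build_kexinit helper and the two algorithm-list fixtures are constructed for the example.

```python
import struct

SSH_MSG_KEXINIT = 20
# Strict-kex tokens added in OpenSSH 9.6 as the Terrapin (CVE-2023-48795) countermeasure.
STRICT_KEX = {"server": "kex-strict-s-v00@openssh.com", "client": "kex-strict-c-v00@openssh.com"}
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 s7.1) into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT: raise ValueError("not a KEXINIT")
    off, out = 17, {}  # skip message id (1 byte) and cookie (16 bytes)
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n: raise ValueError("truncated name-list " + name)
        out[name] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return out

def terrapin_exposure(payload: bytes, role: str) -> dict:
    """Does this peer offer Terrapin-exploitable modes without advertising strict kex?
    Only when BOTH peers advertise their token is the connection protected, so
    'vulnerable' means this peer alone cannot guarantee protection."""
    k = parse_kexinit(payload)
    strict = STRICT_KEX[role] in k["kex"]
    ciphers = set(k["enc_c2s"]) | set(k["enc_s2c"])
    macs = set(k["mac_c2s"]) | set(k["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc_etm = any(c.endswith("-cbc") for c in ciphers) and \
              any(m.endswith("-etm@openssh.com") for m in macs)
    return {"strict_kex": strict, "chacha20_poly1305": chacha,
            "cbc_with_etm": cbc_etm, "vulnerable": (chacha or cbc_etm) and not strict}

def build_kexinit(lists: dict) -> bytes:
    """Constructed helper: serialise name-lists into a KEXINIT payload for offline tests."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # an all-zero cookie is fine for a fixture
    for name in FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed fixture in the shape of a pre-9.6 OpenSSH server: ChaCha20 and CBC+ETM on
# offer, no strict-kex token.  NEW_LISTS is the same server after the upgrade.
ENC = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"]
MAC = ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"]
OLD_LISTS = {"kex": ["curve25519-sha256", "ecdh-sha2-nistp256"], "hostkey": ["ssh-ed25519"],
             "enc_c2s": ENC, "enc_s2c": ENC, "mac_c2s": MAC, "mac_s2c": MAC,
             "comp_c2s": ["none"], "comp_s2c": ["none"]}
NEW_LISTS = dict(OLD_LISTS, kex=OLD_LISTS["kex"] + [STRICT_KEX["server"]])
```

Feed the unencrypted KEXINIT payload captured from a real session (the bytes after the packet length and padding length) to terrapin_exposure with the role of the peer that sent it; the fixtures show a server before and after the fix.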