HPE Aruba Networking Product Security Advisory
==============================================
Advisory ID: HPESBNW04669
CVE: CVE-2024-6387
Publication Date: 2024-Jul-10
Last Updated: 2024-Jul-31
Status: Confirmed
Severity: High
Revision: 2

Title
=====
Unauthenticated Remote Code Execution vulnerability in OpenSSH's Server (RegreSSHion)

Overview
========
A security regression of CVE-2006-5051 was discovered in OpenSSH's server (sshd). A race condition can lead sshd to handle some signals in an unsafe manner. An unauthenticated remote attacker may be able to trigger this vulnerable condition by failing to authenticate within a set time.

Affected Products
=================
HPE Aruba Networking
  - EdgeConnect SD-WAN Orchestrator
    - All supported versions running on Rocky Linux 9. See resolution section for remediation
  - ArubaOS-CX Switches
    - 10.14.0006 and below
    - 10.13.1030 and below
    - 10.12.1050 and below
    - 10.11.1070 and below
    - 10.10.1130 and below
    - Software Releases prior to ArubaOS-CX version 10.10.xxxx are not affected but are currently End of Support
  - Aruba Fabric Composer
    - 7.0.2 and below
  - HPE Networking Instant On
    - All switches and APs currently running firmware versions 2.9.1 or below in cloud mode when the “support token” is activated.

Product versions that are end of life are affected by this vulnerability unless otherwise indicated.

Unaffected Products
===================
HPE Aruba Networking
  - Aruba Central
  - ArubaOS-S Switches
  - EdgeConnect SD-WAN Gateway
  - WLAN Gateways and SD-WAN Gateways running ArubaOS 10
  - Mobility Controllers running ArubaOS 8
  - Access Points running InstantOS 8 and ArubaOS 10
  - AirWave Management Platform
  - ClearPass Policy Manager
  - Virtual Intranet Access (VIA) Client
  - NetEdit
  - HPE Networking Instant On Switches running in local mode
  - User Experience Insight (UXI)

Other HPE Aruba Networking products not listed above are also not known to be affected by this vulnerability.

Details
=======
Race Condition in OpenSSH-server Leading to Unauthenticated Remote Code Execution (CVE-2024-6387)
---------------------------------------------------------------------
A security regression of CVE-2006-5051 was discovered in OpenSSH's server (sshd). A race condition can lead sshd to handle some signals in an unsafe manner. An unauthenticated remote attacker may be able to trigger this vulnerable condition by failing to authenticate within a set time.

Internal References: ASIRT-1745, ATLSP-117, ATLAX-82, ATLAM-11, ATLAM-12
Severity: High
CVSSv3.x Overall Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by the Qualys Threat Research Unit (TRU).

Resolution
==========
HPE Aruba Networking
  - EdgeConnect SD-WAN Orchestrator
    - Detailed information on the resolution of CVE-2024-6387 can be found at
      https://www.arubanetworks.com/techdocs/sdwan-PDFs/docs/advisories/orch_resolution_to_cve-2024-6387_latest.pdf
  - ArubaOS-CX Switches
    - 10.14.0007 and above
    - 10.13.1031 and above
    - 10.10.1131 and above
  - Aruba Fabric Composer
    - 7.0.3 and above
  - HPE Networking Instant On
    - Firmware version 3.0.0 and higher
    - No direct customer action is necessary other than to ensure affected devices (APs and Switches in cloud mode) remain connected to the internet to receive automatic updates.
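
Added example (not part of the HPE advisory and not HPE code): a triage script that checks ArubaOS-CX version strings against the affected and fixed builds listed in this advisory, including the branches for which no fixed build is listed. The optional platform prefix such as "FL." and the sample inventory are assumptions constructed for illustration.

```python
import re

# Build thresholds copied from the advisory's ArubaOS-CX lists:
# branch -> (last affected build, first fixed build, or None if none is listed)
AOS_CX = {
    (10, 14): (6, 7),
    (10, 13): (1030, 1031),
    (10, 12): (1050, None),
    (10, 11): (1070, None),
    (10, 10): (1130, 1131),
}

def parse_version(text):
    """Extract (major, minor, build) from e.g. '10.14.0006' or 'FL.10.13.1030'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(version):
    """Return (status, note) for one ArubaOS-CX version string."""
    major, minor, build = parse_version(version)
    branch = (major, minor)
    if branch < (10, 10):
        return "NOT_AFFECTED", "pre-10.10 release: not affected, but End of Support"
    if branch not in AOS_CX:
        return "UNKNOWN", "branch not covered by the advisory"
    last_affected, first_fixed = AOS_CX[branch]
    if build > last_affected:
        if first_fixed is None:
            return "UNKNOWN", "above the affected range, but no fixed build is listed"
        return "FIXED", f"at or above {major}.{minor}.{first_fixed:04d}"
    if first_fixed is None:
        return "AFFECTED", "no fixed build is listed for this branch in the advisory"
    return "AFFECTED", f"upgrade to {major}.{minor}.{first_fixed:04d} or above"

def triage(inventory):
    """Classify every host and return only those that need follow-up."""
    results = {host: classify(ver) for host, ver in inventory.items()}
    return {h: r for h, r in results.items() if r[0] in ("AFFECTED", "UNKNOWN")}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"core-sw1": "FL.10.13.1030", "core-sw2": "FL.10.13.1031",
          "dist-sw1": "10.12.1050", "edge-sw1": "10.14.0007",
          "lab-sw1": "10.09.1000"}

if __name__ == "__main__":
    for host, (status, note) in triage(SAMPLE).items():
        print(f"{host}: {status} ({note})")
```
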

Software versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal.
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch product branches that have reached their End of Maintenance (EoM) milestone. For more information about the End of Support policy for HPE Aruba Networking products, visit:
https://networkingsupport.hpe.com/end-of-life

Workaround
==========
To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that access to the SSH port on impacted devices be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

For HPE Networking Instant On products, this vulnerability has no impact unless the “support token” is activated in cloud mode. Customers should disable use of the “support token” until firmware is updated to version 3.0.0 or higher.

Exploitation and Public Discussion
==================================
This CVE is being widely discussed in public. Public exploits are available for 32-bit Linux systems based on glibc. 64-bit exploits are being developed. Please note that this is a high complexity attack that requires uninterrupted access to a vulnerable OpenSSH server to exploit. Conditions for exploiting this vulnerability are highly dependent upon the environment that vulnerable products are deployed into.

A blog describing this vulnerability is available at
https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

More in-depth technical detail and discussion is available at
https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

Revision History
================
Revision 1 / 2024-Jul-10 / Initial release
Revision 2 / 2024-Jul-31 / Moved UXI from under investigation to Unaffected Products.
    Added link to detailed resolution information for EdgeConnect SD-WAN Orchestrator.

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.