HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBNW04672
CVE: CVE-2024-41914, CVE-2024-22443, CVE-2024-22444
Publication Date: 2024-Jul-23
Status: Confirmed
Severity: High
Revision: 1

Title
=====
Multiple Vulnerabilities in HPE Aruba Networking EdgeConnect SD-WAN Orchestrator

Overview
========
HPE Aruba Networking has released patches for EdgeConnect SD-WAN Orchestrator that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- EdgeConnect SD-WAN Orchestrator (self-hosted, on-premises)
- EdgeConnect SD-WAN Orchestrator (self-hosted, public cloud IaaS)
- EdgeConnect SD-WAN Orchestrator-as-a-Service
- EdgeConnect SD-WAN Orchestrator-SP Tenant Orchestrators
- EdgeConnect SD-WAN Orchestrator Global Enterprise Tenant Orchestrators

- EdgeConnect SD-WAN Orchestrator 9.4.x: Orchestrator 9.4.1 (all builds) and below
- EdgeConnect SD-WAN Orchestrator 9.3.x: Orchestrator 9.3.2 (all builds) and below
- EdgeConnect SD-WAN Orchestrator 9.2.x: Orchestrator 9.2.9 (all builds) and below
- EdgeConnect SD-WAN Orchestrator 9.1.x: Orchestrator 9.1.9 (all builds) and below
- Any older branches of Orchestrator not specifically mentioned

Versions of EdgeConnect SD-WAN Orchestrator that are End of Maintenance (EoM) are affected by these vulnerabilities unless otherwise indicated.

Please note that specific vulnerabilities listed below could not be patched in all supported software versions. See the Resolution section at the end of this document for further detail.

Unaffected Products
===================
Any other HPE Aruba Networking products not specifically listed above are not affected by these vulnerabilities.
Details
=======

Stored Cross-Site Scripting (XSS) Vulnerability in EdgeConnect SD-WAN Orchestrator Web Administration Interface (CVE-2024-41914)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Internal References: ATLSP-99
Severity: High
CVSSv3 Overall Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Discovery:
This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Resolution:
Please note that due to the structure of this specific vulnerability, HPE Aruba Networking has patched it only in the following branches and versions of Orchestrator:
- Orchestrator 9.3.x: Orchestrator 9.3.1 (all builds) and above
- Orchestrator 9.4.x: Orchestrator 9.4.0 (all builds) and above
- Orchestrator 9.5.x: Orchestrator 9.5.0 (all builds) and above

Older branches and branches not specifically named are not patched. Customers running an Orchestrator release before 9.3.x should refer to these instructions:
https://www.arubanetworks.com/techdocs/sdwan-PDFs/docs/advisories/ec_adv_sec_settings_latest.pdf

Authenticated Server-Side Prototype Pollution Leading to Information Disclosure (CVE-2024-22443)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system, leading to complete system compromise.

Internal References: ATLSP-88
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Resolution:
Please note that due to the structure of this specific vulnerability, HPE Aruba Networking has patched it only in the following branches and versions of Orchestrator:
- Orchestrator 9.1.x: Orchestrator 9.1.10 (all builds) and above
- Orchestrator 9.2.x: Orchestrator 9.2.10 (all builds) and above
- Orchestrator 9.3.x: Orchestrator 9.3.3 (all builds) and above
- Orchestrator 9.4.x: Orchestrator 9.4.2 (all builds) and above
- Orchestrator 9.5.x: Orchestrator 9.5.0 (all builds) and above

Older branches and branches not specifically named are not patched. Customers running an Orchestrator release before 9.3.x should refer to these instructions:
https://www.arubanetworks.com/techdocs/sdwan-PDFs/docs/advisories/ec_adv_sec_settings_latest.pdf

Reflected Cross-Site Scripting in EdgeConnect SD-WAN Orchestrator Web Management Interface (CVE-2024-22444)
---------------------------------------------------------------------
A vulnerability within the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Internal References: ATLSP-97
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Discovery:
This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.
Resolution:
Please note that due to the structure of this specific vulnerability, HPE Aruba Networking has patched it only in the following branches and versions of Orchestrator:
- Orchestrator 9.3.x: Orchestrator 9.3.1 (all builds) and above
- Orchestrator 9.4.x: Orchestrator 9.4.0 (all builds) and above
- Orchestrator 9.5.x: Orchestrator 9.5.0 (all builds) and above

Older branches and branches not specifically named are not patched. Customers running an Orchestrator release before 9.3.x should refer to these instructions:
https://www.arubanetworks.com/techdocs/sdwan-PDFs/docs/advisories/ec_adv_sec_settings_latest.pdf

Resolution
==========
PLEASE NOTE - To fully patch the vulnerabilities disclosed above, including lower severity authenticated vulnerabilities that require existing administrative access, customers must upgrade their EdgeConnect SD-WAN Orchestrator to one of the following versions in the respective software branch, as applicable:
- Orchestrator 9.5.x: Orchestrator 9.5.0 (all builds) and above
- Orchestrator 9.4.x: Orchestrator 9.4.2 (all builds) and above
- Orchestrator 9.3.x: Orchestrator 9.3.3 (all builds) and above

Customers running an Orchestrator release before 9.3.x should refer to these instructions:
https://www.arubanetworks.com/techdocs/sdwan-PDFs/docs/advisories/ec_adv_sec_settings_latest.pdf

HPE Aruba Networking does not evaluate or patch software branches that have reached their End of Maintenance (EoM) milestone. Supported EdgeConnect SD-WAN Orchestrator software branches as of the publication date of this advisory are:
- EdgeConnect SD-WAN Orchestrator 9.5.x
- EdgeConnect SD-WAN Orchestrator 9.4.x
- EdgeConnect SD-WAN Orchestrator 9.3.x
- EdgeConnect SD-WAN Orchestrator 9.2.x

Software versions with resolutions/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal:
https://networkingsupport.hpe.com/home/

For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. As a best practice, it is recommended to configure IP allow-listing for Orchestrator local users and API keys.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code that targets these specific vulnerabilities as of the release date of the advisory.

Revision History
================
Revision 1 / 2024-Jul-23 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.

This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.