-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBNW04673
CVE: CVE-2023-48795, CVE-2023-51385, CVE-2024-33519, CVE-2024-41133,
     CVE-2024-41134, CVE-2024-41135, CVE-2024-41136
Publication Date: 2024-July-23
Status: Confirmed
Severity: High
Revision: 1

Title
=====
Multiple Vulnerabilities in HPE Aruba Networking EdgeConnect SD-WAN

Overview
========
HPE Aruba Networking has released patches for HPE Aruba Networking
EdgeConnect SD-WAN Gateways that address multiple security
vulnerabilities.

Affected Products
=================
- HPE Aruba Networking EdgeConnect SD-WAN Gateways running (unless
  otherwise noted)
  - ECOS 9.3.x.x: 9.3.3.0 and below
  - ECOS 9.2.x.x: 9.2.9.0 and below
  - ECOS 9.1.x.x: 9.1.11.0 and below
  - ECOS 9.0.x.x: all builds are affected and are out of maintenance.
  - ECOS 8.x.x.x: all builds are affected and are out of maintenance.

Versions of HPE Aruba Networking EdgeConnect SD-WAN that are end of
maintenance are affected by these vulnerabilities unless otherwise
indicated.

Unaffected Products
===================
Any other HPE Aruba Networking products not specifically listed above
are not affected by these vulnerabilities.

Details
=======

Authenticated Server-Side Prototype Pollution Leading to Information
Disclosure (CVE-2024-33519)
---------------------------------------------------------------------
A vulnerability in the web-based management interface of HPE Aruba
Networking EdgeConnect SD-WAN gateway could allow an authenticated
remote attacker to conduct a server-side prototype pollution attack.
Successful exploitation of this vulnerability could allow an attacker
to execute arbitrary commands on the underlying operating system,
leading to complete system compromise.
Internal References: ATLSP-111
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Daniel Jensen
(@dozernz) via HPE Aruba Networking's bug bounty program.

Resolution:
HPE Aruba Networking has patched this particular vulnerability in the
following branches and versions of ECOS:
- ECOS 9.4.x: ECOS 9.4.1.0 (all builds) and above
- ECOS 9.3.x: ECOS 9.3.1.0 (all builds) and above
- ECOS 9.2.x: ECOS 9.2.10.0 (all builds) and above
- ECOS 9.1.x: ECOS 9.1.12.0 (all builds) and above

Workaround:
Refer to the general Workaround section, found towards the bottom of
the advisory.

Authenticated Remote Code Execution in HPE Aruba Networking EdgeConnect
SD-WAN Command Line Interface (CVE-2024-41133, CVE-2024-41134,
CVE-2024-41135)
---------------------------------------------------------------------
A vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN
gateway's Command Line Interface that allows remote authenticated
users to run arbitrary commands on the underlying host. Successful
exploitation of this vulnerability will result in the ability to
execute arbitrary commands as root on the underlying operating system,
leading to complete system compromise.

Internal References: ATLSP-104, ATLSP-105, ATLSP-106
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by Daniel Jensen
(@dozernz) via HPE Aruba Networking's bug bounty program.
Resolution:
CVE-2024-41133 and CVE-2024-41135 have been patched in the following
versions of ECOS:
- ECOS 9.4.x: ECOS 9.4.2.0 (all builds) and above
- ECOS 9.3.x: ECOS 9.3.4.0 (all builds) and above
- ECOS 9.2.x: ECOS 9.2.10.0 (all builds) and above
- ECOS 9.1.x: ECOS 9.1.12.0 (all builds) and above

CVE-2024-41134 does not affect ECOS 9.1.x, but is patched in the
following versions of ECOS:
- ECOS 9.4.x: ECOS 9.4.2.0 (all builds) and above
- ECOS 9.3.x: ECOS 9.3.4.0 (all builds) and above
- ECOS 9.2.x: ECOS 9.2.10.0 (all builds) and above

Workaround:
Ensure that access to the ECOS management interface is restricted to a
dedicated layer 2 segment/VLAN and/or controlled by firewall policies
at layer 3 and above.

Authenticated Command Injection in HPE Aruba Networking EdgeConnect
SD-WAN Command Line Interface (CVE-2024-41136)
---------------------------------------------------------------------
An authenticated command injection vulnerability exists in the HPE
Aruba Networking EdgeConnect SD-WAN gateway's Command Line Interface.
Successful exploitation of this vulnerability results in the ability
to execute arbitrary commands as a privileged user on the underlying
operating system.

Internal References: ATLSP-98
Severity: Medium
CVSSv3 Overall Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Daniel Jensen
(@dozernz) via HPE Aruba Networking's bug bounty program.

Resolution:
HPE Aruba Networking has patched this particular vulnerability in the
following branches and versions of ECOS:
- ECOS 9.4.x: ECOS 9.4.0.0 (all builds) and above
- ECOS 9.3.x: ECOS 9.3.1.0 (all builds) and above
- ECOS 9.2.x: ECOS 9.2.10.0 (all builds) and above
- ECOS 9.1.x: ECOS 9.1.11.0 (all builds) and above

Workaround:
Refer to the general Workaround section, found towards the bottom of
the advisory.
Authenticated Remote Command Execution in the HPE Aruba Networking
EdgeConnect SD-WAN SSH Daemon (CVE-2023-51385)
---------------------------------------------------------------------
In ssh in OpenSSH before 9.6, OS command injection might occur if a
username or host name has shell metacharacters, and this name is
referenced by an expansion token in certain situations. For example,
an untrusted Git repository can have a submodule with shell
metacharacters in a username or hostname.

The impact of this vulnerability on HPE Aruba Networking EdgeConnect
SD-WAN has not been confirmed, but the version of OpenSSH has been
upgraded for mitigation. HPE Aruba Networking is not aware of any
malicious exploitation of this vulnerability.

Internal Reference: ATLSP-107
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Discovery:
This vulnerability was originally reported by Vinci. Further details
can be found at: https://nvd.nist.gov/vuln/detail/CVE-2023-51385

Resolution:
HPE Aruba Networking has patched this particular vulnerability in the
following branches and versions of ECOS:
- ECOS 9.4.x: ECOS 9.4.2.0 (all builds) and above
- ECOS 9.3.x: ECOS 9.3.3.0 (all builds) and above

Workaround:
Refer to the general Workaround section, found towards the bottom of
the advisory.

Terrapin Attack Vulnerability in OpenSSH Impacting HPE Aruba
Networking EdgeConnect SD-WAN (CVE-2023-48795)
---------------------------------------------------------------------
The SSH transport protocol with certain OpenSSH extensions, found in
OpenSSH before 9.6, allows remote attackers to bypass integrity checks
such that some packets are omitted (from the extension negotiation
message), and a client and server may consequently end up with a
connection for which some security features have been downgraded or
disabled, aka a Terrapin attack.
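The Terrapin downgrade described above only works against particular transport choices, and a defender reviewing an SSH service on a gateway usually wants to know from the handshake alone whether it is exposed. The following checker is an added example written for this page; it is not HPE Aruba code and does not inspect ECOS. It takes the algorithm name-lists from a client and a server SSH_MSG_KEXINIT (here constructed samples; in practice they come from a packet capture or `ssh -vv` output), negotiates them the way RFC 4253 does, and reports exposure when ChaCha20-Poly1305, or a CBC cipher paired with an encrypt-then-MAC MAC, is selected without both sides advertising the "strict kex" extension that OpenSSH 9.6 introduced as the countermeasure (`kex-strict-c-v00@openssh.com` / `kex-strict-s-v00@openssh.com`). The dataclass and function names are mine.

```python
"""Decide from two SSH_MSG_KEXINIT algorithm lists whether the negotiated
transport is one that CVE-2023-48795 (Terrapin) can tamper with.

Added example, not part of the advisory. The KEXINIT lists below are
constructed samples; take real ones from a packet capture or `ssh -vv`.
"""
from dataclasses import dataclass
from typing import List, Optional

STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"   # OpenSSH 9.6+ client marker
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"   # OpenSSH 9.6+ server marker
CHACHA20 = "chacha20-poly1305@openssh.com"


@dataclass
class KexInit:
    """The KEXINIT name-lists that matter here (client-to-server direction)."""
    kex_algorithms: List[str]
    ciphers: List[str]
    macs: List[str]


def negotiate(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: first algorithm on the client's list that the server also lists."""
    for name in client_prefs:
        if name in server_prefs:
            return name
    return None


def terrapin_findings(client: KexInit, server: KexInit) -> List[str]:
    """Empty list means the handshake is not Terrapin-exposed; otherwise, why it is."""
    if STRICT_KEX_CLIENT in client.kex_algorithms and STRICT_KEX_SERVER in server.kex_algorithms:
        return []  # strict kex on both sides: the sequence-number manipulation is rejected
    cipher = negotiate(client.ciphers, server.ciphers)
    mac = negotiate(client.macs, server.macs)
    findings: List[str] = []
    if cipher == CHACHA20:
        findings.append(f"{cipher} negotiated without strict kex")
    elif cipher and cipher.endswith("-cbc") and mac and mac.endswith("-etm@openssh.com"):
        findings.append(f"{cipher} with {mac} (CBC + encrypt-then-MAC) negotiated without strict kex")
    # AES-GCM or AES-CTR with a plain HMAC is not affected, with or without strict kex.
    return findings


# Constructed samples: a 9.6-style client, a pre-9.6 server that still prefers
# ChaCha20, the same server after upgrade, and a server that simply dropped the
# affected cipher modes.
CLIENT = KexInit(
    kex_algorithms=["curve25519-sha256", "ecdh-sha2-nistp256", STRICT_KEX_CLIENT],
    ciphers=[CHACHA20, "aes256-gcm@openssh.com", "aes256-ctr"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
OLD_SERVER = KexInit(
    kex_algorithms=["curve25519-sha256", "ecdh-sha2-nistp256"],
    ciphers=[CHACHA20, "aes256-ctr"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
PATCHED_SERVER = KexInit(
    kex_algorithms=["curve25519-sha256", "ecdh-sha2-nistp256", STRICT_KEX_SERVER],
    ciphers=[CHACHA20, "aes256-ctr"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
HARDENED_SERVER = KexInit(
    kex_algorithms=["curve25519-sha256"],
    ciphers=["aes256-gcm@openssh.com", "aes256-ctr"],
    macs=["hmac-sha2-256-etm@openssh.com"],
)

if __name__ == "__main__":
    for label, server in (("old", OLD_SERVER), ("patched", PATCHED_SERVER), ("hardened", HARDENED_SERVER)):
        print(label, terrapin_findings(CLIENT, server) or "not exposed")
```

The HARDENED_SERVER case shows the configuration-only mitigation available where the binary cannot be upgraded yet: removing chacha20-poly1305@openssh.com and the CBC ciphers from the server's offer takes the handshake out of scope even when neither side speaks strict kex.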
The impact of this vulnerability on HPE Aruba Networking EdgeConnect
SD-WAN gateways has not been confirmed, but the version of OpenSSH in
ECOS software has been upgraded for mitigation.

Internal References: ATLSP-109
Severity: Medium
CVSSv3 Overall Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Discovery:
This vulnerability was discovered by Fabian Bäumer, Marcus Brinkmann,
and Jörg Schwenk. Further details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Resolution:
HPE Aruba Networking has patched this particular vulnerability in the
following branches and versions of ECOS:
- ECOS 9.4.x: ECOS 9.4.2.0 (all builds) and above
- ECOS 9.3.x: ECOS 9.3.3.0 (all builds) and above

Workaround:
Refer to the general Workaround section, found towards the bottom of
the advisory.

Resolution
==========
HPE Aruba Networking advises customers to upgrade to the following
versions to address all vulnerabilities within this advisory, unless
otherwise specified in the Details section. These builds and branches
will fix the lower severity authenticated vulnerabilities that require
existing administrative access:
- ECOS 9.5.x: ECOS 9.5.0.0 (all builds) and above
- ECOS 9.4.x: ECOS 9.4.2.0 (all builds) and above
- ECOS 9.3.x: ECOS 9.3.4.0 (all builds) and above

The EdgeConnect SD-WAN Orchestrator software version must be greater
than or equal to the ECOS software version running on any EdgeConnect
SD-WAN gateways.

HPE Aruba Networking does not evaluate or patch software versions that
have reached their End of Maintenance (EoM) milestone.
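With seven CVEs, four maintained branches and per-CVE fix builds that differ from the advisory-level upgrade targets, answering "which of these does a given gateway still carry?" by eye is error-prone. The script below is an added example written for this page (it is not HPE Aruba tooling and does not talk to ECOS or Orchestrator); it encodes the fixed builds exactly as the Details and Resolution sections above state them and maps a running build string to the CVE ids it is still exposed to. Function names, the inventory format and the sample hostnames and builds are mine.

```python
"""Map a running ECOS build to the CVEs in HPESBNW04673 it is still exposed to.

Added example; not part of the advisory or of any HPE Aruba tooling. The fix
versions are copied from the advisory's Details and Resolution sections.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.3.4.0' -> (9, 3, 4, 0). Rejects anything that is not four dotted integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a full ECOS build string: {text!r}")
    return tuple(int(p) for p in parts)


def branch_of(version: Version) -> str:
    """Branch key the advisory uses, e.g. '9.3' for ECOS 9.3.x."""
    return f"{version[0]}.{version[1]}"


# First fixed build per branch for each CVE, as stated in the Details section.
# A branch absent from a CVE's table has no fixed build listed there (so it is
# still exposed); None marks a branch the advisory says the CVE does not affect.
FIXED_IN: Dict[str, Dict[str, Optional[str]]] = {
    "CVE-2024-33519": {"9.4": "9.4.1.0", "9.3": "9.3.1.0", "9.2": "9.2.10.0", "9.1": "9.1.12.0"},
    "CVE-2024-41133": {"9.4": "9.4.2.0", "9.3": "9.3.4.0", "9.2": "9.2.10.0", "9.1": "9.1.12.0"},
    "CVE-2024-41134": {"9.4": "9.4.2.0", "9.3": "9.3.4.0", "9.2": "9.2.10.0", "9.1": None},
    "CVE-2024-41135": {"9.4": "9.4.2.0", "9.3": "9.3.4.0", "9.2": "9.2.10.0", "9.1": "9.1.12.0"},
    "CVE-2024-41136": {"9.4": "9.4.0.0", "9.3": "9.3.1.0", "9.2": "9.2.10.0", "9.1": "9.1.11.0"},
    "CVE-2023-51385": {"9.4": "9.4.2.0", "9.3": "9.3.3.0"},
    "CVE-2023-48795": {"9.4": "9.4.2.0", "9.3": "9.3.3.0"},
}

# Advisory-level Resolution: these builds address every CVE in the advisory.
FIXES_ALL: Dict[str, str] = {"9.5": "9.5.0.0", "9.4": "9.4.2.0", "9.3": "9.3.4.0"}


def exposed_cves(build: str) -> List[str]:
    """Return the CVE ids the given ECOS build is still exposed to, per the advisory."""
    version = parse_version(build)
    branch = branch_of(version)
    if branch in FIXES_ALL and version >= parse_version(FIXES_ALL[branch]):
        return []
    exposed: List[str] = []
    for cve, fixes in FIXED_IN.items():
        if branch not in fixes:
            # No fixed build in this branch; for 9.0.x and 8.x the advisory says all builds are affected.
            exposed.append(cve)
            continue
        first_fixed = fixes[branch]
        if first_fixed is None:
            continue  # advisory: this branch is not affected by this CVE
        if version < parse_version(first_fixed):
            exposed.append(cve)
    return sorted(exposed)


def fleet_report(builds: Dict[str, str]) -> Dict[str, List[str]]:
    """hostname -> exposed CVEs, for an inventory shaped like SAMPLE_FLEET."""
    return {host: exposed_cves(build) for host, build in builds.items()}


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_FLEET = {
    "ec-branch-01": "9.3.3.0",
    "ec-branch-02": "9.2.10.0",
    "ec-dc-01": "9.4.2.0",
    "ec-lab-01": "9.1.11.0",
}

if __name__ == "__main__":
    for host, cves in fleet_report(SAMPLE_FLEET).items():
        print(f"{host}: {', '.join(cves) if cves else 'no open CVEs from HPESBNW04673'}")
```

Two caveats when using it. A branch the tables do not know (anything newer than 9.5.x, or the out-of-maintenance 9.0.x and 8.x lines) is reported as exposed to everything, which is what the advisory says for the old lines but only a placeholder for newer ones, so refresh the tables from later advisories before trusting a result for them. And the per-CVE tables are what the function follows, while the advisory-level Resolution builds (9.5.0.0, 9.4.2.0, 9.3.4.0) remain the upgrade target; a 9.2.x gateway, for instance, comes out clean for the five 2024 CVEs at 9.2.10.0 but still carries the two OpenSSH issues, because no 9.2.x fix is listed for them.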
Maintained versions as of the publication date of this advisory are:
- HPE Aruba Networking EdgeConnect SD-WAN 9.5.x.x
- HPE Aruba Networking EdgeConnect SD-WAN 9.4.x.x
- HPE Aruba Networking EdgeConnect SD-WAN 9.3.x.x
- HPE Aruba Networking EdgeConnect SD-WAN 9.2.x.x

For more information about HPE Aruba Networking's End of Support policy
visit: https://www.arubanetworks.com/support-services/end-of-life/

Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above.

As a best practice, it is recommended to configure IP-allow-listing for
Orchestrator local users and API Keys. In EdgeConnect SD-WAN
deployments, it is recommended that RADIUS and TACACS management plane
traffic be engineered to use the secure SD-WAN tunnels for transport
to the extent possible.

Exploitation and Public Discussion
==================================
CVE-2023-51385 and CVE-2023-48795 are being widely discussed in public.
HPE Aruba Networking is not aware of any exploitation tools or
techniques that specifically target HPE Aruba Networking products.

HPE Aruba Networking is not aware of any public discussion or exploit
code that targets the other vulnerabilities listed as of the release
date of the advisory.

Revision History
================
Revision 1 / 2024-July-23 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents
is available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption.
Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmaWkYEXHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE66vwwv/Tyr/WFHDgHcRJxPhaCZGF8Oh
p6H8ows/dmuweK5phrBxhqoX2tWW3jLGLfOL4s7JM5QpRKmYNe8AENJz5uunMkWu
3cvYB1HKfXEWKWrv3WpOTLLS/DRTfzILQAxhzKGL8TlFtzLQug5sOXWTlszxWB1K
u2oy0A1o5f8A9ABb4zqK4Lb4htQoWtq93qBY3ksQc41HnGYEeeJUq812AZoUoVTF
dNiqEy5FSfVc9+JjX5cKb8KD792u+sSCIqSHNuPT+3WHQPrYAwhZF1mQn7aZZXlI
50sUdodd5O92XilJLEdwydOC8sWsbpyq6qMMsHXXqSVeWPVNKUpQuSNRhR7ISfPf
WBCgnovt1q4fgcZd+ejaZRDwWej+jUQ6AAskVSSAv5a1Ei6oR8+xvWW6fex6/CYU
NqKOZ9kdDlQn040aRe9kD+YYrfaS9+g9u5fqcf5PIt9vybU9WFjPDrgIkNfkX/Lo
Qf6ktP4PV4DYL9QHQfeXX9P7M1alo5tCgqmZTmpY
=DoWT
-----END PGP SIGNATURE-----