HPE Aruba Networking Product Security Advisory
===============================================

Advisory ID: HPESBNW04678
CVE: CVE-2023-48795, CVE-2023-51385, CVE-2024-42393, CVE-2024-42394,
     CVE-2024-42395, CVE-2024-42396, CVE-2024-42397, CVE-2024-42398,
     CVE-2024-42399, CVE-2024-42400
Publication Date: 2024-Aug-06
Last Updated: 2024-Aug-15
Status: Confirmed
Severity: Critical
Revision: 2

Title
=====
HPE Aruba Networking Access Points Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for Aruba Access Points running
InstantOS and ArubaOS 10 that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Aruba Access Points running InstantOS and ArubaOS 10

Affected Software Version(s):
- ArubaOS 10.6.x.x: 10.6.0.0 and below
- ArubaOS 10.4.x.x: 10.4.1.3 and below
- InstantOS 8.12.x.x: 8.12.0.1 and below
- InstantOS 8.10.x.x: 8.10.0.12 and below

The following software versions that are End of Maintenance are affected
by these vulnerabilities and are not addressed by this advisory:
- ArubaOS 10.5.x.x: all
- ArubaOS 10.3.x.x: all
- InstantOS 8.11.x.x: all
- InstantOS 8.9.x.x: all
- InstantOS 8.8.x.x: all
- InstantOS 8.7.x.x: all
- InstantOS 8.6.x.x: all
- InstantOS 8.5.x.x: all
- InstantOS 8.4.x.x: all
- InstantOS 6.5.x.x: all
- InstantOS 6.4.x.x: all

HPE Aruba Networking strongly recommends all customers running
End-of-Maintenance software to upgrade to a supported version as soon as
possible.

Unaffected Products
===================
HPE Aruba Networking Mobility Conductor, Mobility Controllers, and SD-WAN
Gateways are not affected by these vulnerabilities. HPE Networking Instant
On is also not affected by these vulnerabilities.

Any other supported software versions not listed under the Affected
Products section of this advisory are not known to be affected by the
disclosed vulnerabilities.
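The version ranges above are easy to misread across four supported branches and eleven End-of-Maintenance branches, so the following is an added example (not part of this advisory and not an HPE tool) that classifies an AP firmware version against the ranges transcribed from this advisory. It assumes versions are dotted integers such as "10.4.1.3", and its CVE-to-OS mapping is this example's reading of the per-vulnerability Resolution sections below (the PAPI RCEs and the certificate-management DoS are InstantOS-only; the OpenSSH issues and the Soft AP DoS apply to both operating systems).

```python
"""Classify an HPE Aruba AP firmware version against HPESBNW04678.

Added example, not part of the advisory and not an HPE tool. The branch
table is transcribed from the Affected Products and Resolution sections;
dotted-integer version comparison and CVES_BY_OS are this example's own
reading of the advisory text.
"""
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Branch(NamedTuple):
    os_name: str                      # "ArubaOS" or "InstantOS"
    prefix: Version                   # e.g. (10, 4) for ArubaOS 10.4.x.x
    last_affected: Optional[Version]  # None: every release in the branch
    fixed: Optional[Version]          # None: End of Maintenance, no fix


# Supported branches with a fix, followed by End-of-Maintenance branches.
BRANCHES = [
    Branch("ArubaOS",   (10, 6), (10, 6, 0, 0),  (10, 6, 0, 1)),
    Branch("ArubaOS",   (10, 4), (10, 4, 1, 3),  (10, 4, 1, 4)),
    Branch("InstantOS", (8, 12), (8, 12, 0, 1),  (8, 12, 0, 2)),
    Branch("InstantOS", (8, 10), (8, 10, 0, 12), (8, 10, 0, 13)),
] + [
    Branch(os_name, prefix, None, None)
    for os_name, prefix in [("ArubaOS", (10, 5)), ("ArubaOS", (10, 3)),
                            ("InstantOS", (8, 11)), ("InstantOS", (8, 9)),
                            ("InstantOS", (8, 8)), ("InstantOS", (8, 7)),
                            ("InstantOS", (8, 6)), ("InstantOS", (8, 5)),
                            ("InstantOS", (8, 4)), ("InstantOS", (6, 5)),
                            ("InstantOS", (6, 4))]
]

# Which CVEs apply to which OS (example's reading of the Details sections).
CVES_BY_OS = {
    "InstantOS": ["CVE-2024-42393", "CVE-2024-42394", "CVE-2024-42395",
                  "CVE-2024-42396", "CVE-2024-42397", "CVE-2024-42398",
                  "CVE-2024-42399", "CVE-2024-42400",
                  "CVE-2023-48795", "CVE-2023-51385"],
    "ArubaOS":   ["CVE-2024-42398", "CVE-2024-42399", "CVE-2024-42400",
                  "CVE-2023-48795", "CVE-2023-51385"],
}


def parse_version(text: str) -> Version:
    """'10.4.1.3' -> (10, 4, 1, 3); rejects anything not dotted integers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-integer version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(os_name: str, version: str) -> dict:
    """Return status affected / fixed / affected-eom / not-listed for one AP."""
    v = parse_version(version)
    for b in BRANCHES:
        if b.os_name != os_name or v[:len(b.prefix)] != b.prefix:
            continue
        if b.fixed is None:
            status = "affected-eom"       # EoM: move to a supported branch
        elif v <= b.last_affected:        # tuple comparison is lexicographic
            status = "affected"
        else:
            status = "fixed"
        return {"status": status,
                "branch": f"{os_name} {fmt(b.prefix)}.x.x",
                "fixed_in": None if b.fixed is None else fmt(b.fixed),
                "cves": [] if status == "fixed" else CVES_BY_OS[os_name]}
    # Unlisted supported versions are "not known to be affected" per the
    # Unaffected Products section.
    return {"status": "not-listed", "branch": None, "fixed_in": None, "cves": []}


if __name__ == "__main__":
    # Constructed inventory lines ("<os> <version>"), not real device data.
    inventory = ["ArubaOS 10.4.1.3", "ArubaOS 10.4.1.4", "InstantOS 8.10.0.12",
                 "InstantOS 8.6.0.19", "ArubaOS 10.7.0.0"]
    for line in inventory:
        os_name, ver = line.split()
        r = assess(os_name, ver)
        print(f"{line:22} {r['status']:13} fix: {r['fixed_in']}  "
              f"open CVEs: {len(r['cves'])}")
```

Feed it the OS name and version string as reported by each AP; an "affected-eom" result means no fix exists on that branch and the AP has to move to a supported branch before the fixed release applies.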
Details
=======

Unauthenticated Stack-Based Buffer Overflow Remote Command Execution (RCE)
in the Soft AP Daemon Service Accessed by the PAPI Protocol
(CVE-2024-42393, CVE-2024-42394)
----------------------------------------------------------------------
There are vulnerabilities in the Soft AP Daemon Service which could allow
a threat actor to execute an unauthenticated RCE attack. Successful
exploitation could allow an attacker to execute arbitrary commands on the
underlying operating system leading to complete system compromise.

Internal References: ATLWL-472, ATLWL-471
Severity: Critical
CVSSv3.x Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by zzcentury from
Ubisectech Sirius Team (https://www.ubisectech.com/) via HPE Aruba
Networking's bug bounty program.

Resolution:
These vulnerabilities do not affect Access Points running ArubaOS 10.x.
To address the vulnerabilities described in this detail section, it is
recommended to upgrade the Access Points to one of the following versions
(as applicable):
- InstantOS 8.12.x.x: 8.12.0.2 and above
- InstantOS 8.10.x.x: 8.10.0.13 and above

Workaround:
Enabling cluster-security via the cluster-security command will prevent
the vulnerabilities from being exploited in InstantOS devices running 8.x
or 6.x code.

Unauthenticated Stack-Based Buffer Overflow Remote Command Execution (RCE)
in the AP Certificate Management Service Accessed by the PAPI Protocol
(CVE-2024-42395)
----------------------------------------------------------------------
There is a vulnerability in the AP Certificate Management Service which
could allow a threat actor to execute an unauthenticated RCE attack.
Successful exploitation could allow an attacker to execute arbitrary
commands on the underlying operating system leading to complete system
compromise.
Internal References: ATLWL-467
Severity: Critical
CVSSv3.x Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by zzcentury from
Ubisectech Sirius Team (https://www.ubisectech.com/) via HPE Aruba
Networking's bug bounty program.

Resolution:
This vulnerability does not affect Access Points running ArubaOS 10.x.
To address the vulnerability described in this detail section, it is
recommended to upgrade the Access Points to one of the following versions
(as applicable):
- InstantOS 8.12.x.x: 8.12.0.2 and above
- InstantOS 8.10.x.x: 8.10.0.13 and above

Workaround:
Enabling cluster-security via the cluster-security command will prevent
the vulnerability from being exploited in InstantOS devices running 8.x
or 6.x code.

Authenticated Remote Command Execution in the InstantOS and ArubaOS 10.x
SSH Daemon (CVE-2023-51385)
----------------------------------------------------------------------
In OpenSSH before 9.6, OS command injection might occur if a user name or
host name has shell metacharacters, and this name is referenced by an
expansion token in certain situations. For example, an untrusted Git
repository can have a submodule with shell metacharacters in a user name
or host name. The impact of this vulnerability on InstantOS 8.x and
ArubaOS 10.x running on HPE Aruba Networking Access Points has not been
confirmed, but the version of OpenSSH has been upgraded for mitigation.

Internal Reference: ATLWL-464
Severity: Medium
CVSSv3.x Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Reporter:
This vulnerability was originally reported by Vinci.
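To make the CVE-2023-51385 mechanism concrete: the following is an added example, not code from this advisory or from OpenSSH. It models how an ssh_config expansion token (%h for host, %u for user, %p for port) is substituted into a ProxyCommand that ssh then passes to a shell, and pairs the naive expansion with a validator that rejects names containing shell metacharacters before expansion, which is the approach the upstream 9.6 fix takes. The template, the crafted host name and the exact character set in safe_name() are this example's own constructions; nothing here executes a shell.

```python
"""CVE-2023-51385 vulnerability class: shell metacharacters in a host or
user name reach the shell through ssh_config token expansion.

Added example, not code from the advisory or from OpenSSH. PROXY_COMMAND,
the crafted host name and SHELL_META are constructed for this illustration.
"""

# A ProxyCommand as it might appear in ssh_config (constructed). ssh hands
# the expanded string to /bin/sh -c, so the name is interpreted by the shell.
PROXY_COMMAND = "ssh -W %h:%p jumphost"

# Characters refused in a host or user name. Rejecting before expansion is
# the OpenSSH 9.6 approach; this particular set is the example's own choice.
SHELL_META = set("`$|;&<>(){}[]*?~!\"'\\ \t\r\n")


def expand(template: str, host: str, user: str, port: int = 22) -> str:
    """Naive expansion: the name lands in the command verbatim, so any
    metacharacters in it are later interpreted by the shell."""
    return (template.replace("%h", host)
                    .replace("%u", user)
                    .replace("%p", str(port)))


def safe_name(name: str) -> bool:
    """True if the name is non-empty and contains no shell metacharacters."""
    return bool(name) and not (set(name) & SHELL_META)


def expand_checked(template: str, host: str, user: str, port: int = 22) -> str:
    """Hardened variant: validate the attacker-influenced inputs first."""
    for label, value in (("host", host), ("user", user)):
        if not safe_name(value):
            raise ValueError(f"refusing to expand {label} name {value!r}: "
                             "contains shell metacharacters")
    return expand(template, host, user, port)


if __name__ == "__main__":
    # Constructed: the host part of a submodule URL in an untrusted repository.
    evil_host = "`touch /tmp/pwned`"
    print(expand(PROXY_COMMAND, evil_host, "git"))   # substitution reaches sh
    try:
        expand_checked(PROXY_COMMAND, evil_host, "git")
    except ValueError as err:
        print("blocked:", err)
    print(expand_checked(PROXY_COMMAND, "git.example.com", "git"))
```

The point for an operator is that the defect lives in the ssh client's handling of names it did not choose, so the only durable fix is the upgraded OpenSSH; the validator above shows the shape of that fix rather than replacing it.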
Further details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2023-51385

Resolution:
To address the vulnerability described in this detail section, it is
recommended to upgrade the Access Points to one of the following versions
(as applicable):
- ArubaOS 10.6.x.x: 10.6.0.1 and above
- ArubaOS 10.4.x.x: 10.4.1.4 and above
- InstantOS 8.12.x.x: 8.12.0.2 and above
- InstantOS 8.10.x.x: 8.10.0.13 and above

Workaround:
Running the cli command 'ssh disable-ciphers aes-cbc' will remove the
conditions for this attack to be successful. Note that cipher selection
does not change the token-expansion behaviour this CVE describes; the
OpenSSH upgrade is the fix, and the management-plane restriction below
limits who can reach the SSH daemon in the meantime. To minimize the
likelihood of an attacker exploiting this vulnerability, HPE Aruba
Networking recommends that the CLI and web-based management interfaces be
restricted to a dedicated layer 2 segment/VLAN and/or controlled by
firewall policies at layer 3 and above.

Integrity Check Bypass Allows Connection Security Downgrade in InstantOS
and ArubaOS 10.x OpenSSH ("Terrapin" attack) (CVE-2023-48795)
----------------------------------------------------------------------
The SSH transport protocol with certain OpenSSH extensions, found in
OpenSSH before 9.6, allows remote attackers to bypass integrity checks such
that some packets are omitted (from the extension negotiation message),
and a client and server may consequently end up with a connection for
which some security features have been downgraded or disabled, aka a
Terrapin attack. This is a prefix-truncation attack on the SSH transport,
not a memory-corruption bug. The impact of this vulnerability on HPE Aruba
Networking Access Points has not been confirmed, but the version of
OpenSSH in InstantOS and ArubaOS 10.x software has been upgraded for
mitigation.

Internal References: ATLWL-465
Severity: Medium
CVSSv3.x Overall Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Further details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Discovery:
This vulnerability was discovered by Fabian Baeumer, Marcus Brinkmann,
and Joerg Schwenk.
Resolution:
To address the vulnerability described in this detail section, it is
recommended to upgrade the Access Points to one of the following versions
(as applicable):
- ArubaOS 10.6.x.x: 10.6.0.1 and above
- ArubaOS 10.4.x.x: 10.4.1.4 and above
- InstantOS 8.12.x.x: 8.12.0.2 and above
- InstantOS 8.10.x.x: 8.10.0.13 and above

Workaround:
Running the cli command 'ssh disable-ciphers aes-cbc' will remove the
conditions for this attack to be successful. Disabling CBC ciphers removes
the CBC-with-Encrypt-then-MAC (*-etm@openssh.com) precondition for
Terrapin; the attack's other precondition, the chacha20-poly1305@openssh.com
cipher, is addressed by the OpenSSH upgrade if that cipher is negotiated.
In addition, to minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the CLI and web-based
management interfaces be restricted to a dedicated layer 2 segment/VLAN
and/or controlled by firewall policies at layer 3 and above.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the AP
Certificate Management Service Accessed by the PAPI Protocol
(CVE-2024-42396, CVE-2024-42397)
----------------------------------------------------------------------
Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in
the AP Certificate Management daemon accessed via the PAPI protocol.
Successful exploitation of these vulnerabilities results in the ability to
interrupt the normal operation of the affected Access Point.

Internal References: ATLWL-470, ATLWL-468
Severity: Medium
CVSSv3.x Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery:
These vulnerabilities were discovered and reported by zzcentury from
Ubisectech Sirius Team (https://www.ubisectech.com/) via HPE Aruba
Networking's bug bounty program.

Resolution:
These vulnerabilities do not affect Access Points running ArubaOS 10.x.
To address the vulnerabilities described in this detail section, it is
recommended to upgrade the Access Points to one of the following versions
(as applicable):
- InstantOS 8.12.x.x: 8.12.0.2 and above
- InstantOS 8.10.x.x: 8.10.0.13 and above

Workaround:
Enabling cluster-security via the cluster-security command will prevent
these vulnerabilities from being exploited in InstantOS devices running
8.x or 6.x code.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the Soft AP
Daemon Service Accessed by the PAPI Protocol
(CVE-2024-42398, CVE-2024-42399, CVE-2024-42400)
----------------------------------------------------------------------
Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in
the Soft AP daemon accessed via the PAPI protocol. Successful exploitation
of these vulnerabilities results in the ability to interrupt the normal
operation of the affected Access Point.

Internal References: ATLWL-474, ATLWL-469, ATLWL-457
Severity: Medium
CVSSv3.x Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery:
These vulnerabilities were discovered and reported by zzcentury from
Ubisectech Sirius Team (https://www.ubisectech.com/) via HPE Aruba
Networking's bug bounty program.

Resolution:
To address the vulnerabilities described in this detail section, it is
recommended to upgrade the Access Points to one of the following versions
(as applicable):
- ArubaOS 10.6.x.x: 10.6.0.1 and above
- ArubaOS 10.4.x.x: 10.4.1.4 and above
- InstantOS 8.12.x.x: 8.12.0.2 and above
- InstantOS 8.10.x.x: 8.10.0.13 and above
(The ArubaOS 10.4.x.x fixed release is 10.4.1.4, consistent with the
affected range of 10.4.1.3 and below and with the Resolution section
below.)

Workaround:
Enabling cluster-security via the cluster-security command will prevent
these vulnerabilities from being exploited in InstantOS devices running
8.x or 6.x code. For ArubaOS 10 devices this is not an option and instead
access to port UDP/8211 (PAPI) must be blocked from all untrusted
networks.
Resolution
==========
To address the vulnerabilities described above in the affected software
branches, it is recommended to upgrade the Access Points to one of the
following versions (as applicable):
- ArubaOS 10.6.x.x: 10.6.0.1 and above
- ArubaOS 10.4.x.x: 10.4.1.4 and above
- InstantOS 8.12.x.x: 8.12.0.2 and above
- InstantOS 8.10.x.x: 8.10.0.13 and above

Software versions with resolution/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal.
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch InstantOS and ArubaOS
software branches that have reached their End of Maintenance (EoM)
milestone. For more information about HPE Aruba Networking products End
of Support policy visit:
https://networkingsupport.hpe.com/end-of-life

Workaround
==========
Vulnerability specific workarounds are listed per vulnerability above.
You may contact HPE Services - Aruba Networking for assistance if needed.

Exploitation and Public Discussion
==================================
CVE-2023-48795 and CVE-2023-51385 are being widely discussed in public.
HPE Aruba Networking is not aware of any active targeting of HPE Aruba
Networking products.

Revision History
================
Revision 1 / 2024-Aug-06 / Initial release
Revision 2 / 2024-Aug-15 / Added InstantOS 8.6.x to EoM Products list.
                           Changed workarounds to better reflect affected
                           versions.

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption.
Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.

This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.