-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: HPESBNW04709
CVE: CVE-2024-42501, CVE-2024-42502, CVE-2024-42503
Publication Date: 2024-SEP-17
Status: Confirmed
Severity: High
Revision: 1

Title
=====
HPE Aruba Networking Controller and Gateway-Based AOS Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released AOS patches for Controllers and Gateways that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Affected Software Versions:
- AOS-10.6.x.x: 10.6.0.2 and below
- AOS-8.12.x.x: 8.12.0.1 and below
- AOS-8.10.x.x: 8.10.0.13 and below

The following AOS and SD-WAN software versions are End of Maintenance, are affected by these vulnerabilities, and are not patched by this advisory:
- AOS-10.5.x.x: all
- AOS-10.3.x.x: all
- AOS-8.11.x.x: all
- AOS-8.9.x.x: all
- AOS-8.8.x.x: all
- AOS-8.7.x.x: all
- AOS-8.6.x.x: all
- AOS-6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all

Unaffected Products
===================
Any other HPE Aruba Networking products and software versions not specifically listed above are not affected by these vulnerabilities.

Note: AOS-10.4.x.x is specifically not affected by these vulnerabilities.

Details
=======
Authenticated Path Traversal Vulnerability Leads to a Remote Command Execution (RCE) (CVE-2024-42501)
- ---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in AOS. Successful exploitation allows an authenticated attacker to install unsigned packages on the underlying operating system, enabling a threat actor to execute arbitrary code or install implants.
Internal Reference: ATLWL-483
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.
Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Authenticated Remote Command Execution (RCE) Vulnerability in the AOS Command Line Interface (CVE-2024-42502)
- ---------------------------------------------------------------------
An authenticated command injection vulnerability exists in the AOS command line interface. Successful exploitation of this vulnerability results in the ability to inject shell commands on the underlying operating system.

Internal Reference: ATLWL-484
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.
Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Authenticated Remote Command Execution (RCE) Vulnerability in the Lua Package Within the AOS Command Line Interface (CLI) (CVE-2024-42503)
- ---------------------------------------------------------------------
An authenticated command execution vulnerability exists in the AOS command line interface (CLI). Successful exploitation of this vulnerability results in the ability to run arbitrary commands as a privileged user on the underlying operating system.
Internal Reference: ATLWL-480
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.
Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Resolution
==========
Upgrade Mobility Conductors, Mobility Controllers and Gateways to one of the following AOS versions (as applicable) to resolve all the vulnerabilities described in the Details section:
- AOS-10.7.x.x: 10.7.0.0 and above
- AOS-10.6.x.x: 10.6.0.3 and above
- AOS-8.12.x.x: 8.12.0.2 and above
- AOS-8.10.x.x: 8.10.0.14 and above

Note: AOS-10.4.x.x is not affected by any of the vulnerabilities above.

Software versions with fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal:
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch AOS branches that have reached their End of Maintenance (EoM) milestone. For more information about Aruba's End of Support policy visit:
https://networkingsupport.hpe.com/end-of-life/

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above. Contact HPE Services - Aruba Networking for any configuration assistance.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of this advisory.
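The affected, End of Maintenance, unaffected and fixed version ranges above, turned into a triage script that classifies the version a device reports. This is an added example, not code from the advisory or from HPE; the function names, the Status enum and the constructed sample inventory are this example's own. It assumes version strings in the dotted form the advisory uses, with the SD-WAN base-build form (8.7.0.0-2.3.0.x) split on the dash so one prefix test covers both shapes, and it reports versions the advisory does not list as "not listed", matching the advisory's statement that unlisted versions are not affected.

```python
"""Triage helper for HPESBNW04709 (CVE-2024-42501, -42502, -42503).

Added example, not code from the advisory or from HPE. It encodes the version
ranges the advisory lists and classifies a version string against them.
Function names, the Status enum and the sample inventory below are this
example's own constructions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.10.0.13' -> (8, 10, 0, 13); SD-WAN '8.7.0.0-2.3.0.4' -> (8, 7, 0, 0, 2, 3, 0, 4).

    Splitting on '-' as well as '.' lets one prefix test cover both the plain
    AOS branches and the dashed SD-WAN branches in the advisory.
    """
    parts = text.strip().replace("-", ".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


# Maintained branches: prefix -> (highest affected release, first fixed release).
# 10.7 has no affected release; the advisory lists 10.7.0.0 and above as fixed.
MAINTAINED = {
    (10, 7): (None, "10.7.0.0"),
    (10, 6): ("10.6.0.2", "10.6.0.3"),
    (8, 12): ("8.12.0.1", "8.12.0.2"),
    (8, 10): ("8.10.0.13", "8.10.0.14"),
}

# End of Maintenance branches: every release affected, none patched.
EOM = [
    (10, 5), (10, 3), (8, 11), (8, 9), (8, 8), (8, 7), (8, 6), (6, 5, 4),
    (8, 7, 0, 0, 2, 3, 0),  # SD-WAN 8.7.0.0-2.3.0.x
    (8, 6, 0, 4, 2, 2),     # SD-WAN 8.6.0.4-2.2.x.x
]

# The advisory singles out 10.4.x.x as not affected.
UNAFFECTED = [(10, 4)]


class Status(Enum):
    NOT_AFFECTED = "not affected"
    NOT_LISTED = "not listed by the advisory (unlisted versions are not affected)"
    FIXED = "fixed"
    AFFECTED_UPGRADE = "affected: upgrade within branch"
    AFFECTED_EOM = "affected: End of Maintenance branch, no patch available"


@dataclass(frozen=True)
class Verdict:
    version: str
    status: Status
    upgrade_to: Optional[str]  # first fixed release in the same branch, if any


def _branch(version: Tuple[int, ...], prefixes) -> Optional[Tuple[int, ...]]:
    """Longest listed prefix that the version starts with, or None."""
    hits = [p for p in prefixes if version[: len(p)] == p]
    return max(hits, key=len) if hits else None


def triage(text: str) -> Verdict:
    v = parse_version(text)
    if _branch(v, UNAFFECTED):
        return Verdict(text, Status.NOT_AFFECTED, None)
    branch = _branch(v, MAINTAINED)
    if branch:
        highest_affected, first_fixed = MAINTAINED[branch]
        if highest_affected is None or v > parse_version(highest_affected):
            return Verdict(text, Status.FIXED, None)
        return Verdict(text, Status.AFFECTED_UPGRADE, first_fixed)
    if _branch(v, EOM):
        return Verdict(text, Status.AFFECTED_EOM, None)
    return Verdict(text, Status.NOT_LISTED, None)


if __name__ == "__main__":
    # Constructed sample inventory (hostname, running version); not real devices.
    inventory = [
        ("mc-core-01", "8.10.0.13"),
        ("mc-core-02", "8.10.0.14"),
        ("conductor-01", "10.6.0.2"),
        ("branch-gw-07", "10.4.1.0"),
        ("legacy-gw-03", "8.7.0.0-2.3.0.4"),
    ]
    for host, ver in inventory:
        r = triage(ver)
        extra = f" -> {r.upgrade_to}" if r.upgrade_to else ""
        print(f"{host:14} {ver:18} {r.status.value}{extra}")
```

Two details worth keeping when adapting this to a real inventory: the unaffected check runs before the branch tests so that 10.4.x.x never falls through to the End of Maintenance list, and a release above the highest affected build in a maintained branch is reported as fixed only because the advisory states the fix is "X and above"; a version string with a build suffix the parser does not understand raises rather than being silently classified.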
Revision History
================
Revision 1 / 2024-SEP-17 / Initial release

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmboXUUXHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE67acgv/UHRwdslao/7zhpoMn4IqrHRS
Bij5z2SjCtnInRtZl66E1hJ0uLmoREIZsfTA/Qc+kP/d6OQaWZL4/fkxDdYPSGbP
FUJmbq72X2q0qyC9geuSqBRVC4mihSFwQMCaK9XqqLjlnnDZuqZ8KcNLJkVzJu8p
T+poTfk8BvkO7NHNIooFQx2ek2D+PxYkE0uyJ6M6MjZHnc2Ka7kwzN2C3nzIMuOL
FYfj/Wm1ENpsYcFmL669VskoCXqLXFNovdVILJP84ATh2bvChPo+YdtsabOCrvMy
F8ppfeMFivz8aaQOlelSDbOQeVfvKoLde2eH7gWePWyHIrMda8anqcouPM+l3cc9
GZQOPy7LoCZFE7KQ4gEWBkxrBstRWMxU4ZScAYgtCEinru8bggvWRb3U81Iig3Km
qXlLE5E4aKEim2DRzYB/GvYX5aX7bQUM711wok6Yb7ww0ap8D8K24Y2SfVrFBR2A
FsYdJXYjgAmN0anxGpq31/b41tK6oDhwiCvrz0Tx
=RBWC
-----END PGP SIGNATURE-----