-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: ARUBA-PSA-2023-002
CVE: CVE-2021-3712, CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, CVE-2023-22750, CVE-2023-22751, CVE-2023-22752, CVE-2023-22753, CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, CVE-2023-22757, CVE-2023-22758, CVE-2023-22759, CVE-2023-22760, CVE-2023-22761, CVE-2023-22762, CVE-2023-22763, CVE-2023-22764, CVE-2023-22765, CVE-2023-22766, CVE-2023-22767, CVE-2023-22768, CVE-2023-22769, CVE-2023-22770, CVE-2023-22771, CVE-2023-22772, CVE-2023-22773, CVE-2023-22774, CVE-2023-22775, CVE-2023-22776, CVE-2023-22777, CVE-2023-22778
Publication Date: 2023-Feb-28
Last Update: 2024-Nov-22
Status: Confirmed
Severity: Critical
Revision: 5

Title
=====
HPE Aruba Networking Controller and Gateway-Based AOS Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released AOS patches for Conductors, Controllers and Gateways that address multiple security vulnerabilities.
Affected Products
=================
HPE Aruba Networking
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-Branch Gateways managed by Aruba Central

Affected Software Versions:
- AOS-8.6.x.x: 8.6.0.19 and below
- AOS-8.10.x.x: 8.10.0.4 and below
- AOS-10.3.x.x: 10.3.1.0 and below
- SD-Branch 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.8 and below

The following AOS and SD-Branch software versions that are End of Life are affected by these vulnerabilities and are not patched by this advisory:
- AOS-6.5.4.x: all
- AOS-8.7.x.x: all
- AOS-8.8.x.x: all
- AOS-8.9.x.x: all
- SD-Branch 8.6.0.4-2.2.x.x: all

Details
=======

Multiple Unauthenticated Command Injections in the PAPI Protocol (CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, CVE-2023-22750)
---------------------------------------------------------------------
There are multiple command injection vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal References: ATLWL-250, ATLWL-316, ATLWL-317, ATLWL-318
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's Bug Bounty Program.

Workaround: None. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.
Unauthenticated Stack-Based Buffer Overflow Vulnerabilities in the PAPI Protocol (CVE-2023-22751, CVE-2023-22752)
---------------------------------------------------------------------
There are stack-based buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal References: ATLWL-252, ATLWL-331
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's Bug Bounty Program.

Workaround: None. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.

Unauthenticated Buffer Overflow Vulnerabilities in AOS Process (CVE-2023-22753)
---------------------------------------------------------------------
There are buffer overflow vulnerabilities in multiple underlying operating system processes that could lead to unauthenticated remote code execution by sending specially crafted packets via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal References: ATLWL-194
Severity: High
CVSSv3 Overall Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Haoliang Lu at the WuHeng Lab of ByteDance.

Resolved Versions: Please note that due to the complexity of the code changes involved it was not possible to backport changes for CVE-2023-22753 to AOS-8.6.x.
Customers using firmware versions in the 8.6.x branch are urged to restrict access to UDP/8211 as described below or to upgrade to AOS-8.10.x.

Workaround: None. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity. For AOS-10.x, this vulnerability does not apply.

Unauthenticated Buffer Overflow Vulnerabilities in AOS Processes (CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, CVE-2023-22757)
---------------------------------------------------------------------
There are buffer overflow vulnerabilities in multiple underlying operating system processes that could lead to unauthenticated remote code execution by sending specially crafted packets via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal References: ATLWL-269
Severity: High
CVSSv3 Overall Score: 8.1
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Haoliang Lu at the WuHeng Lab of ByteDance.

Resolved Versions: Please note that due to the complexity of the code changes involved it was not possible to backport changes for these specific vulnerabilities (CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, CVE-2023-22757) to AOS-8.6.x. Customers using firmware versions in the 8.6.x branch are urged to implement the workaround listed in this section or to upgrade to AOS-8.10.x.

Workaround: Enable CPSec. Contact HPE Services - Aruba Networking for any configuration assistance. For AOS-10.x, this vulnerability does not apply.
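Every PAPI item above comes down to the same operational control: UDP/8211 on a controller or gateway should only ever be reached from access points, other controllers and the conductor. Where that boundary cannot be enforced immediately, it can at least be watched. The script below is an added example, not HPE Aruba Networking code and not part of this advisory. It parses constructed flow records of the form `timestamp src dst proto dport bytes` (the layout, the AP subnets and the controller addresses are all assumptions made for the example), allowlists the AP VLANs and controller addresses, and reports any PAPI flow to a controller from another source. A malformed record is skipped rather than allowed to stop the monitor.

```python
"""Report PAPI (UDP/8211) flows reaching controllers from sources that are
not known access points, controllers or the conductor.

Added example, not HPE Aruba Networking code. Flow-record layout
(timestamp src dst proto dport bytes) and all addresses are constructed
for the example; adapt parse_flow() to your firewall or flow exporter.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

PAPI_PORT = 8211

# Constructed policy: AP VLANs and controller/conductor addresses that may
# legitimately send PAPI to a controller.
AP_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.1.0/24", "10.20.2.0/24")]
CONTROLLERS = {ipaddress.ip_address(a) for a in ("10.0.0.5", "10.0.0.6")}

# Constructed flow records, not real traffic. The 203.0.113.44 and
# 192.168.50.9 records come from outside the AP VLANs; the last record is
# deliberately malformed.
SAMPLE_FLOWS = """\
2024-11-22T10:00:01Z 10.20.1.15 10.0.0.5 udp 8211 412
2024-11-22T10:00:02Z 10.20.1.16 10.0.0.5 udp 8211 388
2024-11-22T10:00:03Z 203.0.113.44 10.0.0.5 udp 8211 1460
2024-11-22T10:00:04Z 192.168.50.9 10.0.0.5 udp 8211 900
2024-11-22T10:00:05Z 10.20.1.15 10.0.0.5 tcp 4343 5000
2024-11-22T10:00:06Z 10.0.0.6 10.0.0.5 udp 8211 300
2024-11-22T10:00:07Z 10.20.1.15 10.0.0.5 udp 8211 not-a-number
"""


def parse_flow(line: str) -> Optional[dict]:
    """One whitespace-separated record -> dict, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, nbytes = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None  # skip junk instead of taking the monitor down


def is_trusted_papi_source(addr) -> bool:
    """True for controllers/conductor and anything inside an AP VLAN."""
    ip = ipaddress.ip_address(str(addr))
    return ip in CONTROLLERS or any(ip in net for net in AP_NETWORKS)


def find_rogue_papi(lines: Iterable[str]) -> List[dict]:
    """PAPI flows to a controller whose source is not on the allowlist."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "udp" or flow["dport"] != PAPI_PORT:
            continue
        if flow["dst"] in CONTROLLERS and not is_trusted_papi_source(flow["src"]):
            alerts.append(flow)
    return alerts


def summarize(alerts: Iterable[dict]) -> Dict[str, int]:
    """Flow count per offending source address."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[str(a["src"])] = counts.get(str(a["src"]), 0) + 1
    return counts


if __name__ == "__main__":
    for a in find_rogue_papi(SAMPLE_FLOWS.splitlines()):
        print(f"{a['ts']} PAPI from untrusted {a['src']} -> {a['dst']} ({a['bytes']} bytes)")
```

Run against the constructed sample it reports two flows, from 203.0.113.44 and 192.168.50.9; the controller-to-controller flow and the AP flows pass, the TCP/4343 flow is ignored, and the malformed line is dropped. The same allowlist is what the firewall policy in the Workaround section should encode, so a non-empty report means either the policy has a gap or an unexpected device is speaking PAPI.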
Authenticated Read Buffer Overruns Processing ASN.1 Strings in AOS (CVE-2021-3712)
---------------------------------------------------------------------
A vulnerability exists which allows an authenticated attacker to access sensitive information via the AOS web-based management interface. Successful exploitation allows an attacker to gain access to some data in a cleartext format, exposing other network infrastructure to further compromise.

Internal References: ATLWL-295
Severity: High
CVSSv3.1 Overall Score: 7.4
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

Discovery: This vulnerability was discovered and reported by Ingo Schwarze.

Workaround: None. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.

Authenticated Remote Command Execution in AOS Web-based Management Interface (CVE-2023-22758, CVE-2023-22759, CVE-2023-22760, CVE-2023-22761)
---------------------------------------------------------------------
Authenticated remote command injection vulnerabilities exist in the AOS web-based management interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running AOS.

Internal References: ATLWL-177, ATLWL-265, ATLWL-274, ATLWL-276
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz), Erik de Jong (bugcrowd.com/erikdejong) and Nikita Abramov via HPE Aruba Networking's Bug Bounty Program.

Workaround: Block access to the AOS web-based management interface from all untrusted users.
Authenticated Remote Command Execution in the AOS Command Line Interface (CVE-2023-22762, CVE-2023-22763, CVE-2023-22764, CVE-2023-22765, CVE-2023-22766, CVE-2023-22767, CVE-2023-22768, CVE-2023-22769, CVE-2023-22770)
---------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the AOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.

Internal References: ATLWL-103, ATLWL-203, ATLWL-206, ATLWL-221, ATLWL-227, ATLWL-229, ATLWL-240, ATLWL-314, ATLWL-319
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) and Daniel Jensen (@dozernz) via HPE Aruba Networking's Bug Bounty Program.

Workaround: See the Workaround section at the end of this document.

Insufficient Session Expiration in AOS Command Line Interface (CVE-2023-22771)
---------------------------------------------------------------------
An insufficient session expiration vulnerability exists in the AOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impacted account.

Internal References: ATLWL-117
Severity: Medium
CVSSv3 Overall Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Mitchell Pompe of Netskope.

Workaround: Block access to the AOS command line interface from all untrusted users.

Authenticated Path Traversal in AOS Web-based Management Interface Allows for Arbitrary File Deletion (CVE-2023-22772)
---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in the AOS web-based management interface.
Successful exploitation of this vulnerability results in the ability to delete arbitrary files in the underlying operating system.

Internal References: ATLWL-277
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Discovery: This vulnerability was discovered and reported by Nikita Abramov via HPE Aruba Networking's Bug Bounty Program.

Workaround: Block access to the AOS web-based management interface from all untrusted users.

Authenticated Path Traversal in AOS Command Line Interface Allows for Arbitrary File Deletion (CVE-2023-22773, CVE-2023-22774)
---------------------------------------------------------------------
Authenticated path traversal vulnerabilities exist in the AOS command line interface. Successful exploitation of these vulnerabilities results in the ability to delete arbitrary files in the underlying operating system.

Internal References: ATLWL-228, ATLWL-230
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's Bug Bounty Program.

Workaround: Block access to the AOS command line interface from all untrusted users.

Authenticated Sensitive Information Disclosure in AOS Command Line Interface (CVE-2023-22775)
---------------------------------------------------------------------
A vulnerability exists which allows an authenticated attacker to access sensitive information on the AOS command line interface. Successful exploitation could allow access to data beyond what is authorized by the user's existing privilege level.

Internal References: ATLWL-121
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via HPE Aruba Networking's Bug Bounty Program.
Workaround: Block access to the AOS command line interface from all untrusted users.

Authenticated Remote Path Traversal in AOS Command Line Interface Allows for Arbitrary File Read (CVE-2023-22776)
---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in the AOS command line interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files on the underlying operating system, including sensitive system files.

Internal References: ATLWL-127
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Nicholas Starke of Aruba Threat Labs.

Workaround: Block access to the AOS command line interface from all untrusted users.

Authenticated Information Disclosure in AOS Web-based Management Interface (CVE-2023-22777)
---------------------------------------------------------------------
An authenticated information disclosure vulnerability exists in the AOS web-based management interface. Successful exploitation of this vulnerability results in the ability to read arbitrary files in the underlying operating system.

Internal References: ATLWL-275
Severity: Medium
CVSSv3 Overall Score: 4.9
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by Nikita Abramov via HPE Aruba Networking's Bug Bounty Program.

Workaround: Block access to the AOS web-based management interface from all untrusted users.

Authenticated Stored Cross-Site Scripting (CVE-2023-22778)
---------------------------------------------------------------------
A vulnerability in the AOS web management interface could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.
A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.

Internal References: ATLWL-32
Severity: Medium
CVSSv3 Overall Score: 4.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Discovery: This vulnerability was discovered and reported by Phil Purviance (@superevr) via HPE Aruba Networking's Bug Bounty Program.

Workaround: See the Workaround section at the end of this document.

Resolution
==========
PLEASE NOTE - To fully patch all the vulnerabilities disclosed above customers must upgrade to the following versions:
- AOS-8.10.x.x: 8.10.0.5 and above
- AOS-8.11.x.x: 8.11.0.0 and above
- AOS-10.3.x.x: 10.3.1.1 and above
- SD-Branch 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.9 and above

Customers who choose to implement the workarounds listed in the Workaround section below should note that all other vulnerabilities listed in this document are addressed by the following versions:
- AOS-8.6.x.x: 8.6.0.20 and above (not all issues are fixed in 8.6.x.x; the fixes for CVE-2023-22753 through CVE-2023-22757 could not be backported to this branch, see the Details section above)
- AOS-8.10.x.x: 8.10.0.5 and above
- AOS-8.11.x.x: 8.11.0.0 and above
- AOS-10.3.x.x: 10.3.1.1 and above
- SD-Branch 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.9 and above

NOTE: At the time of publishing Revision 4 of this Security Advisory, the following AOS software release trains had reached their End of Maintenance (EoM) milestone:
- AOS-8.6.x.x: all
- AOS-8.11.x.x: all
- AOS-10.3.x.x: all
- AOS-10.5.x.x: all
- AOS-10.6.x.x: all
- SD-Branch 8.7.0.0-2.3.0.x: all

Software versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal.
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch AOS branches that have reached their End of Maintenance (EoM) milestone.
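Mapping a running version onto the Affected Software Versions and Resolution lists above by hand is error-prone: four-component version numbers, a dashed SD-Branch format, End of Life trains that are affected but never patched, and an 8.6.x branch that 8.6.0.20 fixes only partially. The script below is an added example, not HPE Aruba Networking code and not part of this advisory. Its branch tables are transcribed from the two lists above; the `show version` text layout that extract_version() parses is an assumption about the CLI output, not something this advisory states. A result of not_listed means the advisory says nothing about that train (for example AOS-10.4 and later), not that the train is safe.

```python
"""Classify an AOS / SD-Branch version against ARUBA-PSA-2023-002.

Added example, not HPE Aruba Networking code. Branch tables are transcribed
from the advisory's Affected Software Versions and Resolution sections.
The `show version` text layout parsed by extract_version() is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Maintained AOS branches: first two components -> (last affected, first fixed)
AOS_BRANCHES: Dict[Tuple[int, int], Tuple[Version, Version]] = {
    (8, 6): ((8, 6, 0, 19), (8, 6, 0, 20)),
    (8, 10): ((8, 10, 0, 4), (8, 10, 0, 5)),
    (10, 3): ((10, 3, 1, 0), (10, 3, 1, 1)),
}
# End of Life trains: every version affected, nothing patched by this advisory.
EOL_AOS_PREFIXES: List[Version] = [(6, 5, 4), (8, 7), (8, 8), (8, 9)]
# Fixes that could not be backported to 8.6.x (CVE-2023-22753 .. CVE-2023-22757).
NOT_FIXED_IN_8_6 = [f"CVE-2023-{n}" for n in range(22753, 22758)]
# First version that closes everything for an 8.6.x customer (Resolution section).
FULL_FIX_FOR_8_6 = "8.10.0.5"

# SD-Branch images look like "<train>-<build>", e.g. 8.7.0.0-2.3.0.8.
SDB_AFFECTED_TRAIN, SDB_LAST_AFFECTED, SDB_FIRST_FIXED = "8.7.0.0", (2, 3, 0, 8), (2, 3, 0, 9)
SDB_EOL_TRAIN = "8.6.0.4"


def parse_dotted(s: str) -> Version:
    """'8.10.0.4' -> (8, 10, 0, 4); raises ValueError on anything else."""
    return tuple(int(p) for p in s.strip().split("."))


def dotted(v: Version) -> str:
    return ".".join(str(p) for p in v)


def extract_version(show_version_output: str) -> str:
    """Pull the version token out of `show version` text (layout assumed, e.g.
    'ArubaOS (MODEL: Aruba7210), Version 8.10.0.4')."""
    m = re.search(r"Version\s+(\d+(?:\.\d+)+(?:-\d+(?:\.\d+)+)?)", show_version_output)
    if not m:
        raise ValueError("no version string found")
    return m.group(1)


def _result(status: str, fix: Optional[str] = None, unfixed: Optional[List[str]] = None) -> dict:
    return {"status": status, "fix": fix, "unfixed_cves": list(unfixed or [])}


def classify(version: str) -> dict:
    """status: affected | fixed | fixed_partial | eol | not_listed.
    'fix' is the first version that closes the gap, when one exists."""
    if "-" in version:  # SD-Branch gateway image
        train, build = version.split("-", 1)
        if train == SDB_EOL_TRAIN:
            return _result("eol")
        if train != SDB_AFFECTED_TRAIN:
            return _result("not_listed")
        if parse_dotted(build) <= SDB_LAST_AFFECTED:
            return _result("affected", fix=f"{SDB_AFFECTED_TRAIN}-{dotted(SDB_FIRST_FIXED)}")
        return _result("fixed")

    v = parse_dotted(version)
    if any(v[: len(p)] == p for p in EOL_AOS_PREFIXES):
        return _result("eol")

    branch = v[:2]
    if branch in AOS_BRANCHES:
        last_affected, first_fixed = AOS_BRANCHES[branch]
        # Compare on the four components the advisory uses; a trailing build
        # component never lifts a version above "last affected".
        v4 = (v + (0, 0, 0, 0))[:4]
        if v4 <= last_affected:
            unfixed = NOT_FIXED_IN_8_6 if branch == (8, 6) else []
            return _result("affected", fix=dotted(first_fixed), unfixed=unfixed)
        if branch == (8, 6):
            return _result("fixed_partial", fix=FULL_FIX_FOR_8_6, unfixed=NOT_FIXED_IN_8_6)
        return _result("fixed")

    # "AOS-8.11.x.x: 8.11.0.0 and above" carries every fix.
    if (8, 11) <= branch < (9, 0):
        return _result("fixed")
    return _result("not_listed")


if __name__ == "__main__":
    for sample in ("ArubaOS (MODEL: Aruba7210), Version 8.6.0.20",
                   "ArubaOS (MODEL: Aruba7005), Version 8.7.0.0-2.3.0.8"):
        ver = extract_version(sample)
        print(ver, classify(ver))
```

For an 8.6.x device the answer is deliberately never a plain "fixed": 8.6.0.19 and below report affected with the five non-backported CVEs attached, and 8.6.0.20 and above report fixed_partial with the same list and 8.10.0.5 as the version that actually closes them, matching the note in the Resolution section.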
For Software Release End of Life information, visit:
https://networkingsupport.hpe.com/notifications;notificationPageSize=100;notificationSortBy=announcementDate;notificationSortDir=desc;notificationCategory=Software%20Release%20End%20of%20Life;

Workaround
==========
To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the communication between Controllers/Gateways and Access Points be restricted, either by having a dedicated layer 2 segment/VLAN or, if Controllers/Gateways and Access Points cross layer 3 boundaries, by having firewall policies restricting the communication to these authorized devices.

For mitigating the PAPI related vulnerabilities, we have no available workaround. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.

Vulnerability specific workarounds are listed per vulnerability above.

Please note that this advisory contains specific workarounds and patching instructions for critical security vulnerabilities. You may contact HPE Services - Aruba Networking for assistance if needed.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory.

Revision History
================
Revision 1 / 2023-Feb-28 / Initial release
Revision 2 / 2023-Mar-10 / Changed reporter acknowledgment for Haoliang Lu
Revision 3 / 2024-Oct-23 / Updated Workaround and Resolution sections for PAPI vulnerabilities.
Revision 4 / 2024-Oct-23 / Formatting update.
Revision 5 / 2024-Nov-22 / Updated Workaround sections for PAPI vulnerabilities.
HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmc/ph0XHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE65ORgwAhrErI597hpFCPUEayHAhGVoo
ECS59LmvLfejJjszk28OC8ugQgDPTU58s/ZXjS5hX4n2IaXdfv9uAV/62s9OXBYh
uSkMlm7yJi/K6RWtft0PgJuJNL+LL7DmLpnzYHL+3QYHylf0/BslIEVJkBiFxIOP
5cWyMio78Wfqn5UGUGBnu6M+1p67aP4H8GXQcRJfH7fUyrJqv/uh+fLWIZSSHYqp
YdKiVxG4gZqRRNflYWjv/lii44RP4T7T+aSQJYoUcYYOkVsYQowe4KdrwoFtHAPX
HxhhAQ9vLFjcGoICvPU3QdSuacLmHzdIwNPg2DBXONJFvLmUj4x2hSpcnkIK2Bev
S3nosw8FQIqqhEJweZ2lUTXbHFUgvUpakFLRIVQupWVS1TEdsSJLJ20OSyWv/Ibu
O8eO9GAzWkw7ZuAMObmKc1uWnbXhiMNjx09Fr5mj3Aptovg/l1dDiv4wg3ISb9vr
9smnFAuVEOed7vUVvqAR/iznQMu2vBcXO6fpeaxQ
=yxcb
-----END PGP SIGNATURE-----