-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2024-004
CVE: CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, CVE-2024-33512,
     CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516,
     CVE-2024-33517, CVE-2024-33518
Publication Date: 2024-Apr-30
Last Updated: 2024-Nov-22
Status: Confirmed
Severity: Critical
Revision: 5

Title
=====
HPE Aruba Networking Controller and Gateway-Based AOS Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for AOS that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
  - Mobility Conductor (formerly Mobility Master)
  - Mobility Controllers
  - WLAN Gateways and SD-Branch Gateways managed by Aruba Central

Affected Software Versions:
  - AOS-10.5.x.x: 10.5.1.0 and below
  - AOS-10.4.x.x: 10.4.1.0 and below
  - AOS-8.11.x.x: 8.11.2.1 and below
  - AOS-8.10.x.x: 8.10.0.10 and below

The following AOS and SD-Branch software versions that are End of Maintenance (EoM) are affected by these vulnerabilities and are not patched by this advisory:
  - AOS-10.3.x.x: all
  - AOS-8.9.x.x: all
  - AOS-8.8.x.x: all
  - AOS-8.7.x.x: all
  - AOS-8.6.x.x: all
  - AOS-6.5.4.x: all
  - SD-Branch 8.7.0.0-2.3.0.x: all
  - SD-Branch 8.6.0.4-2.2.x.x: all

Details
=======

Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon
Accessed via the PAPI Protocol (CVE-2024-26305)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying Utility daemon that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port 8211. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal Reference: ATLWL-446
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: None. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.

For AOS-10.x, this vulnerability does not apply.

Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management
Service Accessed via the PAPI Protocol (CVE-2024-26304)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal Reference: ATLWL-445
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: None. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.

For AOS-10.x, this vulnerability does not apply.

Unauthenticated Buffer Overflow Vulnerability in the Automatic
Reporting Service Accessed via the PAPI Protocol (CVE-2024-33511)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying Automatic Reporting service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal Reference: ATLWL-441
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: None. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.

For AOS-10.x, this vulnerability does not apply.

Unauthenticated Buffer Overflow Vulnerability in the Local User
Authentication Database Accessed via the PAPI Protocol (CVE-2024-33512)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying Local User Authentication Database service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Internal Reference: ATLWL-444
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: None. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.

For AOS-10.x, this vulnerability does not apply.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the AP
Management Service Accessed via the PAPI Protocol (CVE-2024-33513)
---------------------------------------------------------------------
Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the AP Management service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected service.

Internal Reference: ATLWL-438
Severity: Medium
CVSSv3 Overall Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: These vulnerabilities were discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: Enable CPSec. Contact HPE Services - Aruba Networking for any configuration assistance.

For AOS-10.x, this vulnerability does not apply.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the AP
Management Service Accessed via the PAPI Protocol
(CVE-2024-33514, CVE-2024-33515)
---------------------------------------------------------------------
Unauthenticated Denial-of-Service (DoS) vulnerabilities exist in the AP Management service accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected service.

Internal Reference: ATLWL-458, ATLWL-460
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery: These vulnerabilities were discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: None.
Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.

For AOS-10.x, this vulnerability does not apply.

Unauthenticated Denial-of-Service (DoS) Vulnerability in Auth Service
Accessed via the PAPI Protocol (CVE-2024-33516)
---------------------------------------------------------------------
An unauthenticated Denial of Service (DoS) vulnerability exists in the Auth service accessed via the PAPI protocol provided by AOS. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the controller.

Internal Reference: ATLWL-424
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: None. Customers are urged to block access to port UDP/8211 from all untrusted networks and to apply patches listed in the resolution section at their next patching opportunity.

For AOS-10.x, this vulnerability does not apply.

Unauthenticated Denial-of-Service (DoS) Vulnerability in the Radio
Frequency Manager Service Accessed via the PAPI Protocol (CVE-2024-33517)
---------------------------------------------------------------------
An unauthenticated Denial-of-Service (DoS) vulnerability exists in the Radio Frequency Manager service accessed via the PAPI protocol. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected service.

Internal Reference: ATLWL-459
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery: This vulnerability was discovered and reported by Chancen via HPE Aruba Networking's bug bounty program.

Workaround: Enable CPSec. Contact HPE Services - Aruba Networking for any configuration assistance.

For AOS-10.x, this vulnerability does not apply.

Unauthenticated Buffer Overflow Vulnerability in the Radio Frequency
Daemon Accessed via the PAPI Protocol (CVE-2024-33518)
---------------------------------------------------------------------
There is a buffer overflow vulnerability in the underlying Radio Frequency daemon accessed via the PAPI protocol provided by AOS. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the controller.

Internal Reference: ATLWL-466
Severity: Medium
CVSSv3 Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery: This vulnerability was discovered and reported by XiaoC from Moonlight Bug Hunter via HPE Aruba Networking's bug bounty program.

Workaround: Enable CPSec. Contact HPE Services - Aruba Networking for any configuration assistance.

For AOS-10.x, this vulnerability does not apply.

Resolution
==========
Upgrade HPE Aruba Networking Mobility Controllers, Mobility Conductors and Gateways to one of the following AOS versions (as applicable) to resolve all the vulnerabilities described in the details section:
  - AOS-10.6.x.x: 10.6.0.0 and above
  - AOS-10.5.x.x: 10.5.1.1 and above
  - AOS-10.4.x.x: 10.4.1.1 and above
  - AOS-8.12.x.x: 8.12.0.0 and above
  - AOS-8.11.x.x: 8.11.2.2 and above
  - AOS-8.10.x.x: 8.10.0.12 and above

NOTE: At the time of publishing of this Revision-4 of the Security Advisory, the following AOS software release trains have reached their End of Maintenance (EoM) milestone:
  - AOS-10.6.x.x : all
  - AOS-10.5.x.x : all
  - AOS-8.11.x.x : all

Software versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal.
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch AOS-branches that have reached their End of Maintenance (EoM) milestone.

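An added example, not part of HPE's advisory: a Python triage helper that classifies four-part AOS version strings against the affected and fixed version lists given above. The function names, status labels and sample inventory are assumptions of this example; SD-Branch version strings are not parsed and are returned as "unparsed" for manual review.

```python
# Added example; version bounds are transcribed from this advisory's lists.
# train -> (highest version listed as affected, lowest version listed as fixed)
PATCHED_TRAINS = {
    (10, 6): (None, (10, 6, 0, 0)),
    (10, 5): ((10, 5, 1, 0), (10, 5, 1, 1)),
    (10, 4): ((10, 4, 1, 0), (10, 4, 1, 1)),
    (8, 12): (None, (8, 12, 0, 0)),
    (8, 11): ((8, 11, 2, 1), (8, 11, 2, 2)),
    (8, 10): ((8, 10, 0, 10), (8, 10, 0, 12)),
}
# End of Maintenance trains listed as affected ("all") and not patched.
EOM_TRAINS = [(10, 3), (8, 9), (8, 8), (8, 7), (8, 6), (6, 5, 4)]

def parse(version):
    """Turn '8.10.0.7' into (8, 10, 0, 7); raise ValueError otherwise."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part AOS version: {version!r}")
    return tuple(int(p) for p in parts)

def classify(version):
    """Return a status label (labels are this example's own, not HPE's)."""
    try:
        v = parse(version)
    except ValueError:
        return "unparsed"        # e.g. SD-Branch strings: review by hand
    if any(v[:len(train)] == train for train in EOM_TRAINS):
        return "affected-eom"    # no fix in this train; change trains
    if v[:2] not in PATCHED_TRAINS:
        return "unlisted"        # the advisory does not mention this train
    max_affected, min_fixed = PATCHED_TRAINS[v[:2]]
    if v >= min_fixed:
        return "fixed"
    if max_affected is not None and v <= max_affected:
        return "affected"
    # Between the bounds, e.g. 8.10.0.11, which Revision 2 replaced with
    # 8.10.0.12: not a listed fix, so it still needs the upgrade.
    return "below-fixed"

def triage(inventory):
    """Map {hostname: version string} to {hostname: status}."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = {"mc-1": "8.10.0.10", "mc-2": "8.10.0.11", "mc-3": "8.10.0.12",
          "gw-1": "10.4.1.0", "old-1": "6.5.4.20", "gw-2": "8.7.0.0-2.3.0.5"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
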
For Software Release End of Life information, visit:
https://networkingsupport.hpe.com/notifications;notificationPageSize=100;notificationSortBy=announcementDate;notificationSortDir=desc;notificationCategory=Software%20Release%20End%20of%20Life;

Workaround
==========
Vulnerability specific workarounds are listed per vulnerability above. Contact HPE Services - Aruba Networking for any configuration assistance.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory.

Revision History
================
Revision 1 / 2024-Apr-30 / Initial release
Revision 2 / 2024-May-20 / Replaced 8.10.0.11 with 8.10.0.12 due to problems with the 8.10.0.11 release, Updated Resolution information, Corrected Severity for CVE-2024-33518, Changed end of life information.
Revision 3 / 2024-Oct-23 / Updated Workaround sections for PAPI vulnerabilities.
Revision 4 / 2024-Oct-23 / Formatting update.
Revision 5 / 2024-Nov-22 / Updated Workaround sections for PAPI vulnerabilities.

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.