-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
=============================================

Advisory ID: HPESBNW04888
CVE: CVE-2025-37155, CVE-2025-37156, CVE-2024-12084, CVE-2024-12085,
     CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747,
     CVE-2025-37157, CVE-2025-37158, CVE-2025-26466, CVE-2025-37159,
     CVE-2025-37160
Publication Date: 2025-Nov-18
Status: Confirmed
Severity: High
Revision: 1

Title
=====

HPE Aruba Networking AOS-CX, Multiple Vulnerabilities

Overview
========

HPE Aruba Networking has released AOS-CX software patches to address
multiple security vulnerabilities.

Affected Products
=================

HPE Aruba Networking AOS-CX Software Version(s):

- AOS-CX 10.16.xxxx: 10.16.1000 and below
- AOS-CX 10.15.xxxx: 10.15.1020 and below
- AOS-CX 10.14.xxxx: 10.14.1050 and below
- AOS-CX 10.13.xxxx: 10.13.1090 and below
- AOS-CX 10.10.xxxx: 10.10.1160 and below

Software versions of AOS-CX that are End of Support at the time of
publication of this security advisory are expected to be affected by
these vulnerabilities unless otherwise indicated.

Unaffected Products
===================

Any other supported AOS-CX software versions not listed under the
Affected Products section of this advisory are not known to be affected
by the disclosed vulnerabilities.

Details
=======

Authenticated Privilege Escalation Allows Unauthorized Access in
Network Management Interface (CVE-2025-37155)
- ---------------------------------------------------------------------

A vulnerability in the SSH restricted shell interface of the network
management services allows improper access control for authenticated
read-only users. If successfully exploited, this vulnerability could
allow an attacker with read-only privileges to gain administrator
access on the affected system.
Internal References: ATLAX-106
Severity: High
CVSS v3.1 Base Score: 7.8
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by Angelo
Catalani and Giacomo Gloria from the Italian National Cybersecurity
Agency (ACN) to HPE Aruba Networking SIRT.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above, along with accounting controls for tracking and logging user
activities and resource usage.

ArubaOS-CX Platform-Level Denial-of-Service Vulnerability
(CVE-2025-37156)
- ---------------------------------------------------------------------

A platform-level denial-of-service (DoS) vulnerability exists in
ArubaOS-CX software. Successful exploitation of this vulnerability
could allow an attacker with administrative access to execute specific
code that renders the switch non-bootable and effectively
non-functional.

Internal References: ATLAX-85
Severity: Medium
CVSS v3.1 Base Score: 6.8
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Discovery: This vulnerability was discovered and reported by Nicholas
Starke from HPE Aruba Networking SIRT.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above, along with accounting controls for tracking and logging user
activities and resource usage.
Multiple Vulnerabilities in Rsync Daemon allow for Remote Code
Execution, Directory Traversal, and Sensitive Information Disclosure
(CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087,
CVE-2024-12088, CVE-2024-12747)
- ---------------------------------------------------------------------

Rsync, a versatile file-synchronizing tool, contains six
vulnerabilities present within versions 3.3.0 and below. Rsync can be
used to sync files between remote and local computers, as well as
storage devices. The discovered vulnerabilities include heap-buffer
overflow, information leak, file leak, external directory file-write,
safe-links bypass, and symbolic-link race condition.

Internal References: ATLAX-89
Severity: Medium
CVSS v3.1 Base Score: 6.7
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Discovery: This vulnerability was discovered and disclosed by Simon
Scannel, Pedro Gallegos, and Jasiel Spelman from Google Cloud
Vulnerability Research, and Aleksei Gorban.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above, along with accounting controls for tracking and logging user
activities and resource usage.

Note: The Rsync vulnerabilities listed above are reported according to
the public information found in the NVD. Despite being included in all
AOS-CX platforms, the potential for exploitation of Rsync in these
platforms is very low. As this is a component of the underlying
operating system, the only risk for exploitation on most deployments of
AOS-CX would stem from an administrator user that starts a shell in the
underlying OS and runs Rsync directly. For AOS-CX VSF deployments,
exploitation is limited to attacks that leverage physical access to a
vulnerable device.
Authenticated Command Injection allows Unauthorized Command Execution
in AOS-CX (CVE-2025-37157, CVE-2025-37158)
- ---------------------------------------------------------------------

A command injection vulnerability exists in the AOS-CX Operating
System. Successful exploitation could allow an authenticated remote
attacker to conduct a Remote Code Execution (RCE) on the affected
system.

Internal References: ATLAX-96, ATLAX-98
Severity: Medium
CVSS v3.1 Base Score: 6.7
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by zzcentury
from Ubisectech Sirius Team through HPE Aruba Networking's Bug Bounty
Program.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above, along with accounting controls for tracking and logging user
activities and resource usage.

Denial-of-Service (DoS) attack against OpenSSH's client and server
(CVE-2025-26466)
- ---------------------------------------------------------------------

The OpenSSH client and server are vulnerable to a pre-authentication
denial-of-service attack: an asymmetric resource consumption of both
memory and CPU. This vulnerability was introduced in August 2023
(shortly before OpenSSH 9.5p1) by commit dce6d80 ("Introduce a
transport-level ping facility").

Internal References: ATLAX-102
Severity: Medium
CVSS v3.1 Base Score: 5.9
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered and disclosed by Qualys
Threat Research Unit (TRU). Please refer to the link below for
additional details:
https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt
Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above, along with accounting controls for tracking and logging user
activities and resource usage.

Authenticated Session Hijacking Allows Unauthorized Access in Network
Switching Software (CVE-2025-37159)
- ---------------------------------------------------------------------

A vulnerability in the web management interface of the AOS-CX OS user
authentication service could allow an authenticated remote attacker to
hijack an active user session. Successful exploitation may enable the
attacker to maintain unauthorized access to the session, potentially
leading to the viewing or modification of sensitive configuration data.

Internal References: ATLAX-97
Severity: Medium
CVSS v3.1 Base Score: 5.8
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Discovery: This vulnerability was discovered and reported by 0x50d
through HPE Aruba Networking's Bug Bounty program.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends temporarily disabling
the web management interface until the permanent fix is applied.

Authenticated Broken Access Control (BAC) in REST API Configuration
Service (CVE-2024-37160)
- ---------------------------------------------------------------------

A broken access control (BAC) vulnerability in the web-based management
interface could allow an authenticated remote attacker with low
privileges to view sensitive information. Successful exploitation of
this vulnerability could enable the attacker to disclose sensitive
data.
Internal References: ATLAX-79
Severity: Medium
CVSS v3.1 Base Score: 5.3
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Discovery: This vulnerability was discovered and reported by dugisan3rd
from Farzul Nizam through HPE Aruba Networking's Bug Bounty Program.

Workaround: To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above, along with accounting controls for tracking and logging user
activities and resource usage.

Resolution
==========

To address the vulnerabilities described above in the affected software
branches, it is recommended to upgrade HPE Aruba Networking AOS-CX to
one of the following versions (as applicable):

- AOS-CX 10.16.xxxx: AOS-CX 10.16.1006 and above
- AOS-CX 10.15.xxxx: AOS-CX 10.15.1030 and above
- AOS-CX 10.14.xxxx: AOS-CX 10.14.1060 and above
- AOS-CX 10.13.xxxx: AOS-CX 10.13.1101 and above
- AOS-CX 10.10.xxxx: AOS-CX 10.10.1170 and above

Software versions with resolution/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal at
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch software branches that
have reached their End of Maintenance (EoM) milestone. For more
information about HPE Aruba Networking End of Life policy please visit:
https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========

Vulnerability specific workarounds are listed per vulnerability above.
You may contact HPE Services - Aruba Networking - for assistance if
needed.
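The Affected Products and Resolution sections together define, per release branch, a highest affected build and a lowest fixed build. The following is an added example (not HPE Aruba Networking code) that turns those two tables into a version check a fleet inventory script could call: given an AOS-CX version string such as 10.15.1020, it reports whether the version is affected, which build the advisory says to upgrade to, and flags the two cases the advisory does not cover (a build between the affected and fixed bounds, and a branch not listed at all). The table is copied from this advisory; the assumption that AOS-CX versions are three dotted integers (major.minor.build) is the example's own.

```python
"""Checks an AOS-CX version against the affected/fixed table in advisory
HPESBNW04888.  Added example, not HPE Aruba Networking code.  Assumes
versions are dotted numerics of the form major.minor.build."""
from typing import NamedTuple, Optional, Tuple


class Branch(NamedTuple):
    branch: str          # release branch, e.g. "10.16"
    last_affected: str   # "and below" bound from Affected Products
    first_fixed: str     # "and above" bound from Resolution


# Copied from the Affected Products and Resolution sections of the advisory.
BRANCHES = [
    Branch("10.16", "10.16.1000", "10.16.1006"),
    Branch("10.15", "10.15.1020", "10.15.1030"),
    Branch("10.14", "10.14.1050", "10.14.1060"),
    Branch("10.13", "10.13.1090", "10.13.1101"),
    Branch("10.10", "10.10.1160", "10.10.1170"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build' into a comparable integer tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS-CX version: {version!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def assess(version: str) -> dict:
    """Classify a version against the advisory.

    status is one of:
      affected        - at or below the branch's 'and below' bound
      fixed           - at or above the branch's 'and above' bound
      unlisted-build  - between the two bounds; the advisory is silent
      unlisted-branch - branch not in the table; not known to be affected
                        (End of Support branches are expected to be)
    upgrade_to is the branch's first fixed build where one applies.
    """
    v = parse_version(version)
    branch_key = f"{v[0]}.{v[1]}"
    for b in BRANCHES:
        if b.branch != branch_key:
            continue
        if v <= parse_version(b.last_affected):
            return {"version": version, "status": "affected",
                    "upgrade_to": b.first_fixed}
        if v >= parse_version(b.first_fixed):
            return {"version": version, "status": "fixed",
                    "upgrade_to": None}
        return {"version": version, "status": "unlisted-build",
                "upgrade_to": b.first_fixed}
    return {"version": version, "status": "unlisted-branch",
            "upgrade_to": None}


def affected_versions(versions) -> list:
    """Return the subset of an inventory that still needs the upgrade."""
    return [assess(v) for v in versions if assess(v)["status"] == "affected"]


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = ["10.16.1000", "10.15.1030", "10.14.1055", "10.12.1000"]
    for verdict in (assess(v) for v in inventory):
        print(verdict)
```

Treat "unlisted-build" as a prompt to confirm against the Support Portal rather than as "not affected": the advisory only names the boundary builds, and a build between them is not covered by either statement.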
Please visit HPE Aruba Networking Support Portal for more information:
https://networkingsupport.hpe.com/home

HPE Aruba Networking AOS-CX Security Hardening
==============================================

For general information on hardening HPE Aruba Networking AOS-CX
switches against security threats please refer to the HPE Aruba
Networking AOS-CX Security Hardening Guides for your specific switch
model and version of AOS-CX. The guides can be found at the following
link:
https://arubanetworking.hpe.com/techdocs/AOS-CX/help_portal/Content/home.htm

Exploitation and Public Discussion
==================================

HPE Aruba Networking is not aware of any public discussion or exploit
code targeting these specific vulnerabilities as of the release date of
the advisory, except for the Rsync vulnerabilities (CVE-2024-12084,
CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088,
CVE-2024-12747), which have already been publicly disclosed through the
VINCE CERT Coordination Center, and the OpenSSH vulnerability
CVE-2025-26466, which has also already been publicly disclosed by
Red Hat and is available at
https://access.redhat.com/security/cve/CVE-2025-26466.

Scoring for public CVEs that have already been disclosed is based on
generally accepted NVD scores. The scores of these publicly disclosed
vulnerabilities do not account for the different attack conditions
present in AOS-CX, which severely mitigate the likelihood of their
exploitation, as noted in the Details section above.
More information can be found at:
https://www.kb.cert.org/vuls/id/952657

Revision History
================

Revision 1 / 2025-Nov-18 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================

Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt@hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP.

This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmkbYt0XHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE647kAv7BNEt3KMe+fyctnc0MOV2/ffE
gFBG9AgGspGDIlA3XV5l41R2/aUEaK97HifKDPLwtBAbrPZZ3yrbfwemLm6hCs7D
vrDpoh7LZsg/pM2X/C+Zl2sxrQ0rjb9YqmKFku+i6mGbVcEwnF401Mes+Kvvf6PY
11xl9J0JZjagy/m+epwgizmBtowOZSvR3hAIuV2ypDm9nOjuElQlggfcRDl5Fz3B
VaU0/CNda+DTZHmYHvs2WG6R3DXxgZhDp8qdeSJfKlUFb1CmBdizVx7jS90LMaif
pRMKim/G401cDciiXh/ozwzpHGnJ/yYA5UwHLQALMZqP8m2IspOOc1dyyEzPy9At
N379VAhlOXaTw4Ja1xPVVMAS2XB8UPytYIH4h+JbrOgANXf5dqTavjXr8d2kKVEU
pujpw41xuNKc+5sGbK6lN2T//67Uh15wLb9U5/dhles4Jb4cRctxCrrsB55W6ayI
WXfO66cQIYq20HrZlNE4wfKiCquKxkaKc8A3sD0m
=yenA
-----END PGP SIGNATURE-----