Source: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-012.txt


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aruba Product Security Advisory
===============================      
Advisory ID: ARUBA-PSA-2022-012
CVE: CVE-2022-23679, CVE-2022-23680, CVE-2022-23681, 
     CVE-2022-23682, CVE-2022-23683, CVE-2022-23684, 
     CVE-2022-23686, CVE-2022-23687, CVE-2022-23688, 
     CVE-2022-23689, CVE-2022-23690, CVE-2022-23691
Publication Date: 2022-Aug-30
Status: Confirmed
Severity: High
Revision: 1


Title
=====
AOS-CX Switches Multiple Vulnerabilities


Overview
========
Aruba has released updates for wired switch products running AOS-CX
that address multiple security vulnerabilities.


Affected Products
=================
Customers using the following switch models and firmware         
versions are affected by the vulnerabilities listed in this      
advisory.      

Aruba Switch Models:  
  - AOS-CX 10000 Switch Series
  - AOS-CX 9300 Switch Series 
  - AOS-CX 8400 Switch Series
  - AOS-CX 8360 Switch Series
  - AOS-CX 8325 Switch Series
  - AOS-CX 8320 Switch Series
  - AOS-CX 6400 Switch Series
  - AOS-CX 6300 Switch Series
  - AOS-CX 6200F Switch Series
  - AOS-CX 6100 Switch Series
  - AOS-CX 6000 Switch Series
  - AOS-CX 4100i Switch Series

Software branch versions: 
  - AOS-CX 10.10.xxxx: 10.10.0002 and below.
  - AOS-CX 10.09.xxxx: 10.09.1020 and below. 
  - AOS-CX 10.08.xxxx: 10.08.1060 and below.       
  - AOS-CX 10.06.xxxx: 10.06.0200 and below.

Not all vulnerabilities in this advisory affect all AOS-CX 
branches. If an AOS-CX branch is not listed as affected, it 
means that any AOS-CX version in that given branch is not 
affected. For example, the 10.10.xxxx branch is not affected 
by CVE-2022-23684. 

CVE-2022-23691 only affects the following models:
  - AOS-CX 10000 Switch Series
  - AOS-CX 9300 Switch Series 
  - AOS-CX 8325 Switch Series
  - AOS-CX 8320 Switch Series

The following unsupported branches of AOS-CX software 
were not validated and may contain these vulnerabilities: 
  
  - AOS-CX 10.07.xxxx  
  - AOS-CX 10.05.xxxx and below.
 

Unaffected Products
===================
Any other Aruba products not listed above including
AOS-S Switches, Aruba Intelligent Edge Switches, and HPE
OfficeConnect Switches are not affected by these vulnerabilities.


Details
======= 
 
  Failure to provide CSRF Protection (CVE-2022-23679, CVE-2022-23680)      
  ---------------------------------------------------------------------    
    AOS-CX lacks Anti-CSRF protections in place for state-changing
    operations. This can potentially be exploited by an attacker to
    execute commands in the context of another user.

    Internal references: ATLAX-4   
    Severity: High
    CVSSv3 Overall Score: 8.3 
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

    Discovery: These vulnerabilities were discovered and reported by
    Zombiehelp54 (bugcrowd.com/zombiehelp54) via Aruba's Bugcrowd
    program and Ken Pyle - Partner & Exploit Developer, CYBIR & 
    Graduate Professor of Cybersecurity at Chestnut Hill College.

    Affected Versions:
     - AOS-CX 10.10.xxxx: 10.10.0002 and below. 
     - AOS-CX 10.09.xxxx: 10.09.1020 and below. 
     - AOS-CX 10.08.xxxx: 10.08.1060 and below. 
     - AOS-CX 10.06.xxxx: 10.06.0200 and below.

    Resolved Versions:
     - AOS-CX 10.10.xxxx: 10.10.1000 and above. 
     - AOS-CX 10.09.xxxx: 10.09.1030 and above.
     - AOS-CX 10.08.xxxx: 10.08.1070 and above.
     - AOS-CX 10.06.xxxx: 10.06.0210 and above.


  Authenticated Command Injection Vulnerability in AOS-CX Command 
  Line Interface (CVE-2022-23681, CVE-2022-23682)
  --------------------------------------------------------------------- 
    Multiple vulnerabilities exist in the AOS-CX command line interface
    that could lead to authenticated command injection. A successful
    exploit could allow an attacker to execute arbitrary commands as
    root on the underlying operating system leading to complete switch
    compromise.
    
    Internal references: ATLAX-52, ATLAX-53
    Severity: High 
    CVSSv3 Overall Score: 7.2
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	

    Discovery: These vulnerabilities were discovered and reported by
    Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug 
    Bounty Program.
    
    Affected Versions:
     - AOS-CX 10.09.xxxx: 10.09.1030 and below.
     - AOS-CX 10.08.xxxx: 10.08.1030 and below.
     - AOS-CX 10.06.xxxx: 10.06.0180 and below.

    Resolved Versions:                            
     - AOS-CX 10.10.xxxx: 10.10.0002 and above.                 
     - AOS-CX 10.09.xxxx: 10.09.1040 and above.                  
     - AOS-CX 10.08.xxxx: 10.08.1080 and above.
     - AOS-CX 10.06.xxxx: 10.06.0220 and above.

  Authenticated Remote Code Execution in AOS-CX Network Analytics 
  Engine (NAE) (CVE-2022-23683)                                  
  ---------------------------------------------------------------------    
    An authenticated command injection vulnerability exists in the 
    AOS-CX Network Analytics Engine via NAE scripts. Successful 
    exploitation of this vulnerability results in the ability to 
    execute arbitrary commands as a privileged user on the underlying
    operating system, leading to a complete compromise of the switch
    running AOS-CX.

    Internal reference: ATLAX-30                                       
    Severity: High                                                     
    CVSSv3 Overall Score: 7.2 
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Discovery: This vulnerability was discovered and reported by 
    Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program.

    Affected Versions: 
     - AOS-CX 10.10.xxxx: 10.10.0002 and below.
     - AOS-CX 10.09.xxxx: 10.09.1030 and below. 
     - AOS-CX 10.08.xxxx: 10.08.1070 and below. 
     - AOS-CX 10.06.xxxx: 10.06.0210 and below.

    Resolved Versions:
     - AOS-CX 10.10.xxxx: 10.10.1000 and above.
     - AOS-CX 10.09.xxxx: 10.09.1040 and above.
     - AOS-CX 10.08.xxxx: 10.08.1080 and above.
     - AOS-CX 10.06.xxxx: 10.06.0220 and above. 


  Authenticated Privilege Escalation in the Web-Management Interface
  (CVE-2022-23684)  
  --------------------------------------------------------------------- 
    A vulnerability in the web-based management interface of AOS-CX
    could allow a remote authenticated user with read-only privileges
    to escalate their permissions to those of an administrative user. 
    Successful exploitation of this vulnerability allows an attacker
    to escalate privileges beyond their authorized level. 

    Internal reference: ATLAX-63
    Severity: High 
    CVSSv3 Overall Score: 7.1 
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

    Discovery: This vulnerability was discovered and reported by
    Aruba's internal engineering team. 

    Affected Versions:
     - AOS-CX 10.09.xxxx: 10.09.1020 and below.
     - AOS-CX 10.08.xxxx: 10.08.1060 and below.
     - AOS-CX 10.06.xxxx: 10.06.0200 and below.    

    Resolved Versions:
     - AOS-CX 10.10.xxxx: 10.10.0002 and above.
     - AOS-CX 10.09.xxxx: 10.09.1030 and above.
     - AOS-CX 10.08.xxxx: 10.08.1070 and above.
     - AOS-CX 10.06.xxxx: 10.06.0210 and above. 

  Local Authentication Bypass Vulnerability in Recovery Console
  (CVE-2022-23691)
  --------------------------------------------------------------------- 
    A vulnerability exists in certain AOS-CX switch models which could 
    allow an attacker with access to the recovery console to bypass 
    normal authentication. A successful exploit allows an attacker to 
    bypass system authentication and achieve total switch compromise.

    Internal reference: ATLAX-67
    Severity: Medium
    CVSSv3 Overall Score: 6.1
    CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

    Discovery: This vulnerability was discovered and reported by
    Aruba's internal engineering team. 

    Affected Versions:
     - AOS-CX 10.10.xxxx: 10.10.0002 and below.
     - AOS-CX 10.09.xxxx: 10.09.1030 and below.
     - AOS-CX 10.08.xxxx: 10.08.1070 and below.
     - AOS-CX 10.06.xxxx: 10.06.0210 and below.

    Resolved Versions:
     - AOS-CX 10.10.xxxx: 10.10.1000 and above.
     - AOS-CX 10.09.xxxx: 10.09.1040 and above.
     - AOS-CX 10.08.xxxx: 10.08.1080 and above.
     - AOS-CX 10.06.xxxx: 10.06.0220 and above.

  Multiple Vulnerabilities in AOS-CX LLDP Service (CVE-2022-23686, 
  CVE-2022-23687, CVE-2022-23688, CVE-2022-23689)  
  --------------------------------------------------------------------- 
    Multiple vulnerabilities exist in the processing of packet data
    by the LLDP service of AOS-CX. Successful exploitation of these
    vulnerabilities may allow an attacker to impact the availability of
    the AOS-CX LLDP service and/or the management plane of the switch.

    Internal reference: ATLAX-55
    Severity: Medium 
    CVSSv3 Overall Score: 5.3
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	

    Discovery: These vulnerabilities were discovered and reported by 
    Qian Chen (@cq674350529) from Codesafe Team of Legendsec at 
    QI-ANXIN Group.

    Affected Versions:
     - AOS-CX 10.09.xxxx: 10.09.1010 and below. 
     - AOS-CX 10.08.xxxx: 10.08.1050 and below. 
     - AOS-CX 10.06.xxxx: 10.06.0190 and below.

    Resolved Versions:
     - AOS-CX 10.10.xxxx: 10.10.0002 and above.                
     - AOS-CX 10.09.xxxx: 10.09.1020 and above.
     - AOS-CX 10.08.xxxx: 10.08.1060 and above.
     - AOS-CX 10.06.xxxx: 10.06.0200 and above. 
  
  Unauthenticated Sensitive Information Disclosure in AOS-CX via 
  Web-Management Interface (CVE-2022-23690)  
  --------------------------------------------------------------------- 
    A vulnerability in the web-based management interface of AOS-CX
    could allow a remote unauthenticated attacker to fingerprint the
    exact version of AOS-CX running on the switch. This allows an
    attacker to retrieve information which could be used to more
    precisely target the switch for further exploitation.

    Internal reference: ATLAX-54
    Severity: Medium 
    CVSSv3 Overall Score: 5.3
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    Discovery: This vulnerability was discovered and reported by 
    Ken Pyle - Partner & Exploit Developer, CYBIR & Graduate 
    Professor of Cybersecurity at Chestnut Hill College.

    Affected Versions:
     - AOS-CX 10.09.xxxx: 10.09.1010 and below. 
     - AOS-CX 10.08.xxxx: 10.08.1050 and below. 
     - AOS-CX 10.06.xxxx: 10.06.0190 and below.

    Resolved Versions:
     - AOS-CX 10.10.xxxx: 10.10.0002 and above.          
     - AOS-CX 10.09.xxxx: 10.09.1020 and above.                      
     - AOS-CX 10.08.xxxx: 10.08.1060 and above.
     - AOS-CX 10.06.xxxx: 10.06.0200 and above. 

Resolution
==========
In order to address the vulnerabilities described above for the  
affected release branches, it is recommended to upgrade the software 
to the following versions (where applicable):

  - AOS-CX 10.10.xxxx: 10.10.1000 and above. 
  - AOS-CX 10.09.xxxx: 10.09.1040 and above.
  - AOS-CX 10.08.xxxx: 10.08.1080 and above.
  - AOS-CX 10.06.xxxx: 10.06.0220 and above.

Aruba recommends that users of the following branches upgrade to
10.10.1000 or above to address these vulnerabilities:

  - AOS-CX 10.07.xxxx
  - AOS-CX 10.05.xxxx and below.
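
Worked example (added here; this is not Aruba tooling and not part of the
original advisory): a small Python checker that encodes the per-issue
"Affected Versions" ceilings and the Resolution targets from this advisory
and maps an inventory of switches onto them. It handles the cases the text
calls out: branches that are listed for only some of the issues, the
model restriction on CVE-2022-23691, and the unvalidated 10.07 / 10.05-and-
below branches that should go straight to 10.10.1000. The hostnames,
models and version strings in the sample inventory are constructed, and
the assumption that a version string may carry a leading letter prefix
(as printed by "show version") is just that, an assumption; the regex
ignores any such prefix.

```python
# Added example: check AOS-CX versions against ARUBA-PSA-2022-012.
# Not Aruba tooling. Thresholds are copied from the advisory's per-issue
# "Affected Versions" lists and its Resolution section.
from __future__ import annotations

import re
from dataclasses import dataclass

Version = tuple[int, int, int]   # (major, minor, build), e.g. (10, 9, 1020)
Branch = tuple[int, int]         # (major, minor), e.g. (10, 9) for 10.09.xxxx


@dataclass
class Issue:
    cves: tuple[str, ...]
    title: str
    affected_through: dict[Branch, int]   # branch -> highest affected build
    models: frozenset[str] = frozenset()  # empty: every model in the advisory


ADVISORY: list[Issue] = [
    Issue(("CVE-2022-23679", "CVE-2022-23680"), "missing anti-CSRF protection",
          {(10, 10): 2, (10, 9): 1020, (10, 8): 1060, (10, 6): 200}),
    Issue(("CVE-2022-23681", "CVE-2022-23682"), "authenticated CLI command injection",
          {(10, 9): 1030, (10, 8): 1030, (10, 6): 180}),
    Issue(("CVE-2022-23683",), "authenticated RCE via NAE scripts",
          {(10, 10): 2, (10, 9): 1030, (10, 8): 1070, (10, 6): 210}),
    Issue(("CVE-2022-23684",), "web UI read-only to admin privilege escalation",
          {(10, 9): 1020, (10, 8): 1060, (10, 6): 200}),
    Issue(("CVE-2022-23691",), "recovery console authentication bypass",
          {(10, 10): 2, (10, 9): 1030, (10, 8): 1070, (10, 6): 210},
          frozenset({"10000", "9300", "8325", "8320"})),
    Issue(("CVE-2022-23686", "CVE-2022-23687", "CVE-2022-23688", "CVE-2022-23689"),
          "LLDP packet-processing denial of service",
          {(10, 9): 1010, (10, 8): 1050, (10, 6): 190}),
    Issue(("CVE-2022-23690",), "unauthenticated version disclosure via web UI",
          {(10, 9): 1010, (10, 8): 1050, (10, 6): 190}),
]

# First build of each supported branch carrying every fix (Resolution section).
FIXED_BUILD: dict[Branch, int] = {(10, 10): 1000, (10, 9): 1040, (10, 8): 1080, (10, 6): 220}
# 10.07 and 10.05-and-below were not validated; the advisory points them here.
UNSUPPORTED_TARGET = "10.10.1000"


def parse_version(text: str) -> Version:
    """Extract major.minor.build; a leading letter prefix (assumed) is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not an AOS-CX version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def format_version(v: Version) -> str:
    return f"{v[0]}.{v[1]:02d}.{v[2]:04d}"


@dataclass
class Assessment:
    version: str
    status: str                      # affected | fixed | unsupported | not_covered
    cves: tuple[str, ...] = ()
    upgrade_to: str | None = None


def assess(version_text: str, model: str) -> Assessment:
    """CVEs from this advisory that apply to one switch, plus the branch build
    that resolves all of them. 'model' is the series number, e.g. "8325"."""
    v = parse_version(version_text)
    branch: Branch = (v[0], v[1])
    shown = format_version(v)
    if branch not in FIXED_BUILD:
        if branch == (10, 7) or branch < (10, 6):
            return Assessment(shown, "unsupported", (), UNSUPPORTED_TARGET)
        return Assessment(shown, "not_covered")   # newer than this advisory
    hits: list[str] = []
    for issue in ADVISORY:
        if issue.models and model not in issue.models:
            continue                              # e.g. CVE-2022-23691 on a 6300
        ceiling = issue.affected_through.get(branch)
        if ceiling is not None and v[2] <= ceiling:
            hits.extend(issue.cves)
    if not hits:
        return Assessment(shown, "fixed")
    target = format_version((v[0], v[1], FIXED_BUILD[branch]))
    return Assessment(shown, "affected", tuple(sorted(hits)), target)


SAMPLE_INVENTORY = [   # constructed sample data, not real devices
    ("core-1", "8325", "FL.10.09.1020"),
    ("core-2", "8325", "FL.10.09.1040"),
    ("agg-1", "6300", "10.08.1070"),
    ("edge-7", "6200F", "10.07.0010"),
    ("dc-1", "10000", "10.10.0002"),
]


def report(inventory=SAMPLE_INVENTORY) -> list[tuple[str, Assessment]]:
    return [(host, assess(version, model)) for host, model, version in inventory]


if __name__ == "__main__":
    for host, a in report():
        fix = f"upgrade to {a.upgrade_to}" if a.upgrade_to else ""
        print(f"{host:8} {a.version:12} {a.status:12} {fix:22} {' '.join(a.cves)}")
```

The checker applies the "Affected Versions" ceilings literally, so a build
that falls between an issue's last affected build and the branch's
resolved build (for example a 10.08 build between 10.08.1030 and
10.08.1080 for CVE-2022-23681) is reported as not affected by that issue;
the upgrade target it prints is always the branch build from the
Resolution section, which carries every fix in the advisory.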


Workaround
==========
To minimize the likelihood of an attacker exploiting these       
vulnerabilities, Aruba recommends that the CLI and web-based     
management interfaces be restricted to a dedicated layer 2       
segment/VLAN and/or controlled by firewall policies at layer 3   
and above.  

Contact Aruba TAC for any configuration assistance. 


Exploitation and Public Discussion 
==================================
Aruba is not aware of any public discussion or exploit code that
targets these specific vulnerabilities as of the release date of
the advisory.


Revision History
================
Revision 1 / 2022-Aug-30 / Initial release


Aruba SIRT Security Procedures 
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and on obtaining assistance with security incidents
is available at: 
 
http://www.arubanetworks.com/support-services/security-bulletins/ 
 
 
For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at: 
 
http://www.arubanetworks.com/support-services/security-bulletins/ 
 

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. 
This advisory may be redistributed freely after the release date given 
at the top of the text, provided that the redistributed copies are 
complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmMI8CYACgkQmP4JykWF
htmzDwf/RIVgv85+wu59W8/EpzLO1VBUYLmFya9ITEozJ3xQ7f5JBfBq2tuP71fq
pHZ9faQqKHHAXE5XToIBGki3ZZz1qo62ic7uDD4uudhs6OK7w3uSm3pp2JdJRVtK
9wjJlhI923i4r2p2MFCgNsCuUR7NQksvsmxYjV5qQOG01KRhneXhywd1VVnlsX00
+jt54OZkzNuKYfzl/8Oku0ahVA8hCbrFNKU6vsCfSPntqMj9vszozJ6gFKap9zh0
AUNWvQYefjAKpgNBLEuClU7r39i7HdsZxUe7YwCjDMHZSgaV5SECAsbME/WgI36H
jBTh/7GvZuwI3Qd38FOzl7hJBnFhMQ==
=Dly2
-----END PGP SIGNATURE-----