QID 43864
Date Published: 2021-09-27
QID 43864: Hewlett Packard Enterprise (HPE) ArubaOS Cross-Site Request Forgery (CSRF) Vulnerability (ARUBA-PSA-2021-016)
Aruba Networks provides data networking solutions for enterprises and businesses worldwide.
CVE-2019-5318: Lack of CSRF Protections in RAPConsole.
Affected Versions:
- ArubaOS 6.x.x.x: all versions
- ArubaOS 8.x.x.x: all versions prior to 8.8.0.0
QID Detection Logic (Unauthenticated):
This QID retrieves the installed ArubaOS version via SNMP and reports the device as vulnerable when that version falls within the affected ranges listed above.
Successful exploitation of this vulnerability may allow an attacker to convince a user to visit a specially-crafted web page and reboot the affected device.
Solution
Please refer to ARUBA-PSA-2021-016 for more information about patching these vulnerabilities.
Workaround:
The RAPConsole or Local Debug homepage can be reached by users in a split or bridge role. Configuring an ACL to restrict access to the Local Debug (LD) homepage prevents this issue. Instructions on how to implement this ACL can be found at https://www.arubanetworks.com/techdocs/ArubaOS_86_Web_Help/Content/arubaos-solutions/rap/rest-local-deb.htm
Vendor References
- ARUBA-PSA-2021-016 - www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt
CVEs related to QID 43864
- CVE-2019-5318
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ARUBA-PSA-2021-016 | ArubaOS | RAPConsole | www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt |