==================================================================== CERT-Renater Note d'Information No. 2019/VULN284 _____________________________________________________________________ DATE : 16/09/2019 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): ArubaOS versions prior to 6.4.4.21, 6.5.4.13, 8.2.2.6, 8.3.0.7, 8.4.0.3, 8.5.0.0. ===================================================================== https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-004.txt _____________________________________________________________________ Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2019-004 CVE: CVE-2018-7081, CVE-2019-5314, CVE-2019-5315 Publication Date: 2019-Sep-03 Status: Confirmed Revision: 1 Title ===== Aruba Mobility Controller Multiple Remote Code Execution Vulnerabilities Overview ======== Aruba has released updates to ArubaOS that address serious vulnerabilities present in some versions running on the Aruba Mobility Controller. An attacker could use these vulnerabilities to execute arbitrary code on the underlying operating system with full system privileges. Affected Products ================= These vulnerabilities affect Aruba Mobility Controllers running the following firmware versions: - ArubaOS 6.x prior to 6.4.4.21 - ArubaOS 6.5.x prior to 6.5.4.13 - ArubaOS 8.x prior to 8.2.2.6 - ArubaOS 8.3.0.x prior to 8.3.0.7 - ArubaOS 8.4.0.x prior to 8.4.0.3 Details ======= Memory corruption in network-listening component (CVE-2018-7081) ---------------------------------------------------------------- A remote code execution vulnerability is present in network-listening components in some versions of ArubaOS. An attacker with the ability to transmit specially-crafted IP traffic to a mobility controller could exploit this vulnerability and cause a process crash or to execute arbitrary code within the underlying operating system with full system privileges. Such an attack could lead to complete system compromise. The ability to transmit traffic to an IP interface on the mobility controller is required to carry out an attack. The attack leverages the PAPI protocol (UDP port 8211). If the mobility controller is only bridging L2 traffic to an uplink and does not have an IP address that is accessible to the attacker, it cannot be attacked. Internal reference: ATLWL-5 Severity: HIGH CVSSv3 Overall Score: 8.1 CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Workaround: If updating to the latest version is not possible, an administrator can isolate the mobility controller using network segmentation techniques. Blocking access to UDP port 8211 will mitigate this attack. If a mobility controller is communicating with wireless access points and Control Plane Security (CPSEC) is NOT enabled, UDP 8211 is required for AP communication. AMON communication between a mobility controller and AirWave also uses UDP 8211. Use caution when blocking access to this port. Discovery: Aruba thanks independent security researchers Pedro Guillen Nuñez and Juan Manuel Fernandez Torres (@TheXC3LL) for discovering this vulnerability and reporting it to Aruba. Resolution: Fixed in ArubaOS 6.4.4.21, 6.5.4.13, 8.2.2.6, 8.3.0.7, 8.4.0.3, 8.5.0.0 HTTP Response Splitting (CRLF injection) and Reflected XSS (CVE-2019-5314) -------------------------------------------------------------------------- Some web components in the ArubaOS software are vulnerable to HTTP Response splitting (CRLF injection) and Reflected XSS. An attacker would be able to accomplish this by sending certain URL parameters that would trigger this vulnerability. Internal reference: ATLWL-27 Severity: MEDIUM CVSSv3 Overall Score: 5.4 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Workaround: If updating to the latest version is not possible, an administrator can isolate the mobility controller using network segmentation techniques. Discovery: Aruba thanks independent security researcher @mongobug for discovering this vulnerability and reporting it through the BugCrowd managed bug bounty program. Resolution: Fixed in ArubaOS 6.4.4.20, 6.5.4.11, 8.2.1.0, 8.3 Authenticated command injection (CVE-2019-5315) ----------------------------------------------- A command injection vulnerability is present in the web management interface of ArubaOS that permits an authenticated user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability to install backdoors or change system configuration in a way that would not be logged. This vulnerability only affects ArubaOS 8.x. Internal reference: ATLWL-28 Severity: HIGH CVSSv3 Overall Score: 6.5 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Workaround: None. Discovery: Aruba thanks independent security researcher @mongobug for discovering this vulnerability and reporting it through the BugCrowd managed bug bounty program. Resolution: Fixed in ArubaOS 8.3.0.0 Resolution ========== All reported vulnerabilities are fixed in the following ArubaOS software releases: - ArubaOS 6.4.4.21 - ArubaOS 6.5.4.13 - ArubaOS 8.2.2.6 - ArubaOS 8.3.0.7 - ArubaOS 8.4.0.3 - ArubaOS 8.5.0.0 Exploitation and Public Discussion ================================== Aruba is not aware of any public discussion or exploit code related to these issues. CVE-2018-7081 may become public in a blog post in September, 2019. Revision History ================ Revision 1 / 2019-Sep-03 / Initial release Aruba SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at: http://www.arubanetworks.com/support-services/security-bulletins/ For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: http://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2019 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================