
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN704
_____________________________________________________________________

DATE                : 22/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): ArubaOS versions prior to 6.4.4.24, 6.5.4.18,
                   8.2.2.10, 8.3.0.14, 8.5.0.11, 8.6.0.6, 8.7.1.0.

=====================================================================
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-012.txt
_____________________________________________________________________

Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2020-012
CVE: CVE-2020-10713, CVE-2020-24633, CVE-2020-24634, CVE-2020-24637
Publication Date: 2020-Dec-08
Status: Confirmed
Revision: 1


Title
=====
ArubaOS Multiple Vulnerabilities


Overview
========
Aruba has released patches for ArubaOS that address multiple  security
vulnerabilities.


Affected Products
=================
ArubaOS Mobility Conductor (formerly Mobility Master),  Aruba Mobility
Controllers, Access-Points when managed by  Mobility  Controllers  and
Aruba SD-WAN Gateways.

Affected versions: Not all vulnerabilities in this advisory affect  all
ArubaOS branches. If an ArubaOS  branch  is  not  listed  as  affected,
it means that any ArubaOS version in that given branch is not affected.
For example, the 6.4.x.x and  6.5.x.x  branches  are  not  affected  by
CVE-2020-24634.

Aruba SD-WAN Gateways are also affected, regardless of whether they are
managing Access-Points or not, given the underlying operating system
is based on ArubaOS.


Details
=======

  Buffer Overflow Vulnerabilities in the PAPI protocol (CVE-2020-24633)
  ---------------------------------------------------------------------
    There are multiple buffer overflow vulnerabilities that could lead
    to unauthenticated remote code execution by sending specially
    crafted packets destined to the PAPI (Aruba Networks AP
    management protocol) UDP port (8211) of access-points or
    controllers.

    Internal references:  ATLWL-87,  ATLWL-150,  ATLWL-151,  ATLWL-152,
    ATLWL-153, ATLWL-154, ATLWL-155, ATLWL-156
    Severity: Critical
    CVSSv3 Overall Score: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered  and  reported  by
    Erik de  Jong  (bugcrowd.com/erikdejong)  via  Aruba's  Bug  Bounty
    Program

    Affected Versions:
    ArubaOS 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13,  8.5.0.10,  8.6.0.5,
    8.7.0.0 and below
    SD-WAN 2.1.0.1, 2.2.0.0 and below

    Resolution:
    ArubaOS 6.4.4.24, 6.5.4.18, 8.2.2.10, 8.3.0.14, 8.5.0.11,  8.6.0.6,
    8.7.1.0 and above
    SD-WAN 2.1.0.2, 2.2.0.1 and above


  Unauthenticated Remote Command Injection Vulnerability (CVE-2020-24634)
  ---------------------------------------------------------------------
    An attacker is able to remotely inject arbitrary commands by
    sending specially crafted packets destined to the PAPI (Aruba
    Networks AP Management protocol) UDP port (8211) of access-points
    or controllers.

    Internal references: ATLWL-84, ATLWL-144, ATLWL-149
    Severity: Critical
    CVSSv3 Overall Score: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered  and  reported  by
    Erik de  Jong  (bugcrowd.com/erikdejong)  via  Aruba's  Bug  Bounty
    Program

    Affected Versions:
    ArubaOS 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
    SD-WAN 2.1.0.1, 2.2.0.0 and below

    Resolution:
    ArubaOS 8.2.2.10, 8.3.0.14, 8.5.0.11, 8.6.0.6, 8.7.1.0 and above
    SD-WAN 2.1.0.2, 2.2.0.1 and above



  Secureboot Bypass vulnerability in 90xx series gateways
  (CVE-2020-10713, CVE-2020-24637)
  ---------------------------------------------------------------------
    Two vulnerabilities in the ArubaOS GRUB2 implementation allow an
    attacker to bypass secureboot. Successful exploitation of these
    vulnerabilities could lead to remote compromise of system
    integrity by allowing an attacker to load an untrusted or modified
    kernel.

    Internal references: ATLWL-133, ATLWL-159
    Severity: High
    CVSSv3 Overall Score: 8.0
    CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

    Discovery: CVE-2020-10713 (aka the BootHole vulnerability) was
    discovered and published by Eclypsium researchers Mickey Shkatov &
    Jesse Michael.

    CVE-2020-24637 was discovered by Nicholas Starke of Aruba
    Threat Labs.

    Affected Versions:
    ArubaOS 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
    SD-WAN 2.1.0.1, 2.2.0.0 and below

    Resolution:
    ArubaOS 8.5.0.11, 8.6.0.6, 8.7.1.0 and above
    SD-WAN 2.1.0.2, 2.2.0.1 and above


Resolution
==========
In order  to  address  the  vulnerabilities  described  above  for  the
affected release branches, it is recommended to upgrade the software to
the following versions (where applicable):

ArubaOS  6.4.4.24, 6.5.4.18,  8.2.2.10,  8.3.0.14,  8.5.0.11,  8.6.0.6,
8.7.1.0 and above
SD-WAN 2.1.0.2, 2.2.0.1 and above

As a general rule, we do not evaluate or patch ArubaOS branches that
have reached their End of Support (EoS) milestone. However, given how
recently ArubaOS 8.2.x.x reached EoS, we decided to evaluate and
provide a patch for this branch.
For more information about Aruba's End of Support policy visit:
https://www.arubanetworks.com/support-services/end-of-life/
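
Added example (not part of the Aruba advisory or the CERT-Renater note):
a triage helper that applies the per-CVE fixed-version lists above to an
inventory. The product labels, function names and inventory entries are
assumptions made for this example.

```python
# Fixed versions transcribed from this advisory. A release branch is the
# first two components, as in the advisory's "6.4.x.x" / "6.5.x.x".
ARUBAOS_FIXED = {
    "CVE-2020-24633": ["6.4.4.24", "6.5.4.18", "8.2.2.10", "8.3.0.14",
                       "8.5.0.11", "8.6.0.6", "8.7.1.0"],
    "CVE-2020-24634": ["8.2.2.10", "8.3.0.14", "8.5.0.11", "8.6.0.6", "8.7.1.0"],
    # Secure boot bypass: the advisory scopes it to 90xx series gateways.
    "CVE-2020-10713/CVE-2020-24637": ["8.5.0.11", "8.6.0.6", "8.7.1.0"],
}
SDWAN_FIXED = ["2.1.0.2", "2.2.0.1"]  # identical for every issue listed


def parse(version):
    """'8.6.0.5' -> (8, 6, 0, 5); anything else is rejected, not guessed."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a four-part version, got {version!r}")
    return tuple(int(p) for p in parts)


def status(version, fixed_list):
    """'affected', 'fixed', or 'branch-not-listed' for one issue."""
    v = parse(version)
    for fixed in map(parse, fixed_list):
        if fixed[:2] == v[:2]:  # same release branch
            return "affected" if v < fixed else "fixed"
    # Unlisted branch: unaffected, or past End of Support and not evaluated.
    return "branch-not-listed"


def triage(product, version):
    """product: 'arubaos' or 'sdwan' (labels chosen for this example)."""
    if product not in ("arubaos", "sdwan"):
        raise ValueError(f"unknown product {product!r}")
    return {cve: status(version, SDWAN_FIXED if product == "sdwan" else fixed)
            for cve, fixed in ARUBAOS_FIXED.items()}


# Constructed inventory (hostnames and versions are made up).
INVENTORY = [("mc-01", "arubaos", "8.6.0.5"), ("ctrl-02", "arubaos", "6.4.4.24"),
             ("gw-03", "sdwan", "2.1.0.1"), ("ctrl-04", "arubaos", "8.4.0.6")]


def needs_upgrade(inventory):
    """Map host -> issues for which its version is in an affected range."""
    report = {h: [c for c, s in triage(p, v).items() if s == "affected"]
              for h, p, v in inventory}
    return {h: cves for h, cves in report.items() if cves}
```

A "branch-not-listed" result is reported separately because an unlisted
branch may simply be past End of Support; check it against Aruba's
End of Support policy rather than treating it as safe.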



Workarounds
===========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that communication between
Controllers/Gateways and Access-Points be restricted, either by
having a dedicated layer 2 segment/VLAN or, if Controllers/Gateways
and Access-Points cross layer 3 boundaries, by having firewall policies
that restrict the communication to these authorized devices.
Also, enabling the Enhanced PAPI Security feature will prevent the
vulnerabilities above from being exploited.
Contact Aruba Support for configuration assistance.


Revision History
================
Revision 1 / 2020-Dec-08 / Initial release


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can  be  sent
to aruba-sirt(at)hpe.com. For sensitive information  we  encourage  the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date  given
at the top of the text, provided  that  the  redistributed  copies  are
complete and unmodified, including all data and version information.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


