
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN023
_____________________________________________________________________

DATE                : 13/01/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running AirWave Glass versions prior to 1.3.3.

=====================================================================
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-001.txt
_____________________________________________________________________


Aruba Product Security Advisory
==================================
Advisory ID: ARUBA-PSA-2021-001
CVE:  CVE-2020-24638, CVE-2020-24639, CVE-2020-24640, CVE-2020-24641
Publication Date: 2021-Jan-12
Status: Confirmed
Revision: 1


Title
=====
AirWave Glass Multiple Vulnerabilities


Overview
========
Aruba has released updates  to  Airwave  Glass  that  address  multiple
security vulnerabilities.


Affected Products
=================
  AirWave Glass 1.3.2 and below



Details
=======
  Remote Authentication Bypass via Unauthenticated Server-Side Request
  Forgery (CVE-2020-24641)
  ---------------------------------------------------------------------
    There is a Server-Side Request  Forgery  vulnerability  through  an
    unauthenticated endpoint that if successfully exploited can  result
    in disclosure of sensitive information. This can be used to perform
    an authentication bypass and ultimately gain administrative  access
    on the web administrative interface.

    Internal references: ATLAW-63, ATLAW-80, ATLAW-155
    Severity: Critical
    CVSSv3 Overall Score: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered  and  reported  by
    Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program

    Resolution: Fixed in Glass 1.3.3 and above


  Unauthenticated Arbitrary Command Execution in Web Administrative
  Interface (CVE-2020-24640)
  ---------------------------------------------------------------------
    There is a vulnerability caused by  insufficient  input  validation
    that allows for arbitrary  command  execution  in  a  containerized
    environment within Airwave Glass.
    Successful exploitation can lead  to  complete  compromise  of  the
    underlying host operating system.

    Internal references: ATLAW-59, ATLAW-105, ATLAW-153
    Severity: Critical
    CVSSv3 Overall Score: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered  and  reported  by
    Daniel Jensen (@dozernz) and Erik de Jong (bugcrowd.com/erikdejong)
    via Aruba's Bug Bounty Program

    Resolution: Fixed in Glass 1.3.3 and above


  Unauthenticated Arbitrary Code Execution in Web Administrative
  Interface (CVE-2020-24639)
  ---------------------------------------------------------------------
    There is a vulnerability caused by unsafe Java deserialization that
    allows  for  arbitrary  command  execution  in    a   containerized
    environment within Airwave Glass.
    Successful exploitation can lead  to  complete  compromise  of  the
    underlying host operating system.

    Internal references: ATLAW-67, ATLAW-121, ATLAW-152
    Severity: Critical
    CVSSv3 Overall Score: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered  and  reported  by
    Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program

    Resolution: Fixed in Glass 1.3.3 and above


  Multiple Authenticated Command Injections via glassadmin CLI
  (CVE-2020-24638)
  ---------------------------------------------------------------------
    Multiple authenticated remote command executions are possible in
    AirWave Glass via the glassadmin CLI. These allow a user with
    glassadmin privileges to execute arbitrary code as root on the
    underlying host operating system.

    Internal references: ATLAW-100, ATLAW-101, ATLAW-109, ATLAW-111
    Severity: High
    CVSSv3 Overall Score: 7.2
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Discovery: These vulnerabilities were discovered  and  reported  by
    Erik de  Jong  (bugcrowd.com/erikdejong)  via  Aruba's  Bug  Bounty
    Program

    Resolution: Fixed in Glass 1.3.3 and above


Resolution
==========

  Upgrade AirWave Glass to 1.3.3 or above.


Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, Aruba recommends that the CLI and web management
interfaces for AirWave Glass be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and
above.
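The following nftables ruleset is an added illustration of the layer 3
part of that workaround; it is not part of the Aruba advisory or of the
CERT-Renater note. It shows the policy as it would be applied on a Linux
firewall placed in front of the appliance (an equivalent ACL on a router
or a cloud security group expresses the same thing). Every concrete
value is an assumption: the web management interface is taken to listen
on TCP/443, the glassadmin CLI to be reached over SSH on TCP/22, the
dedicated management VLAN to be 10.10.50.0/24, and the inside interface
to be eth0. The weak setting the workaround warns against is the same
accept rule without the source-address match.

```nftables
# Added example, not from the advisory. Placeholder assumptions:
#   - management web UI on TCP/443, glassadmin CLI via SSH on TCP/22
#   - dedicated management VLAN 10.10.50.0/24
#   - interface facing the rest of the network: eth0
table inet mgmt_filter {
    # Hosts allowed to reach the management plane. Keep this set small
    # and review it with the same rigour as an admin group.
    set mgmt_admins {
        type ipv4_addr
        flags interval
        elements = { 10.10.50.0/24 }
    }

    chain input {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # WEAK (what the workaround tells you not to do): reachable from
        # anywhere that can route to the appliance.
        #   tcp dport { 22, 443 } accept

        # RESTRICTED: only the management VLAN may reach the CLI and the
        # web interface.
        iifname "eth0" ip saddr @mgmt_admins tcp dport { 22, 443 } accept

        # Log every other attempt on the management ports before dropping
        # it, so that scanning or exploitation attempts are visible to
        # monitoring even after the upgrade to 1.3.3 is done.
        tcp dport { 22, 443 } log prefix "mgmt-denied: " drop
    }
}
```

The logging rule matters as much as the accept rule: the three critical
issues above are unauthenticated, so a connection attempt from outside
the management VLAN is itself a signal worth forwarding to the SIEM,
whether or not the appliance has been patched yet.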

Revision History
================

Revision 1 / 2021-Jan-12 / Initial release


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and on obtaining assistance with security incidents
is available at:

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can  be  sent
to aruba-sirt(at)hpe.com. For sensitive information  we  encourage  the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date  given
at the top of the text, provided  that  the  redistributed  copies  are
complete and unmodified, including all data and version information.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

