
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN125
_____________________________________________________________________

DATE                : 26/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Aruba Mobility Controllers,
                     Aruba Access Points when managed by Mobility Controllers,
                     Aruba SD-WAN Gateways.

=====================================================================
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-006.txt
_____________________________________________________________________


Aruba Product Security Advisory
==================================
Advisory ID: ARUBA-PSA-2021-006
CVE: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684,
     CVE-2020-25685, CVE-2020-25686, CVE-2020-25687
Publication Date: 2021-Feb-23
Status: Confirmed
Severity: Low
Revision: 1


Title
=====
Multiple Vulnerabilities in dnsmasq


Overview
========
Seven new vulnerabilities were reported in the open-source component
dnsmasq. This collection of vulnerabilities has been made public under
the name DNSpooq.

Successful exploitation of four of these vulnerabilities could result
in either remote code execution (RCE) or a denial of service (DoS)
condition in affected devices. These vulnerabilities are:
   CVE-2020-25681
   CVE-2020-25682
   CVE-2020-25683
   CVE-2020-25687

The other three vulnerabilities could allow an attacker to carry out
DNS cache poisoning attacks. These types of attacks can be used to
redirect traffic to malicious IP addresses. These vulnerabilities are:
   CVE-2020-25684
   CVE-2020-25685
   CVE-2020-25686


Unaffected Products
===================
No Aruba products are affected by the following vulnerabilities:
   CVE-2020-25681
   CVE-2020-25682
   CVE-2020-25683
   CVE-2020-25687


Affected Products
=================
Aruba Mobility Controllers, Access Points when managed by Mobility
Controllers, Aruba SD-WAN Gateways and Aruba Instant Access Points
using all supported firmware releases at time of original advisory
publication are affected by the following vulnerabilities:
   CVE-2020-25684
   CVE-2020-25685
   CVE-2020-25686

Aruba views these vulnerabilities as low severity.

Other Aruba products not listed above, including Aruba Instant On,
are not affected by these vulnerabilities.


Details
=======
dnsmasq is used by the affected ArubaOS products (Aruba Mobility
Controllers, Access Points when managed by Mobility Controllers,
Aruba SD-WAN Gateways) to provide DNS proxy/DNS resolution for captive
portal users or when the "Redirect DNS Server" feature is enabled.
For Captive Portal, while in a pre-authenticated state, the process
accepts DNS queries from captive portal users and returns the IP
address of the mobility controller.

dnsmasq is used by Aruba Instant as a DNS proxy for many commonly
used deployment architectures.

  Internal Reference: ASIRT-252
  Severity: Low
  CVSSv3 Overall Score: 3.7
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Aruba analyzed and tested these vulnerabilities in the affected
products. We found the possibility of a successful DNS Cache
Poisoning attack as described in the CVEs to be very unlikely.
The scenarios we found to be vulnerable involved environmental
conditions, beyond configuration parameters, that an attacker may
not be able to manipulate.


Resolution
==========
Given the low severity CVSS Score and the difficulty of exploiting
these vulnerabilities, Aruba is treating them as very low priority.
Aruba will be updating dnsmasq (to version 2.83 or higher) in
future routine maintenance patches.

This advisory will be updated with version information as it
becomes available.


Workarounds
===========
ArubaOS / SD-WAN:
Systems which do not have captive portal or the "Redirect DNS Server"
functionalities enabled may safely use firewall rules to block access
to UDP port 53 destined to the controller. Aruba recommends "service
ACLs" to implement blocking rules. Service ACLs are documented in the
ArubaOS User Guide and in the ArubaOS Security Hardening Guide, both of
which are available for download from the Aruba support portal.

If the "Redirect DNS Server" feature is enabled: Have more than one DNS
server configured for each SSID that uses this feature.

Aruba Instant:
Have more than one DNS server configured for each SSID.

Contact Aruba TAC for any configuration assistance.
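
One way to confirm that the UDP port 53 blocking rule described above is
effective, as an added example that is not part of Aruba's advisory: a small
probe that sends a DNS query to the controller and reports whether anything
answers. The function names, the query name "example.com" and the IPv4-only
socket are assumptions of this example.

```python
# Added example (not Aruba's code): check whether a host still answers DNS on UDP/53.
import secrets
import socket
import struct


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS query (type A, class IN, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def is_reply_to(query: bytes, data: bytes) -> bool:
    """True if data is a DNS response (QR bit set) with the query's transaction ID."""
    if len(data) < 12:
        return False
    txid, flags = struct.unpack("!HH", data[:4])
    return txid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)


def udp53_answers(host: str, name: str = "example.com", port: int = 53,
                  tries: int = 3, timeout: float = 2.0) -> bool:
    """Return True if host answers a DNS query over UDP. False means every try
    was dropped or refused, the expected result once the blocking rule is active."""
    for _ in range(tries):
        query = build_query(name, secrets.randbits(16))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
                sock.send(query)
                if is_reply_to(query, sock.recv(512)):
                    return True
            except OSError:  # timeout, ICMP port unreachable, no route
                continue
    return False


if __name__ == "__main__":
    import sys
    # Usage: python3 check_udp53.py <controller-ip>  (address supplied by the operator)
    target = sys.argv[1]
    state = "ANSWERS (rule not effective)" if udp53_answers(target) else "no reply"
    print(f"{target} UDP/53: {state}")
```

Run it from a client network that the rule is meant to cover, before and after
applying the rule, so that a "no reply" result can be told apart from a path
that never reached the controller.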


Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public.
Aruba is not aware of any exploitation tools or techniques that
specifically target Aruba products.


Discovery
=========
These vulnerabilities were discovered by researchers Shlomi Oberman
and Moshe Kol.


Revision History
================
Revision 1 / 2021-Feb-23 / Initial release


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/



(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



