
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN155
_____________________________________________________________________

DATE                : 11/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Aruba Instant versions prior to
                     8.3.0.15, 8.5.0.12, 8.6.0.8, 8.7.1.2;
                     ArubaOS versions prior to 6.4.4.25, 6.5.4.19,
                     8.3.0.15, 8.5.0.12, 8.6.0.8, 8.7.1.2.

=====================================================================
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-008.txt
_____________________________________________________________________

Aruba Product Security Advisory
==================================
Advisory ID: ARUBA-PSA-2021-008
CVE:  CVE-2020-25705
Publication Date: 2021-Mar-09
Status: Confirmed
Severity: High
Revision: 1


Title
=====
SAD DNS side channel attack


Overview
========
A vulnerability made public under the name SAD DNS affects Domain Name
System resolvers due to a vulnerability in the Linux kernel when
handling ICMP packets. This vulnerability is present in some Aruba
products which are listed below. For more information please see
https://www.saddns.net/


Affected Products
=================
All Aruba Instant Access Points running:
    - Aruba Instant 8.3.x: 8.3.0.14 and below
    - Aruba Instant 8.5.x: 8.5.0.11 and below
    - Aruba Instant 8.6.x: 8.6.0.7 and below
    - Aruba Instant 8.7.x: 8.7.1.1 and below

Hardware and Virtual implementations of ArubaOS Mobility Conductor
(formerly Mobility Master), Aruba Mobility Controllers, Access-Points
when managed by Mobility Controllers running:
    - ArubaOS 6.4.x: 6.4.4.24 and below
    - ArubaOS 6.5.x: 6.5.4.18 and below
    - ArubaOS 8.3.x: 8.3.0.14 and below
    - ArubaOS 8.5.x: 8.5.0.11 and below
    - ArubaOS 8.6.x: 8.6.0.7 and below
    - ArubaOS 8.7.x: 8.7.1.1 and below

Hardware and Virtual implementations of SD-WAN Gateways running:
    - ArubaOS 2.2.0.3 and below

Unaffected Products
===================
Other Aruba products not listed above are not affected by these
vulnerabilities.


Details
=======
A flaw in the way reply ICMP packets are limited in the Linux kernel
was found that allows for quick scanning of open UDP ports. This flaw
allows an off-path remote user to effectively bypass source port UDP
randomization.

Although the vulnerability lies within the way the Linux kernel rate
limits ICMP packets, the main impact from the SAD DNS attack would be
on name resolution related services running on the affected Aruba
device.

Internal references: ATLWL-198, ATLWL-199
Severity: High
CVSSv3 Overall Score: 7.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N


Resolution
==========
Aruba Instant Access Points running:
    - Aruba Instant 8.3.x: 8.3.0.15 and above
    - Aruba Instant 8.5.x: 8.5.0.12 and above
    - Aruba Instant 8.6.x: 8.6.0.8 and above
    - Aruba Instant 8.7.x: 8.7.1.2 and above

Hardware and Virtual implementations of ArubaOS Mobility Conductor
(formerly Mobility Master), Aruba Mobility Controllers, Access-Points
when managed by Mobility Controllers running:
    - ArubaOS 6.4.x: 6.4.4.25 and above
    - ArubaOS 6.5.x: 6.5.4.19 and above
    - ArubaOS 8.3.x: 8.3.0.15 and above
    - ArubaOS 8.5.x: 8.5.0.12 and above
    - ArubaOS 8.6.x: 8.6.0.8 and above
    - ArubaOS 8.7.x: 8.7.1.2 and above

Hardware and Virtual implementations of SD-WAN Gateways running:
    - ArubaOS 2.2.0.4 and above
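
The following triage script is an added example, not part of the Aruba
advisory. It checks a device inventory against the fixed versions listed
above, comparing version components numerically and reporting branches
the advisory does not name as "unlisted". The product keys, function
names and inventory rows are assumptions made for illustration.

```python
# Added example, not vendor code. Fixed versions are copied from the advisory;
# the product keys and the sample inventory are constructed for illustration.
FIXED = {
    "instant": {"8.3": "8.3.0.15", "8.5": "8.5.0.12",
                "8.6": "8.6.0.8", "8.7": "8.7.1.2"},
    "arubaos": {"6.4": "6.4.4.25", "6.5": "6.5.4.19", "8.3": "8.3.0.15",
                "8.5": "8.5.0.12", "8.6": "8.6.0.8", "8.7": "8.7.1.2"},
}
SDWAN_FIXED = "2.2.0.4"  # advisory gives one threshold, no per-branch split


def parse(version):
    """'8.6.0.7' -> (8, 6, 0, 7), so 8.3.0.9 sorts below 8.3.0.15."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def status(product, version):
    """Return 'affected', 'fixed' or 'unlisted' (branch not in the advisory)."""
    v = parse(version)
    if product == "sdwan":
        return "affected" if v < parse(SDWAN_FIXED) else "fixed"
    fixed = FIXED.get(product, {}).get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "unlisted"  # advisory is silent on this branch: review by hand
    return "affected" if v < parse(fixed) else "fixed"


def triage(inventory):
    """Map each (host, product, version) row to its status."""
    return {host: status(product, ver) for host, product, ver in inventory}


# Constructed inventory (hostnames and versions are made up).
INVENTORY = [
    ("ap-lobby", "instant", "8.3.0.9"),
    ("mc-core", "arubaos", "6.5.4.19"),
    ("mc-lab", "arubaos", "8.4.0.6"),
    ("gw-branch", "sdwan", "2.2.0.3"),
]

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host:10} {result}")
```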


Workaround
==========
As this is a side channel attack, it can be difficult to mitigate
exposure. However, this attack was mostly targeting internet-exposed
name servers, and not resources inside corporate environments.

Aruba always recommends that the CLI and web-based management
interfaces for the affected devices be restricted to a dedicated
layer 2 segment/VLAN and/or controlled by firewall policies at layer 3
where possible.

For this specific vulnerability, outgoing ICMP packets can be disabled
using "service ACLs" to implement blocking rules.

Contact Aruba TAC for any configuration assistance.


Discovery
=========
This vulnerability was discovered and reported by Keyu Man, Zhiyun Qian,
Zhongjie Wang, Xiaofeng Zheng, Youjun Huang and Haixin Duan in
Proceedings of ACM Conference on Computer and Communications Security
(CCS '20), November 9-13, 2020.


Exploitation and Public Discussion
==================================
Aruba is not aware of any exploitation tools or techniques that
specifically target Aruba products.


Revision History
================
Revision 1 / 2021-Mar-09 / Initial release


Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/


(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




