
=====================================================================

                               CERT-Renater

                     Information Note No. 2023/VULN274

_____________________________________________________________________

DATE                : 30/08/2023

HARDWARE PLATFORM(S): Aruba Series Switches.

OPERATING SYSTEM(S): ArubaOS-Switch.

=====================================================================
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-013.txt
_____________________________________________________________________

HPE Aruba Networking Product Security Advisory
==============================================
Advisory ID: ARUBA-PSA-2023-013
CVE: CVE-2023-39266, CVE-2023-39267, CVE-2023-39268
Publication Date: 2023-Aug-29
Status: Confirmed
Severity: High
Revision: 1


Title
=====
ArubaOS-Switch Switches Multiple Vulnerabilities


Overview
========
HPE Aruba Networking has released updates for wired switching
products running ArubaOS-Switch that address multiple security
vulnerabilities.


Affected Products
=================
HPE Aruba Networking Switch Models:
   - Aruba 5400R Series Switches
   - Aruba 3810 Series Switches
   - Aruba 2920 Series Switches
   - Aruba 2930F Series Switches
   - Aruba 2930M Series Switches
   - Aruba 2530 Series Switches
   - Aruba 2540 Series Switches

Software Branch Versions:
   - ArubaOS-Switch 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0012 and below.
   - ArubaOS-Switch 16.10.xxxx: KB/WC/YA/YB/YC.16.10.0025 and below.
   - ArubaOS-Switch 16.10.xxxx: WB.16.10.23 and below.
   - ArubaOS-Switch 16.09.xxxx: All versions.
   - ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0026 and below.
   - ArubaOS-Switch 16.07.xxxx: All versions.
   - ArubaOS-Switch 16.06.xxxx: All versions.
   - ArubaOS-Switch 16.05.xxxx: All versions.
   - ArubaOS-Switch 16.04.xxxx: KA/RA.16.04.0026 and below.
   - ArubaOS-Switch 16.03.xxxx: All versions.
   - ArubaOS-Switch 16.02.xxxx: All versions.
   - ArubaOS-Switch 16.01.xxxx: All versions.
   - ArubaOS-Switch 15.xx.xxxx: 15.16.0025 and below.


Unaffected Products
===================
Any other HPE Aruba Networking products not listed above
including AOS-CX Switches, Aruba Intelligent Edge Switches,
and HPE OfficeConnect Switches are not affected by these
vulnerabilities.


Details
=======

   Unauthenticated Stored Cross-Site Scripting in ArubaOS-Switch
   (CVE-2023-39266)
   ---------------------------------------------------------------------
     A vulnerability in the ArubaOS-Switch web management
     interface could allow an unauthenticated remote attacker to
     conduct a stored cross-site scripting (XSS) attack against a
     user of the interface provided certain configuration options
     are present. A successful exploit could allow an attacker to
     execute arbitrary script code in a victim's browser in the
     context of the affected interface.

     Internal Reference: APVOS-13
     Severity: High
     CVSSv3 Overall Score: 8.3
     CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

     Discovery: This vulnerability was discovered and reported by
     Ken Pyle - Partner and Exploit Developer, CYBIR and Graduate
     Professor of Cybersecurity at Chestnut Hill College.

     Workaround: Configuration changes such as setting an operator
     password on the switch and enforcing the use of HTTPS prevent
     this attack. Please see the ArubaOS-Switch hardening guide at
     https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us
     for details. Additionally, disabling the web management
     interface prevents this attack. Contact HPE Services - Aruba
     Networking TAC for any configuration assistance.


   Authenticated Denial of Service Vulnerability in ArubaOS-Switch
   Command Line Interface
   (CVE-2023-39267)
   ---------------------------------------------------------------------
     An authenticated remote code execution vulnerability exists
     in the command line interface in ArubaOS-Switch. Successful
     exploitation results in a Denial-of-Service (DoS) condition
     in the switch.

     Internal Reference: APVOS-18
     Severity: Medium
     CVSSv3 Overall Score: 6.6
     CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:L

     Discovery: This vulnerability was discovered by Lino Mirgeler
     of DTS Systeme GmbH.


   Memory Corruption Vulnerability in ArubaOS-Switch
   (CVE-2023-39268)
   --------------------------------------------------------------
     A memory corruption vulnerability in ArubaOS-Switch could
     lead to unauthenticated remote code execution by receiving
     specially crafted packets. Successful exploitation of this
     vulnerability results in the ability to execute arbitrary
     code as a privileged user on the underlying operating system.

     Internal Reference: APVOS-17
     Severity: Medium
     CVSSv3 Overall Score: 4.5
     CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H

     Discovery: This vulnerability was discovered and reported by
     Ken Pyle - Partner and Exploit Developer, CYBIR and Graduate
     Professor of Cybersecurity at Chestnut Hill College.


Resolution
==========
To address the vulnerabilities described above for the affected
release branches, it is recommended to upgrade the software to
the following versions:

   - ArubaOS-Switch 16.11.xxxx: KB/WC/YA/YB/YC.16.11.0013 and above.
   - ArubaOS-Switch 16.10.xxxx: WB.16.10.0024 and above.
   - ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0027 and above.
   - ArubaOS-Switch 16.04.xxxx: KA/RA.16.04.0027 and above.
   - ArubaOS-Switch 15.xx.xxxx: A.15.16.0026 and above.

Note: 16.10.xxxx: KB/WC/YA/YB/YC will not receive fixes for these
vulnerabilities. Upgrading to KB/WC/YA/YB/YC.16.11.0013 and above
will address these vulnerabilities.

The software versions listed in the Resolution section are the
supported branches as of the publication date of this advisory.
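
An added example (not part of the HPE Aruba Networking advisory) that
classifies a switch's reported software version against the affected and
fixed builds listed above. It assumes version strings of the form
PLATFORM.MAJOR.MINOR.BUILD; the function names and the inventory are made
up, and builds the advisory does not mention are reported as not-listed.

```python
import re

# Highest affected build per 16.xx branch and platform set ("Affected Products").
AFFECTED_MAX = {
    11: [({"KB", "WC", "YA", "YB", "YC"}, 12)],
    10: [({"KB", "WC", "YA", "YB", "YC"}, 25), ({"WB"}, 23)],
    8: [({"KB", "WB", "WC", "YA", "YB", "YC"}, 26)],
    4: [({"KA", "RA"}, 26)],
}
# 16.xx branches the advisory lists as "All versions".
ALL_AFFECTED = {9, 7, 6, 5, 3, 2, 1}
# Lowest fixed build per 16.xx branch and platform set ("Resolution").
FIXED_MIN = {
    11: [({"KB", "WC", "YA", "YB", "YC"}, 13)],
    10: [({"WB"}, 24)],
    8: [({"KB", "WB", "WC", "YA", "YB", "YC"}, 27)],
    4: [({"KA", "RA"}, 27)],
}

def classify(version):
    """Return 'affected', 'fixed' or 'not-listed' for e.g. 'WC.16.10.0025'."""
    m = re.fullmatch(r"(?:([A-Z]{1,2})\.)?(\d+)\.(\d+)\.(\d+)", version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    platform = m.group(1)
    major, minor, build = int(m.group(2)), int(m.group(3)), int(m.group(4))
    if major == 15:
        # The affected 15.xx entry names no platform, so the prefix is ignored (assumption).
        return "affected" if (minor, build) <= (16, 25) else "fixed"
    if major != 16:
        return "not-listed"
    if minor in ALL_AFFECTED:
        return "affected"
    if any(platform in p and build <= top for p, top in AFFECTED_MAX.get(minor, [])):
        return "affected"
    if any(platform in p and build >= low for p, low in FIXED_MIN.get(minor, [])):
        return "fixed"
    return "not-listed"

# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = {"sw-core-1": "KB.16.11.0012", "sw-acc-7": "WB.16.10.0024", "sw-acc-9": "YA.16.10.0026"}

def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:10} {INVENTORY[host]:15} {status}")
```

A not-listed result on the 16.10.xxxx KB/WC/YA/YB/YC branch needs manual
review, since the advisory states that branch will not receive fixes.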


Workaround
==========
To minimize the likelihood of an attacker exploiting these
vulnerabilities, HPE Aruba Networking recommends that the CLI
and web-based management interfaces be restricted to a dedicated
layer 2 segment/VLAN and/or controlled by firewall policies at
layer 3 and above.

Contact HPE Services - Aruba Networking TAC for any configuration
assistance.


ArubaOS-Switch Hardening Guide
==============================
For general information on hardening ArubaOS-Switch devices
against security threats, please see the ArubaOS-Switch Access
Security Guide available at
https://support.hpe.com/hpesc/public/docDisplay?docId=a00056155en_us


Exploitation and Public Discussion
==================================
CVE-2023-39266 has been publicly disclosed.
More information can be found at:
https://cybir.com/2022/cve/layer7mattersatlayer2-coolhandluke/

HPE Aruba Networking is not aware of any public discussion or
exploit code that targets the other vulnerabilities in this
advisory as of the publishing date of the advisory.


Revision History
================
Revision 1 / 2023-Aug-29 / Initial release


HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE
Aruba Networking products and obtaining assistance with security
incidents is available at:

https://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* HPE Aruba Networking security issues, email
can be sent to aruba-sirt(at)hpe.com. For sensitive information
we encourage the use of PGP encryption. Our public keys can be
found at:

https://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2023 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date
given at the top of the text, provided that the redistributed
copies are complete and unmodified, including all data and
version information.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

