Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN821 _____________________________________________________________________ DATE : 20/11/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running HPE Aruba Networking AOS-CXS Software, HPE Aruba Networking 100 Series Cellular Bridge firmware, HPE Aruba Networking Management Software (AirWave). ===================================================================== https://csaf.arubanetworking.hpe.com/2025/hpe_aruba_networking_-_hpesbnw04888.txt https://csaf.arubanetworks.com/2025/hpe_aruba_networking_-_hpesbnw04970.txt https://csaf.arubanetworks.com/2025/hpe_aruba_networking_-_hpesbnw04971.txt _____________________________________________________________________ HPE Aruba Networking Product Security Advisory ============================================= Advisory ID: HPESBNW04888 CVE: CVE-2025-37155, CVE-2025-37156, CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, CVE-2025-37157, CVE-2025-37158, CVE-2025-26466, CVE-2025-37159, CVE-2025-37160 Publication Date: 2025-Nov-18 Status: Confirmed Severity: High Revision: 1 Title ===== HPE Aruba Networking AOS-CX, Multiple Vulnerabilities Overview ======== HPE Aruba Networking has released AOS-CX software patches to address multiple security vulnerabilities. Affected Products ================= HPE Aruba Networking AOS-CX Software Version(s): - AOS-CX 10.16.xxxx: 10.16.1000 and below - AOS-CX 10.15.xxxx: 10.15.1020 and below - AOS-CX 10.14.xxxx: 10.14.1050 and below - AOS-CX 10.13.xxxx: 10.13.1090 and below - AOS-CX 10.10.xxxx: 10.10.1160 and below Software versions of AOS-CX that are End of Support at the time of publication of this security advisory are expected to be affected by these vulnerabilities unless otherwise indicated. Unaffected Products ================= Any other supported AOS-CX software versions not listed under the Affected Products section of this advisory are not known to be affected by the disclosed vulnerabilities. Details ====== Authenticated Privilege Escalation Allows Unauthorized Access in Network Management Interface (CVE-2025-37155) - --------------------------------------------------------------------- A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system. Internal References: ATLAX-106 Severity: High CVSS v3.1 Base Score: 7.8 CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by Angelo Catalani and Giacomo Gloria from Italian National Cybersecurity Agency (ACN) to HPE Aruba Networking SIRT. Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage. ArubaOS-CX Platform-Level Denial-of-Service Vulnerability (CVE-2025-37156) - --------------------------------------------------------------------- A platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional. Internal References: ATLAX-85 Severity: Medium CVSS v3.1 Base Score: 6.8 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Nicholas Starke from HPE Aruba Networking SIRT. Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage. Multiple Vulnerabilities in Rsync Daemon allow for Remote Code Execution, Directory Traversal, and Sensitive Information Disclosure (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747) - --------------------------------------------------------------------- Rsync, a versatile file-synchronizing tool, contains six vulnerabilities present within versions 3.3.0 and below. Rsync can be used to sync files between remote and local computers, as well as storage devices. The discovered vulnerabilities include heap-buffer overflow, information leak, file leak, external directory file-write, safe-links bypass, and symbolic-link race condition. Internal References: ATLAX-89 Severity: Medium CVSS v3.1 Base Score: 6.7 CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Discovery: This vulnerability was discovered and disclosed by Simon Scannel, Pedro Gallegos, and Jasiel Spelman from Google Cloud Vulnerability Research, and Aleksei Gorban. Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage. Note: The Rsync vulnerabilities listed above are reported according to the public information found in the NVD. Despite being included in all AOS-CX platforms, the potential for exploitation of Rsync in these platforms is very low. As this is a component of the underlying operating system, the only risk for exploitation on most deployments of AOS-CX would stem from an administrator user that starts a shell in the underlying OS and runs Rsync directly. For AOS-CX VSF deployments, exploitation is limited to attacks that leverage physical access to a vulnerable device. Authenticated Command Injection allows Unauthorized Command Execution in AOS-CX (CVE-2025-37157, CVE-2025-37158) - --------------------------------------------------------------------- A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system. Internal References: ATLAX-96, ATLAX-98 Severity: Medium CVSS v3.1 Base Score: 6.7 CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by zzcentury from Ubisectech Sirius Team through HPE Aruba Networking's Bug Bounty Program. Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage. Denial-of-Service (DoS) attack against OpenSSH's client and server (CVE-2025-26466) - --------------------------------------------------------------------- The OpenSSH client and server are vulnerable to a pre-authentication denial-of-service attack: an asymmetric resource consumption of both memory and CPU. This vulnerability was introduced in August 2023 (shortly before OpenSSH 9.5p1) by commit dce6d80 ("Introduce a transport-level ping facility"). Internal References: ATLAX-102 Severity: Medium CVSS v3.1 Base Score: 5.9 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and disclosed by Qualys Threat Research Unit (TRU). Please refer to the link below for additional details: https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt. Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage. Authenticated Session Hijacking Allows Unauthorized Access in Network Switching Software (CVE-2025-37159) - --------------------------------------------------------------------- A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data. Internal References: ATLAX-97 Severity: Medium CVSS v3.1 Base Score: 5.8 CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N Discovery: This vulnerability was discovered and reported by 0x50d through HPE Aruba Networking's Bug Bounty program. Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends to temporarily disable the web management interface until the permanent fix is applied. Authenticated Broken Access Control (BAC) in REST API Configuration Service (CVE-2024-37160) - --------------------------------------------------------------------- A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data. Internal References: ATLAX-79 Severity: Medium CVSS v3.1 Base Score: 5.3 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Discovery: This vulnerability was discovered and reported by dugisan3rd from Farzul Nizam through HPE Aruba Networking's Bug Bounty Program. Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage. Resolution ========== To address the vulnerabilities described above in the affected software branches, it is recommended to upgrade HPE Aruba Networking AOS-CX to one of the following versions (as applicable): - AOS-CX 10.16.xxxx: AOS-CX 10.16.1006 and above - AOS-CX 10.15.xxxx: AOS-CX 10.15.1030 and above - AOS-CX 10.14.xxxx: AOS-CX 10.14.1060 and above - AOS-CX 10.13.xxxx: AOS-CX 10.13.1101 and above - AOS-CX 10.10.xxxx: AOS-CX 10.10.1170 and above Software versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/home/ HPE Aruba Networking does not evaluate or patch software branches that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba Networking End of Life policy please visit: https://www.hpe.com/psnow/doc/a00143052enw Workaround ========== Vulnerability specific workarounds are listed per vulnerability above. You may contact HPE Services - Aruba Networking - for assistance if needed. Please visit HPE Aruba Networking Support Portal for more information: https://networkingsupport.hpe.com/home HPE Aruba Networking AOS-CX Security Hardening =========================================== For general information on hardening HPE Aruba Networking AOS-CX switches against security threats please refer to the HPE Aruba Networking AOS-CX Security Hardening Guides for your specific switch model and version of AOS-CX. The guides can be found at the following link: https://arubanetworking.hpe.com/techdocs/AOS-CX/help_portal/Content/home.htm Exploitation and Public Discussion ================================== HPE Aruba Networking is not aware of any public discussion or exploit code targeting these specific vulnerabilities as of the release date of the advisory, except for the Rsync vulnerabilities (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747) which have already been publicly disclosed through the VINCE CERT Coordination Center and the OpenSSH vulnerability CVE-2025-26466 which have also already been publicly disclosed by RedHat and it is available at https://access.redhat.com/security/cve/CVE-2025-26466. Scoring for public CVEs that have already been disclosed is based on generally accepted NVD scores. The scores of these publicly disclosed vulnerabilities do not scrutinize the difference in attack conditions present in AOS-CX, which severely mitigate the likelihood of their exploitation as mentioned in the Affected Product section. More information can be found at: https://www.kb.cert.org/vuls/id/952657 Revision History ================ Revision 1 / 2025-Nov-18/ Initial release HPE Aruba Networking SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt@hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.hpe.com/info/psrt-pgp-key (c) Copyright 2025 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. _____________________________________________________________________ HPE Aruba Networking Product Security Advisory ============================================= Advisory ID: HPESBNW04970 CVE: CVE-2025-37161, CVE-2025-37162 Publication Date: 2025-NOV-18 Status: Confirmed Severity: High Revision: 1 Title ===== HPE Aruba Networking 100 Series Cellular Bridge, Multiple Vulnerabilities Overview ======== HPE Aruba Networking has released software updates for the 100 Series Cellular Bridge that address multiple security vulnerabilities. Affected Products ================= HPE Aruba Networking 100 Series Cellular Bridge version(s): - - AOS-10.7.1.x: 10.7.1.1 and below HPE Aruba Networking bridge software versions that are end of maintenance are affected by these vulnerabilities unless otherwise indicated. Unaffected Products ================= Any other HPE Aruba Networking products and software versions not specifically listed above are not affected by these vulnerabilities. Details ======= Unauthenticated Remote Denial-of-Service (DoS) Vulnerability in Web Management Interface (CVE-2025-37161) - ----------------------------------------------------------------- A vulnerability in the web-based management interface of affected products could allow an unauthenticated remote attacker to cause a denial of service. Successful exploitation could allow an attacker to crash the system, preventing it from rebooting without manual intervention and disrupting network operations. Internal References: ATLWL-555 Severity: High CVSS v3.1 Base Score: 7.5 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Discovery: This vulnerability was discovered and reported by Nicholas Starke from HPE Aruba Networking SIRT. Authenticated Command Injection Vulnerability Leading to Arbitrary Remote Command Execution (CVE-2025-37162) - ----------------------------------------------------------------- A vulnerability in the command line interface of affected devices could allow an authenticated remote attacker to conduct a command injection attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. Internal References: ATLWL-551, ATLWL-554 Severity: Medium CVSS v3.1 Base Score: 6.5 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N Discovery: This vulnerability was discovered and reported by Nicholas Starke from HPE Aruba Networking SIRT. Resolution ========== To remediate the vulnerabilities described in the Details section above, upgrade the HPE Aruba Networking 100 Series Cellular Bridge firmware to the applicable version shown below: - - AOS-10.7.2.0 and above Software versions with resolution/fixes for the vulnerabilities covered above can be downloaded from the HPE Networking Support Portal at https://networkingsupport.hpe.com/home/ HPE Aruba Networking does not evaluate or patch software branches that have reached their End of Maintenance (EoM) milestone. For more information about HPE Aruba Networking End of Life policy please visit: https://www.hpe.com/psnow/doc/a00143052enw Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage. Exploitation and Public Discussion ================================== HPE Aruba Networking is not aware of any public discussion or exploit code that targets the vulnerabilities listed as of the release date of this advisory. Revision History ================ Revision 1 / 2025-NOV-18/ Initial release HPE Aruba Networking SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt@hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.hpe.com/info/psrt-pgp-key (c) Copyright 2025 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. _____________________________________________________________________ HPE Aruba Networking Product Security Advisory =============================== Advisory ID: HPESBNW04971 CVE: CVE-2025-37163, CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747 Publication Date: 2025-Nov-18 Status: Confirmed Severity: High Revision: 1 Title ===== HPE Aruba Networking Management Software (AirWave), Multiple Vulnerabilities Overview ======== HPE Aruba Networking has released a software update for the HPE Aruba Networking Management Software (AirWave) that addresses multiple security vulnerabilities. Affected Products ================= HPE Aruba Networking Management Software (AirWave) - 8.3.0.4 and below Unaffected Products =================== All other HPE Aruba Networking products and software versions not explicitly listed above are not affected by the vulnerabilities described in the Details section below. Details ======= Authenticated Command Injection Vulnerability in HPE Aruba Networking Management Software (AirWave) CLI (CVE-2025-37163) - --------------------------------------------------------------------- A command injection vulnerability has been identified in the command line interface of the HPE Aruba Networking Airwave Platform. An authenticated attacker could exploit this vulnerability to execute arbitrary operating system commands with elevated privileges on the underlying operating system. Internal References: ATLAW-205 Severity: High CVSS v3.1 Base Score: 7.2 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerabilty was discovered and reported by Michael "Smolli" Smolinski through HPE Aruba Networking SIRT. Workaround: None. Multiple Vulnerabilities in Rsync Daemon allow for Remote Code Execution, Directory Traversal, and Sensitive Information Disclosure (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747) - --------------------------------------------------------------------- Rsync, a versatile file-synchronizing tool, contains six vulnerabilities present within versions 3.3.0 and below. Rsync can be used to sync files between remote and local computers, as well as storage devices. The discovered vulnerabilities include heap-buffer overflow, information leak, file leak, external directory file-write,?safe-links bypass, and symbolic-link race condition. Internal References: ATLAW-204 Severity: Medium CVSS v3.1 Base Score: 6.7 CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Discovery: Simon Scannel, Pedro Gallegos, and Jasiel Spelman from Google Cloud Vulnerability Research, and Aleksei Gorban. Workaround: To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above, along with accounting controls for tracking and logging user activities and resource usage. Note: The Rsync vulnerabilities listed above are reported according to the public information found in the NVD. Resolution ========== Upgrade the HPE Aruba Networking Management Software (AirWave) to the version listed below to resolve the vulnerabilities described in the Details section above: - Airwave 8.3.0.5 and above The software version containing fixes for the vulnerabilities described above is available for download from the HPE Networking Support Portal: https://networkingsupport.hpe.com/home/ Workaround ========== Vulnerability specific workarounds are listed per vulnerability above. You may contact HPE Services - Aruba Networking for assistance if needed. For more information, please visit HPE Aruba Networking Support Portal at https://networkingsupport.hpe.com/home Exploitation and Public Discussion ================================== Except for the Rsync vulnerabilities (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747), which have already been publicly disclosed through the VINCE CERT Coordination Center, HPE Aruba Networking is not aware of any public discussion or exploit code targeting the vulnerabilities described in this advisory. Additionally, as of the advisory?s release date, HPE Aruba Networking has no evidence of tools or techniques actively exploiting these vulnerabilities in HPE Aruba Networking Management Software (AirWave) or in any other HPE Aruba Networking products. More information can be found at: https://www.kb.cert.org/vuls/id/952657 Revision History ================ Revision 1 / 2025-Nov-18 / Initial release HPE Aruba Networking SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.hpe.com/info/psrt-pgp-key (c) Copyright 2025 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================