
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN585
_____________________________________________________________________

DATE                : 03/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): ArubaOS-CX versions prior to 10.16.1010,
                       10.15.1010, 10.13.1090, 10.10.1160.

=====================================================================
https://csaf.arubanetworking.hpe.com/2026/hpe_aruba_networking_-_hpesbnw05062.txt
_____________________________________________________________________

HPE Aruba Networking Product Security Advisory
==============================================
Advisory ID: HPESBNW05062
CVE: CVE-2024-39894
Publication Date: 2026-JUN-02
Status: FINAL
Severity: High
Revision: 1
 
 
Title
=====
OpenSSH Keystroke Obfuscation Bypass in HPE Aruba Networking
ArubaOS-CX Switches.

Overview
========
A vulnerability in OpenSSH's ObscureKeystrokeTiming feature 
(introduced in version 9.5) renders its keystroke timing 
obfuscation ineffective due to a logic error. This may allow 
attackers to observe keystroke timing patterns despite the 
feature being enabled by default.
 
 
Affected Products
=================
HPE Aruba Networking ArubaOS-CX Switches
  - 10.16.1000 and below
  - 10.15.0005 and below
  - 10.13.1080 and below
  - 10.10.1150 and below
     
Product software versions that have reached End of 
Maintenance (EoM) are presumed to be affected by this 
vulnerability unless explicitly stated otherwise, and are 
not covered by this security advisory.


Unaffected Products
===================
Any other HPE Aruba Networking products and software 
versions not specifically listed above are not affected 
by the OpenSSH Keystroke Obfuscation Bypass vulnerability.

Details
=======

OpenSSH Keystroke Obfuscation Bypass
(CVE-2024-39894)
------------------------------------------------------------
  A vulnerability in OpenSSH 9.5 through 9.7 before 9.8 
  sometimes allows timing attacks against echo-off password 
  entry (e.g., for su and Sudo) because of an 
  ObscureKeystrokeTiming logic error. Similarly, other 
  timing attacks against keystroke entry could occur.

  Internal References: VULN-57
  Severity: High
  CVSS v3.1 Base Score: 7.5
  CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

  Discovery: This vulnerability was discovered and reported 
  by Philippos Giavridis, Jacky Wei En Kung, Daniel 
  Hugenroth and Alastair Beresford (University of Cambridge)


Resolution
==========
HPE Aruba Networking ArubaOS-CX Switches
  - ArubaOS-CX 10.16.xxxx: 10.16.1010 and above
  - ArubaOS-CX 10.15.xxxx: 10.15.1010 and above 
  - ArubaOS-CX 10.13.xxxx: 10.13.1090 and above 
  - ArubaOS-CX 10.10.xxxx: 10.10.1160 and above

Software versions with resolution/fixes for the 
Vulnerability covered above can be downloaded 
from the HPE Networking Support Portal at 
https://networkingsupport.hpe.com/home/
 
HPE Aruba Networking does not evaluate or patch software 
branches that have reached their End of Maintenance (EoM) 
milestone. For more information about HPE Aruba Networking 
End of Life policy please visit: 
https://www.hpe.com/psnow/doc/a00143052enw
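As an added example (not part of this HPE Aruba Networking advisory and not an HPE tool), the following Python helper checks the software version a switch reports against the first fixed build of its branch, using only the version numbers listed in the Resolution section above. The hostnames and version lines in the sample inventory are constructed, and the MAJOR.MINOR.BBBB layout of the version string is assumed from the versions quoted in this advisory; branches the advisory does not list are reported separately so their End of Maintenance status can be checked by hand.

```python
"""Triage helper for HPESBNW05062 (CVE-2024-39894) on ArubaOS-CX.

Added example, not part of the HPE Aruba Networking advisory. Given the
software version string a switch reports, it decides whether the running
build is at or above the fixed build for its branch, using only the
version numbers the advisory lists.
"""
import re
from typing import Dict, Optional, Tuple

# First fixed build per branch, copied from the advisory's Resolution section.
FIXED_BUILDS: Dict[str, str] = {
    "10.16": "10.16.1010",
    "10.15": "10.15.1010",
    "10.13": "10.13.1090",
    "10.10": "10.10.1160",
}

# Assumed layout: MAJOR.MINOR.BBBB with a four-digit build number, as in the
# versions quoted by the advisory. The regex searches anywhere in the text,
# so a label or image tag in front of the number does not matter.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d{4})\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first MAJOR.MINOR.BUILD triple found in arbitrary text."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, build = (int(g) for g in m.groups())
    return (major, minor, build)


def assess(version_text: str) -> str:
    """Classify one reported version string.

    Returns one of:
      "fixed"       - at or above the branch's first fixed build
      "vulnerable"  - on a listed branch, below the fixed build
      "not-listed"  - branch absent from the advisory; check its EoM status,
                      since EoM branches are presumed affected and unpatched
      "unparsed"    - no recognisable version in the input
    """
    v = parse_version(version_text)
    if v is None:
        return "unparsed"
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "not-listed"
    fixed_v = parse_version(fixed)
    assert fixed_v is not None  # table entries are well-formed by construction
    # Tuple comparison orders by major, then minor, then build number.
    return "fixed" if v >= fixed_v else "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {hostname: version_text} inventory."""
    return {host: assess(text) for host, text in inventory.items()}


# Constructed sample inventory: hostnames and version lines are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "sw-core-1": "Version : 10.13.1050",
    "sw-core-2": "Version : 10.13.1090",
    "sw-edge-7": "Version : 10.10.1100",
    "sw-edge-8": "Version : 10.16.1010",
    "sw-lab-1": "Version : 10.12.0040",
    "sw-unknown": "no version line captured",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:<10} {status}")
```

Feed it the version line from each switch (for example, the output of the platform's version command collected by your inventory tooling) and upgrade anything reported as "vulnerable"; entries reported as "not-listed" are on a branch the advisory does not mention and should be checked against the End of Maintenance policy linked above.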


Workaround
==========
To minimize the likelihood of an attacker exploiting this
vulnerability, HPE Aruba Networking recommends that access 
to the SSH port on impacted devices be restricted to a 
dedicated layer 2 segment/VLAN and/or controlled by firewall 
policies at layer 3 and above.


Exploitation and Public Discussion
==================================
This CVE has been widely discussed in public. Additional 
details about this vulnerability are available at 
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:01.openssh.asc.
At this time, HPE Aruba Networking is not aware of any 
publicly available exploitation tools or techniques that 
specifically target HPE Aruba Networking products.
 
 
Revision History
================
Revision 1 / 2026-JUN-02 / Initial release

 
HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in 
HPE Aruba Networking products and obtaining assistance with 
security incidents is available at:
http://www.hpe.com/support/security-response-policy

For reporting NEW HPE Aruba Networking security issues, 
email can be sent to networking-sirt@hpe.com. For sensitive 
information we encourage the use of PGP encryption. Our 
public keys can be found at: 
https://www.hpe.com/info/psrt-pgp-key 

(c) Copyright 2026 by Hewlett Packard Enterprise Development LP. 
This advisory may be redistributed freely after the release date 
given at the top of the text, provided that the redistributed 
copies are complete and unmodified, including all data and 
version information.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
