Warning: Multiple vulnerabilities in Aruba products including Arbitrary Code Execution, Patch Immediately!

Reference: Advisory #2023-54
Version: 1.0
Affected software: 
Access Points running InstantOS and ArubaOS 10
ArubaOS 10.3.x: 10.3.1.0 and below
Aruba InstantOS 8.10.x: 8.10.0.4 and below
Aruba InstantOS 8.6.x: 8.6.0.19 and below
Aruba InstantOS 6.5.x: 6.5.4.23 and below
Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below
Aruba InstantOS 8.9.x: all (End-of-life)
Aruba InstantOS 8.8.x: all (End-of-life)
Aruba InstantOS 8.7.x: all (End-of-life)
Aruba InstantOS 8.5.x: all (End-of-life)
Aruba InstantOS 8.4.x: all (End-of-life)
CVE/CVSS: 
CVE-2023-22779 CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-22787 CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2023-22788 CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-22791 CVSS: 5.4 (CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Sources

Aruba Networks: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt

Risks

ArubaOS and InstantOS are affected by multiple vulnerabilities, including critical unauthenticated buffer overflows that can lead to unauthenticated remote code execution. Additionally, the products are affected by unauthenticated denial of service, authenticated remote code execution and sensitive information disclosure vulnerabilities.

The vendor has patched most affected systems, but warns that there is no patch available for End-of-Life (EOL) systems. At the time of writing, there is no indication of exploitation in the wild.

Description

CVE-2023-22779 and more - Unauthenticated Buffer Overflow Vulnerabilities

The vulnerabilities affect multiple underlying services accessed via PAPI (Aruba's access point management protocol). The different CVEs created therefore describe the same vulnerability (CVE-2023-22779, CVE-2023-22780, CVE-2023-22781, CVE-2023-22782, CVE-2023-22783, CVE-2023-22784, CVE-2023-22785, CVE-2023-22786).

By sending specially crafted packets destined to the PAPI UDP port (8211), an unauthenticated attacker can execute arbitrary code as a privileged user on the underlying operating system.

CVE-2023-22787 - Unauthenticated Denial of Service Vulnerability

The vulnerability exists in a service accessed via the PAPI protocol and results in the ability to interrupt the normal operation of the affected access point.

CVE-2023-22788 - Authenticated Remote Command Execution Vulnerabilities

By exploiting these vulnerabilities, an authenticated attacker can execute arbitrary commands as a privileged user on the underlying operating system. CVEs include: CVE-2023-22788, CVE-2023-22789, CVE-2023-22790.

CVE-2023-22791 - Sensitive Information Disclosure Vulnerability

This vulnerability is complicated to exploit as it has 3 requirements and depends on factors not controlled by the attacker. A specific network configuration and WLAN environment can lead to sensitive information disclosure via the WLAN, if the attacker already possesses valid credentials.

Recommended Actions

The Centre for Cybersecurity Belgium strongly recommends that network administrators patch the identified vulnerable products in their environment and replace any EOL products, after thorough testing. Follow the vendor's instructions.
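
To decide which access points need patching and which need replacing, the version ranges under "Affected software" can be checked against an inventory export. The following is an added example, not code from the CCB or Aruba; the function names, the product labels "ArubaOS"/"InstantOS" and the sample inventory are assumptions made for illustration.

```python
import re

# Highest affected build per branch, copied from the "Affected software" list.
AFFECTED_MAX = {
    ("ArubaOS", "10.3"): "10.3.1.0",
    ("InstantOS", "8.10"): "8.10.0.4",
    ("InstantOS", "8.6"): "8.6.0.19",
    ("InstantOS", "6.5"): "6.5.4.23",
    ("InstantOS", "6.4"): "6.4.4.8-4.2.4.20",
}
# End-of-life branches: every build is affected and the vendor ships no patch.
EOL_BRANCHES = {("InstantOS", b) for b in ("8.9", "8.8", "8.7", "8.5", "8.4")}


def parse_version(text):
    """Turn '6.4.4.8-4.2.4.20' into a tuple of ints so builds compare numerically."""
    parts = re.split(r"[.-]", text.strip())
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(product, version):
    """Return 'eol', 'affected', 'above-affected-range' or 'unlisted'."""
    v = parse_version(version)
    key = (product, f"{v[0]}.{v[1]}")
    if key in EOL_BRANCHES:
        return "eol"  # no patch available: replace the device
    if key not in AFFECTED_MAX:
        return "unlisted"  # branch not named in this advisory; check the vendor text
    if v <= parse_version(AFFECTED_MAX[key]):
        return "affected"  # at or below the listed build: patch
    return "above-affected-range"


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("ap-lobby", "InstantOS", "8.6.0.2"),
    ("ap-floor2", "InstantOS", "8.10.0.5"),
    ("ap-warehouse", "InstantOS", "8.7.1.9"),
    ("ap-lab", "ArubaOS", "10.3.1.0"),
    ("ap-annex", "InstantOS", "6.4.4.8-4.2.4.19"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        print(f"{host:14} {product:10} {version:18} {classify(product, version)}")
```

Comparing the builds as integer tuples matters here: a plain string comparison would rank 8.6.0.2 above 8.6.0.19 and miss an affected device.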

References

https://nvd.nist.gov/vuln/detail/CVE-2023-22779
https://nvd.nist.gov/vuln/detail/CVE-2023-22787
https://nvd.nist.gov/vuln/detail/CVE-2023-22788
https://nvd.nist.gov/vuln/detail/CVE-2023-22791