HPE ArubaOS – Multiple Remote Vulnerabilities [CVE-2020-24633, CVE-2020-24634, CVE-2020-10713, CVE-2020-24637]

CVE numbers – CVE-2020-24633, CVE-2020-24634, CVE-2020-10713, CVE-2020-24637

Aruba has released patches for ArubaOS that address multiple security vulnerabilities.

Buffer Overflow Vulnerabilities in the PAPI protocol (CVE-2020-24633)

There are multiple buffer overflow vulnerabilities that could lead
to unauthenticated remote code execution by sending especially
crafted packets destined to the PAPI (Aruba Networks AP
management protocol) UDP port (8211) of access-points or
controllers.

Internal references: ATLWL-87, ATLWL-150, ATLWL-151, ATLWL-152,
ATLWL-153, ATLWL-154, ATLWL-155, ATLWL-156
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by
Erik de Jong (bugcrowd.com/erikdejong) via Aruba’s Bug Bounty
Program

Affected Versions:
ArubaOS 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5,
8.7.0.0 and below
SD-WAN 2.1.0.1, 2.2.0.0 and below

Resolution:
ArubaOS 6.4.4.24, 6.5.4.18, 8.2.2.10, 8.3.0.14, 8.5.0.11, 8.6.0.6,
8.7.1.0 and above
SD-WAN 2.1.0.2, 2.2.0.1 and above

Unauthenticated Remote Command Injection Vulnerability (CVE-2020-24634)

An attacker is able to remotely inject arbitrary commands by
sending especially crafted packets destined to the PAPI (Aruba
Networks AP Management protocol) UDP port (8211) of access-points
or controllers.

Internal reference: ATLWL-84, ATLWL-144, ATLWL-149
Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by
Erik de Jong (bugcrowd.com/erikdejong) via Aruba’s Bug Bounty
Program

Affected Versions:
ArubaOS 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
SD-WAN 2.1.0.1, 2.2.0.0 and below

Resolution:
ArubaOS 8.2.2.10, 8.3.0.14, 8.5.0.11, 8.6.0.6, 8.7.1.0 and above
SD-WAN 2.1.0.2, 2.2.0.1 and above

Secureboot Bypass vulnerability in 90xx series gateways (CVE-2020-10713, CVE-2020-24637)

Two vulnerabilities in ArubaOS GRUB2 implementation allows for an
attacker to bypass secureboot. Successful exploitation of this
vulnerability this could lead to remote compromise of system
integrity by allowing an attacker to load an untrusted or modified
kernel.

Internal references: ATLWL-133, ATLWL-159
Severity: High
CVSSv3 Overall Score: 8.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Discovery: CVE-2020-10713 aka: BootHole vulnerability has been
discovered and published by Eclypsium researchers Mickey Shkatov &
Jesse Michael.

CVE-2020-24637 has been discovered by Nicholas Starke of Aruba
Threat Labs

Affected Versions:
ArubaOS 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
SD-WAN 2.1.0.1, 2.2.0.0 and below

Resolution:
ArubaOS 8.5.0.11, 8.6.0.6, 8.7.1.0 and above
SD-WAN 2.1.0.2, 2.2.0.1 and above

Workarounds

In order to minimize the likelihood of an attacker to exploit these vulnerabilities, Aruba recommends that the communication between Controller/ Gateways and Access-Points to be restricted either by having a dedicated layer 2 segment/ VLAN or, if Controller / Gateways and Access-Points cross layer 3 boundaries, to have firewall policies restricting the communication of these authorized devices. Also, enabling the Enhanced PAPI Security feature will prevent the vulnerabilities above from being exploited. Contact Aruba Support for configuration assistance.References:

• CVE-2020-10713
• CVE-2020-24633
• CVE-2020-24634
• CVE-2020-24637