Multiple Vulnerabilities in ArubaNetworks ArubaOS and SD-WAN Could Allow for Arbitrary Code Execution

by CIRT Team

31 Dec 2020

in Security Advisories & Alerts

No Comments

1157

SUBJECT
Multiple Vulnerabilities in ArubaNetworks ArubaOS and SD-WAN Could Allow for Arbitrary Code Execution

DESCRIPTION
Multiple vulnerabilities have been discovered in ArubaNetwork’s ArubaOS and SD-WAN, which could result in arbitrary code execution. Aruba (a Hewlett Packard Enterprise company) is the worldwide second-largest enterprise WLAN vendor after Cisco. ArubaOS is its WLAN controller system for automating WLAN management, and SD-WAN (software defined WAN) is its cloud-oriented WAN orchestration system.

The vulnerabilities are as follows:
* Buffer overflow caused by specially crafted packets sent to the PAPI (Process API, Aruba’s access point management protocol) on UDP port 8211 of access points or controllers. [CVE-2020-24633]
* Unauthenticated remote command injection caused by specially crafted packets sent to the PAPI (Process API, Aruba’s access point management protocol) on UDP port 8211 of access points or controllers. [CVE-2020-24634]

IMPACT
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in context of the user running the application.

SYSTEM AFFECTED
Buffer Overflow (CVE-2020-24633):
    * ArubaOS 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
    * SD-WAN 2.1.0.1, 2.2.0.0 and below

Unauthenticated Remote Command Injection (CVE-2020-24634):
    * ArubaOS 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
    * SD-WAN 2.1.0.1, 2.2.0.0 and below

RECOMMENDATIONS
The following actions are recommended:
* Apply the patches released by Aruba and upgrade software where applicable.
* Restrict communications between Controllers/Gateways via VLANs and/or firewall policies.
* Block external access at the network boundary and if possible, restrict server access to trusted hosts only.
* Apply the Principle of Least Privilege to all systems and services; run all software as a nonprivileged user with minimal access rights.
* Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.

REFERENCES
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-012.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24634