Vulnerabilities in ArubaNetworks ArubaOS and SD-WAN Could Allow for Arbitrary Code Execution

DESCRIPTION:
Multiple vulnerabilities have been discovered in ArubaNetwork’s ArubaOS
and SD-WAN, which could result in arbitrary code execution. Aruba (a
Hewlett Packard Enterprise company) is the worldwide second-largest
enterprise WLAN vendor after Cisco. ArubaOS is its WLAN controller
system for automating WLAN management, and SD-WAN (software defined WAN)
is its cloud-oriented WAN orchestration system. Successful exploitation
of these vulnerabilities could allow an attacker to execute arbitrary
code in context of the user running the application.

IMPACT:
Multiple vulnerabilities have been discovered in ArubaNetwork’s ArubaOS
and SD-WAN, which could result in arbitrary code execution. The
vulnerabilities are as follows:

* Buffer overflow caused by specially crafted packets sent to the PAPI
(Process API, Aruba’s access point management protocol) on UDP port 8211
of access points or controllers. [CVE-2020-24633]
* Unauthenticated remote command injection caused by specially crafted
packets sent to the PAPI (Process API, Aruba’s access point management
protocol) on UDP port 8211 of access points or controllers. [CVE-2020-24634]

An attacker can exploit these vulnerabilities to run arbitrary commands
in the context of the user running the application. Due to the central
location of the attack targets, an attacker could use a successful
exploit as a foothold to pivot through the network and/or set up
interception attacks (e.g. Man in the Middle) with their control over
the WLAN/WAN.

SYSTEM AFFECTED:
Buffer Overflow (CVE-2020-24633):
* ArubaOS 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5,
8.7.0.0 and below
* SD-WAN 2.1.0.1, 2.2.0.0 and below

Unauthenticated Remote Command Injection (CVE-2020-24634):
* ArubaOS 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below
* SD-WAN 2.1.0.1, 2.2.0.0 and below

RECOMMENDATIONS:
We recommend the following actions be taken:
* Apply the patches released by Aruba and upgrade software where applicable.
* Restrict communications between Controllers/Gateways via VLANs and/or
firewall policies.
* Block external access at the network boundary and if possible,
restrict server access to trusted hosts only.
* Apply the Principle of Least Privilege to all systems and services;
run all software as a nonprivileged user with minimal access rights.
* Deploy NIDS to monitor network traffic for signs of anomalous or
suspicious activity. This includes but is not limited to requests that
include NOP sleds and unexplained incoming and outgoing traffic. This
may indicate exploit attempts or activity that results from successful
exploits.

REFERENCES:
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-012.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24634

Share