Multiple Vulnerabilities in ArubaNetworks ArubaOS and SD-WAN Could Allow for Arbitrary Code Execution
MS-ISAC ADVISORY NUMBER:2020-172
Multiple vulnerabilities have been discovered in ArubaNetwork’s ArubaOS and SD-WAN, which could result in arbitrary code execution. Aruba (a Hewlett Packard Enterprise company) is the worldwide second-largest enterprise WLAN vendor after Cisco. ArubaOS is its WLAN controller system for automating WLAN management, and SD-WAN (software defined WAN) is its cloud-oriented WAN orchestration system. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in context of the user running the application.
There are currently no reports of these vulnerabilities being exploited in the wild. The vulnerabilities were discovered by a researcher via Aruba’s bug bounty program.
- ArubaOS 188.8.131.52
- ArubaOS 184.108.40.206
- ArubaOS 220.127.116.11
- ArubaOS 18.104.22.168
- ArubaOS 22.214.171.124
- ArubaOS 126.96.36.199
- ArubaOS 188.8.131.52
- SD-WAN 184.108.40.206
- SD-WAN 220.127.116.11
- All Previous Versions
- Large and medium government entities: HIGH
- Small government entities: MEDIUM
- Large and medium business entities: HIGH
- Small business entities: MEDIUM
Multiple vulnerabilities have been discovered in ArubaNetwork’s ArubaOS and SD-WAN, which could result in arbitrary code execution. The vulnerabilities are as follows:
- Buffer overflow caused by specially crafted packets sent to the PAPI (Process API, Aruba’s access point management protocol) on UDP port 8211 of access points or controllers. [CVE-2020-24633]
- Unauthenticated remote command injection caused by specially crafted packets sent to the PAPI (Process API, Aruba’s access point management protocol) on UDP port 8211 of access points or controllers. [CVE-2020-24634]
An attacker can exploit these vulnerabilities to run arbitrary commands in the context of the user running the application. Due to the central location of the attack targets, an attacker could use a successful exploit as a foothold to pivot through the network and/or set up interception attacks (e.g. Man in the Middle) with their control over the WLAN/WAN.
We recommend the following actions be taken:
- Apply the patches released by Aruba and upgrade software where applicable.
- Restrict communications between Controllers/Gateways via VLANs and/or firewall policies.
- Block external access at the network boundary and if possible, restrict server access to trusted hosts only.
- Apply the Principle of Least Privilege to all systems and services; run all software as a nonprivileged user with minimal access rights.
- Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.