Headline
CVE-2022-23677

A remote arbitrary code execution vulnerability was discovered in ArubaOS-Switch devices running the following versions:

- ArubaOS-Switch 15.xx.xxxx: All versions
- ArubaOS-Switch 16.01.xxxx: All versions
- ArubaOS-Switch 16.02.xxxx: K.16.02.0033 and below
- ArubaOS-Switch 16.03.xxxx: All versions
- ArubaOS-Switch 16.04.xxxx: All versions
- ArubaOS-Switch 16.05.xxxx: All versions
- ArubaOS-Switch 16.06.xxxx: All versions
- ArubaOS-Switch 16.07.xxxx: All versions
- ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0024 and below
- ArubaOS-Switch 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0019 and below
- ArubaOS-Switch 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0019 and below
- ArubaOS-Switch 16.11.xxxx: KB/WB/WC/YA/YB/YC.16.11.0003 and below

Aruba has released upgrades for ArubaOS-Switch devices that address these security vulnerabilities.
Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2022-008
CVE: CVE-2022-23676, CVE-2022-23677
Publication Date: 2022-May-03
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
Heap Overflow Vulnerabilities Within ArubaOS-Switch Devices

Overview
========
The Armis Research Team has discovered multiple heap overflow vulnerabilities affecting various networking vendors. ArubaOS-Switch devices running the affected versions listed below are exposed to these vulnerabilities. Exploitation of these vulnerabilities allows an attacker to execute arbitrary code on the affected device. More information about these vulnerabilities can be found at:
https://www.armis.com/research/tlstorm/

Affected Products
=================
Customers using the following switch models and firmware versions are affected by the vulnerabilities listed in this advisory.

Aruba Switch Models:
- Aruba 5400R Series Switches
- Aruba 3810 Series Switches
- Aruba 2920 Series Switches
- Aruba 2930F Series Switches
- Aruba 2930M Series Switches
- Aruba 2530 Series Switches
- Aruba 2540 Series Switches

Software branch versions:
- ArubaOS-Switch 15.xx.xxxx: All versions.
- ArubaOS-Switch 16.01.xxxx: All versions.
- ArubaOS-Switch 16.02.xxxx: K.16.02.0033 and below.
- ArubaOS-Switch 16.03.xxxx: All versions.
- ArubaOS-Switch 16.04.xxxx: All versions.
- ArubaOS-Switch 16.05.xxxx: All versions.
- ArubaOS-Switch 16.06.xxxx: All versions.
- ArubaOS-Switch 16.07.xxxx: All versions.
- ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0024 and below.
- ArubaOS-Switch 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0019 and below.
- ArubaOS-Switch 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0019 and below.
- ArubaOS-Switch 16.11.xxxx: KB/WB/WC/YA/YB/YC.16.11.0003 and below.
Unaffected Products
===================
Any other Aruba products not listed above, including other models of ArubaOS-Switches, ArubaOS-CX Switches, Aruba Intelligent Edge Switches and HPE OfficeConnect Switches, are not affected by these vulnerabilities.

Details
=======

Heap Overflow Vulnerabilities in RADIUS EAP Messages (CVE-2022-23676)
=====================================================================
Multiple heap overflow vulnerabilities have been discovered in the ArubaOS-Switch firmware. Successful exploitation of these vulnerabilities could result in the ability to execute arbitrary code.

Exploitation of these vulnerabilities requires the interaction of an affected switch with an attacker-controlled source of RADIUS Access-Challenge messages. Because of this, exploitation of these vulnerabilities would most likely occur as part of an attack chain building upon previous exploitation of customer-controlled infrastructure.

Internal reference: APVOS-14
Severity: Critical
CVSSv3.1 Overall Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Resolution:
- ArubaOS-Switch 15.16.xxxx: Version still pending. This advisory will be updated.
- ArubaOS-Switch 16.02.xxxx: K.16.02.0034 and above.
- ArubaOS-Switch 16.04.xxxx: Version still pending. This advisory will be updated.
- ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0025 and above.
- ArubaOS-Switch 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0020 and above.
- ArubaOS-Switch 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0020 and above.
- ArubaOS-Switch 16.11.xxxx: KB/WB/WC/YA/YB/YC.16.11.0004 and above.

Heap Overflow Vulnerabilities in Mocana Cryptographic Library (CVE-2022-23677)
==============================================================================
Multiple heap overflow vulnerabilities related to the Mocana cryptographic library have been discovered in the ArubaOS-Switch firmware. Successful exploitation of these vulnerabilities could result in the ability to execute arbitrary code.
Exploitation of these vulnerabilities requires the interaction of an affected switch with an attacker-controlled source of RADIUS Access-Challenge messages. Because of this, exploitation of these vulnerabilities would most likely occur as part of an attack chain building upon previous exploitation of customer-controlled infrastructure.

Internal Reference: APVOS-14
Severity: Critical
CVSSv3.1 Overall Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Resolution:
The firmware versions that address the vulnerabilities related to CVE-2022-23677 are still pending. This advisory will be updated.

Workaround
==========
Aruba recommends implementing firewall controls that restrict the RADIUS traffic of impacted switches to known-good RADIUS sources.

Exploitation and Public Discussion
==================================
This vulnerability is part of a coordinated disclosure with the Armis Research team, and the details of the vulnerability can be found here:
https://www.armis.com/research/tlstorm/

Discovery
=========
These vulnerabilities were discovered and disclosed by Noam Afuta from Armis Research.

Revision History
================
Revision 1 / 2022-May-03 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and on obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

© Copyright 2022 by Aruba, a Hewlett Packard Enterprise company.
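The Affected Products table and the per-branch Resolution list above are the data a defender needs when triaging a fleet of switches. The following added example (not Aruba's tooling, and not part of the advisory) encodes those two tables and decides, for a firmware string pulled from an inventory, whether the device is in an affected range and which build on the same branch first fixes CVE-2022-23676; it assumes version strings have the shape "KB.16.08.0024" (platform letters, then major.minor.build), which the advisory uses but does not define formally.

```python
import re
from typing import NamedTuple, Optional

# Added example, not Aruba's tooling: encodes the per-branch cutoffs from the
# Affected Products table and the CVE-2022-23676 Resolution list. Assumption:
# version strings look like "KB.16.08.0024" (platform letters, major.minor.build),
# the shape used in the advisory, which does not define the format formally.
VERSION_RE = re.compile(r"^([A-Z]{1,2})\.(\d{2})\.(\d{2})\.(\d{4})$")

# Branches where every build is affected.
ALL_BUILDS_AFFECTED = {"16.01", "16.03", "16.04", "16.05", "16.06", "16.07"}
# Branches affected up to and including this build ("X and below").
LAST_AFFECTED_BUILD = {"16.02": 33, "16.08": 24, "16.09": 19, "16.10": 19, "16.11": 3}
# First build fixing CVE-2022-23676; 15.16 and 16.04 are "still pending" in the
# advisory, and no fixed build is published at all yet for CVE-2022-23677.
FIRST_FIXED_23676 = {"16.02": 34, "16.08": 25, "16.09": 20, "16.10": 20, "16.11": 4}

class Version(NamedTuple):
    platform: str  # "KB", "K", "YC", ...
    branch: str    # "16.08"
    build: int     # 24

class Triage(NamedTuple):
    affected: bool
    fixed_version: Optional[str]  # None when not affected or when the fix is pending

def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ArubaOS-Switch version: {text!r}")
    platform, major, minor, build = m.groups()
    return Version(platform, f"{major}.{minor}", int(build))

def is_affected(text: str) -> bool:
    """True if the firmware string falls inside the advisory's affected ranges."""
    v = parse_version(text)
    if v.branch.startswith("15.") or v.branch in ALL_BUILDS_AFFECTED:
        return True  # "15.xx.xxxx: All versions" and the all-versions 16.0x branches
    cutoff = LAST_AFFECTED_BUILD.get(v.branch)
    return cutoff is not None and v.build <= cutoff  # unlisted branches: not affected

def triage(text: str) -> Triage:
    v = parse_version(text)
    if not is_affected(text):
        return Triage(False, None)
    first_fixed = FIRST_FIXED_23676.get(v.branch)
    fixed = None if first_fixed is None else f"{v.platform}.{v.branch}.{first_fixed:04d}"
    return Triage(True, fixed)
```

A device reported as affected with `fixed_version` of None is on a branch whose fix Aruba lists as pending, so the firewall workaround above is the only control available for it until the advisory is revised.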
This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.