
    Possibility: Key Vulnerabilities from HPE’s Aruba subsidiary

    By Theodore Meeks, February 24, 2022

    Network equipment manufacturer Aruba, a subsidiary of Hewlett Packard Enterprise, warns of several vulnerabilities in the AOS-CX firmware for the company's wired switches. Authenticated users can, for example, run code with high privileges and take full control of the affected device.

    Injected commands

    At the command line, authenticated attackers can use the vulnerabilities to inject commands that run with higher privileges in the operating system, thereby compromising it (CVE-2021-41000, CVSS 8.8, risk high). During Diffie-Hellman key exchange, attackers can trigger a denial of service, since a so-called D(HE)at attack is possible: tampered transmitted values lead to excessive computations and, as a result, to paralyzed devices (CVE-2002-20001, CVSS 7.5, high).

    Another vulnerability could allow authenticated attackers to access plaintext information for web-based key management without permission, thus exposing more network infrastructure and potentially leading to further compromises (CVE-2021-3712, CVSS 7.4, high). Furthermore, authenticated users can use manipulated Network Analytics Engine (NAE) scripts to execute arbitrary commands in the operating system and thus take full control of the switch (CVE-2021-41001, CVSS 7.2, high).

    Unauthenticated attackers can exploit cross-site scripting vulnerabilities to inject arbitrary code that runs in a web browser (CVE-2021-41003, CVSS 6.1, medium). In addition, the private keys of X.509 certificates can be recovered due to vulnerabilities (several CVEs, CVSS 5.9, medium). The last vulnerability described affects the command line: a path traversal vulnerability compromises the integrity of critical system files. Attackers can disable keys or change sensitive information (CVE-2021-41002, CVSS 5.5, medium).

    Affected versions

    According to the security report, the vulnerabilities affect the Aruba 4100i, 6100, 6200, 6300, 6400, 8320, 8325, 8360 and 8400 switches. Vulnerable firmware versions are 10.06.0170, 10.07.0050, 10.08.1030 and 10.09.0002, as well as the older versions that preceded them. Aruba notes that the bugs may also be present in the no longer supported firmware versions 10.05 and earlier, but this has not been verified.

    The gaps have been closed in firmware versions 10.06.0180, 10.07.0061, 10.08.1040, 10.09.0010 and later. If you are still using AOS-CX 10.05.xxxx or older firmware, Aruba recommends updating to at least version 10.06.0180. IT managers should use methods they are familiar with to download and install available firmware updates on switches as quickly as possible.
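For triaging a switch inventory against the fixed releases listed above, the following is an added example and not code from Aruba or from the original article. It assumes firmware versions are available as strings, optionally with a two-letter platform prefix; the hostnames and the sample inventory are constructed.

```python
import re

# Fixed builds per AOS-CX branch, as listed in the article.
FIXED_BUILD = {(10, 6): 180, (10, 7): 61, (10, 8): 1040, (10, 9): 10}
OLDEST_FIXED_BRANCH = min(FIXED_BUILD)
# Assumption: a version may carry a two-letter platform prefix such as "FL.".
VERSION_RE = re.compile(r"^(?:[A-Za-z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")


def fmt(branch, build):
    return f"{branch[0]:02d}.{branch[1]:02d}.{build:04d}"


def classify(version):
    """Return (status, minimum_target); branches newer than 10.09 count as 'and later'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return ("unparseable", None)
    major, minor, build = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch < OLDEST_FIXED_BRANCH:
        # 10.05 and earlier: unsupported and not verified, move to the 10.06 fix.
        oldest = OLDEST_FIXED_BRANCH
        return ("unsupported-upgrade", fmt(oldest, FIXED_BUILD[oldest]))
    fixed = FIXED_BUILD.get(branch)
    if fixed is None or build >= fixed:
        return ("patched", None)
    return ("vulnerable", fmt(branch, fixed))


def triage(inventory):
    """Map {hostname: version} to the hosts that still need action."""
    todo = {}
    for host, version in sorted(inventory.items()):
        status, target = classify(version)
        if status != "patched":
            todo[host] = (version, status, target)
    return todo


# Constructed sample inventory; hostnames and prefixes are hypothetical.
SAMPLE = {
    "sw-core-01": "FL.10.08.1030",
    "sw-access-02": "10.09.0010",
    "sw-lab-03": "10.05.0021",
    "sw-dist-04": "unknown",
}
if __name__ == "__main__":
    print(*triage(SAMPLE).items(), sep="\n")
```

Hosts reported as `unparseable` need a manual check rather than being treated as patched.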


    (DMK)
