Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2020-010
CVE: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Publication Date: 2020-Sep-15
Last Updated: 2020-Oct-23
Status: Confirmed
Revision: 2

Title
=====

TCP SACK PANIC - Kernel vulnerabilities

Overview
========

Aruba has released updates to products affected by the Linux kernel
vulnerabilities known as TCP SACK PANIC. Successful exploitation of the most
severe of these vulnerabilities could allow a remote attacker to trigger a
kernel panic and impact system availability. (*)

Affected Products
=================

-- AirWave Management Platform version 8.2.9.1 and below
-- Aruba Instant (IAP) versions 6.5.4.16 and below, 8.3.0.12 and below,
   8.4.0.6 and below, 8.5.0.6 and below
-- Controllers and Gateways running the following versions
   -- ArubaOS 6.4.4.24 and below, 6.5.4.17 and below, 8.2.2.8 and below,
      8.3.0.12 and below, 8.4.0.6 and below, 8.5.0.9 and below
   -- x86 Mobility Master 8.3.0.14 and below, 8.5.0.11 and below,
      8.6.0.6 and below, 8.7.1.0 and below
-- Aruba SD-WAN 8.1.0.0-1.0.4.x, 8.4.0.0-1.0.6.x, 8.5.0.0-1.0.7.x,
   8.5.0.0-2.0.0.0
-- ArubaOS-CX switches version 10.2.0060 and below
-- ClearPass Policy Manager versions 6.7.12 and below, 6.8.3 and below

Other Aruba products not listed above are not affected by any of these
vulnerabilities.

Details
=======

Three related flaws were found in the Linux kernel's handling of TCP
networking. More information about each of the vulnerabilities can be found
in the CVEs listed above.

(*) Aruba has performed several tests attempting to exploit these
vulnerabilities or to cause denial-of-service conditions in our products,
without success. Even though all three CVEs have a CVSS:3.0 Base Score of
7.5 (High), Aruba is treating these as Low Severity. As a proactive measure,
Aruba has been updating the Linux kernel in all products that might be
affected, and upgrading to the patched versions is recommended when they are
available.
Resolution
==========

These vulnerabilities are fixed in the following patch releases:

-- AirWave Management Platform 8.2.10 and above
-- Aruba Instant (IAP) 6.5.4.17, 8.3.0.13, 8.5.0.7, 8.6.0.0, 8.7.0.0 and above
-- Controllers and Gateways running the following versions
   -- ArubaOS 6.4.4.25 (target date 03/12/2021), 6.5.4.18, 8.3.0.13,
      8.5.0.10 and above
   -- x86 Mobility Master 8.3.0.15 (target date 01/22/2021),
      8.5.0.12 (target date 01/15/2021), 8.6.0.7 (target date 12/11/2020),
      8.7.1.1 (target date 12/15/2020), 8.8.0.0 (target date 01/19/2021)
      and above
-- Aruba SD-WAN 8.5.0.0-2.1.0.0, 8.6.0.0-2.2.0.0 and above
-- ArubaOS-CX switches 10.3.0001 and above
-- ClearPass Policy Manager 6.7.13, 6.8.4, 6.9.0 and above

Discovery
=========

These vulnerabilities were discovered by researcher Jonathan Looney.

Workarounds
===========

None.

Exploitation and Public Discussion
==================================

Aruba is not aware of any public discussion or exploit code related to this
issue.

Revision History
================

Revision 1 / 2020-Sep-15 / Initial Release
Revision 2 / 2020-Oct-23 / Updated Affected & Resolution Versions

Aruba SIRT Security Procedures
==============================

Complete information on reporting security vulnerabilities in Aruba Networks
products and obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent to
aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP
encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company.

This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.
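The Affected Products and Resolution lists above are easiest to act on when turned into a version check. The helper below is an added example, not Aruba's code: it takes an ArubaOS controller/gateway build string, tells whether it falls inside the advisory's "and below" ranges, and names the same-branch patch release from the Resolution section, flagging branches (8.2.2.x, 8.4.0.x) for which the advisory lists no patch release. The rule that a branch is the first three version components is an assumption made for this example.

```python
# Added triage helper for ARUBA-PSA-2020-010 (example code, not Aruba's).
# Version thresholds are copied from the advisory's ArubaOS controller and
# gateway entries; the "branch = first three components" rule is assumed.

ADVISORY = "ARUBA-PSA-2020-010"

# "X and below" thresholds from Affected Products (ArubaOS controllers/gateways).
AFFECTED_MAX = ["6.4.4.24", "6.5.4.17", "8.2.2.8", "8.3.0.12", "8.4.0.6", "8.5.0.9"]
# "X and above" patch releases from Resolution for ArubaOS.
FIXED_MIN = ["6.4.4.25", "6.5.4.18", "8.3.0.13", "8.5.0.10"]


def parse(version):
    """'8.5.0.9' -> (8, 5, 0, 9); tuples compare component-wise."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ArubaOS version format: {version!r}")
    return tuple(int(p) for p in parts)


def branch(version):
    """Assumed branch key: the first three components, e.g. (8, 5, 0)."""
    return parse(version)[:3]


def triage(version):
    """Return (affected, fix): fix is the same-branch patch release or None."""
    v = parse(version)
    for ceiling in AFFECTED_MAX:
        c = parse(ceiling)
        if c[:3] == v[:3] and v <= c:          # same branch, at or below threshold
            fixes = [f for f in FIXED_MIN if branch(f) == v[:3]]
            return True, (fixes[0] if fixes else None)
    return False, None


def report(version):
    """One-line triage verdict suitable for a fleet inventory script."""
    affected, fix = triage(version)
    if not affected:
        return f"{version}: not listed as affected by {ADVISORY}"
    if fix is None:
        return f"{version}: affected; no patch release listed for this branch, move to a fixed branch"
    return f"{version}: affected; upgrade to {fix} or later"


if __name__ == "__main__":
    # Constructed sample inventory, one build per line of output.
    for build in ["8.5.0.9", "8.5.0.10", "8.4.0.3", "6.4.4.25", "8.6.0.5"]:
        print(report(build))
```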