Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2020-010
CVE: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 Publication Date: 2020-Sep-15 Last Updated: 2020-Oct-23
Status: Confirmed
Revision: 2
Title
=====
TCP SACK PANIC - Kernel vulnerabilities
Overview
========
Aruba has released updates to products affected by Linux Kernel
vulnerabilities known as TCP SACK PANIC. Successful exploitation of the most severe of these vulnerabilities could allow a remote attacker to trigger a kernel panic and impact the system availability. (*)
Affected Products
=================
-- AirWave Management Platform version 8.2.9.1 and below
-- Aruba Instant(IAP) versions 6.5.4.16 and below, 8.3.0.12 and below
8.4.0.6 and below, 8.5.0.6 and below
-- Controllers and Gateways running the following versions
-- ArubaOS 6.4.4.24 and below, 6.5.4.17 and below,
8.2.2.8 and below, 8.3.0.12 and below, 8.4.0.6 and below,
8.5.0.9 and below
-- x86 Mobility Master 8.3.0.14 and below, 8.5.0.11 and below,
8.6.0.6 and below, 8.7.1.0 and below
-- Aruba SD-WAN 8.1.0.0-1.0.4.x, 8.4.0.0-1.0.6.x, 8.5.0.0-1.0.7.x
8.5.0.0-2.0.0.0
-- ArubaOS-CX switches version 10.2.0060 and below
-- ClearPass Policy Manager versions 6.7.12 and below,6.8.3 and below
Other Aruba products not listed above are not affected by any of
these vulnerabilities.
Details
=======
Three related flaws were found in the Linux kernel???s handling of TCP
networking.
More information about each of the vulnerabilities can be found on
the CVEs listed above.
(*) Aruba has performed different tests in trying to exploit these
vulnerabilities or cause Denial of Service conditions in our products
without any success.
Even though all three CVEs have the CVSS:3.0 Base Score of 7.5 (High),
Aruba is treating these as Low Severity.
As a proactive measure, Aruba has been updating the Linux Kernel in all
products that might be affected, and upgrade to the patched versions is
recommended, when available.
Resolution
==========
These vulnerabilities are fixed in the following patch releases:
-- AirWave Management Platform 8.2.10 and above
-- Aruba Instant (IAP) 6.5.4.17, 8.3.0.13, 8.5.0.7, 8.6.0.0,
8.7.0.0 and above
-- Controllers and Gateways running the following versions
-- ArubaOS 6.4.4.25 (target date 03/12/2021), 6.5.4.18, 8.3.0.13,
8.5.0.10 and above
-- x86 Mobility Master 8.3.0.15 (target date 01/22/2021)
8.5.0.12 (target date 01/15/2021),8.6.0.7 (target date 12/11/2020)
8.7.1.1 (target date 12/15/2020), 8.8.0.0 (target date 01/19/2021)
and above
-- Aruba SD-WAN 8.5.0.0-2.1.0.0, 8.6.0.0-2.2.0.0 and above
-- ArubaOS-CX switches 10.3.0001 and above
-- ClearPass Policy Manager 6.7.13, 6.8.4, 6.9.0 and above
Discovery
=========
These vulnerabilities were discovered by researcher Jonathan Looney.
Workarounds
===========
None.
Exploitation and Public Discussion
==================================
Aruba is not aware of any public discussion or exploit code related to
this issue.
Revision History
================
Revision 1 / 2020-Sep-15 / Initial Release
Revision 2 / 2020-Oct-23 / Updated Affected & Resolution Versions
Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products, obtaining assistance with security incidents is
available at:
http://www.arubanetworks.com/support-services/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/
(c) Copyright 2020 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
