Axians Portal

Aruba Product Security Advisory
==================================
Advisory ID: ARUBA-PSA-2021-008
CVE: CVE-2020-25705
Publication Date: 2021-Mar-09
Status: Confirmed
Severity: High
Revision: 1

Title
=====
SAD DNS side channel attack

Overview
========
A vulnerability made public under the name SAD DNS affects Domain Name System resolvers due to a vulnerability in the Linux kernel when handling ICMP packets. This vulnerability is present in some Aruba products which are listed below. For more information please see https://www.saddns.net/

Affected Products
=================
All Aruba Instant Access Points running:
- Aruba Instant 8.3.x: 8.3.0.14 and below
- Aruba Instant 8.5.x: 8.5.0.11 and below
- Aruba Instant 8.6.x: 8.6.0.7 and below
- Aruba Instant 8.7.x: 8.7.1.1 and below

Hardware and Virtual implementations of ArubaOS Mobility Conductor (formerly Mobility Master), Aruba Mobility Controllers, Access-Points when managed by Mobility Controllers running:
- ArubaOS 6.4.x: 6.4.4.24 and below
- ArubaOS 6.5.x: 6.5.4.18 and below
- ArubaOS 8.3.x: 8.3.0.14 and below
- ArubaOS 8.5.x: 8.5.0.11 and below
- ArubaOS 8.6.x: 8.6.0.7 and below
- ArubaOS 8.7.x: 8.7.1.1 and below

Hardware and Virtual implementations of SD-WAN Gateways running:
- ArubaOS 2.2.0.3 and below

Unaffected Products
===================
Other Aruba products not listed above are not affected by these vulnerabilities.

Details
=======
A flaw in the way reply ICMP packets are limited in the Linux kernel was found that allows for quick scanning of open UDP ports. This flaw allows an off-path remote user to effectively bypass source port UDP randomization.
Although the vulnerability lies within the way the Linux kernel rate limits ICMP packets, the main impact from the SAD DNS attack would be on name resolution related services running on the affected Aruba device.

Internal references: ATLWL-198, ATLWL-199
Severity: High
CVSSv3 Overall Score: 7.4
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Resolution
==========
Aruba Instant Access Points running:
- Aruba Instant 8.3.x: 8.3.0.15 and above
- Aruba Instant 8.5.x: 8.5.0.12 and above
- Aruba Instant 8.6.x: 8.6.0.8 and above
- Aruba Instant 8.7.x: 8.7.1.2 and above

Hardware and Virtual implementations of ArubaOS Mobility Conductor (formerly Mobility Master), Aruba Mobility Controllers, Access-Points when managed by Mobility Controllers running:
- ArubaOS 6.4.x: 6.4.4.25 and above
- ArubaOS 6.5.x: 6.5.4.19 and above
- ArubaOS 8.3.x: 8.3.0.15 and above
- ArubaOS 8.5.x: 8.5.0.12 and above
- ArubaOS 8.6.x: 8.6.0.8 and above
- ArubaOS 8.7.x: 8.7.1.2 and above

Hardware and Virtual implementations of SD-WAN Gateways running:
- ArubaOS 2.2.0.4 and above

Workaround
==========
As this is a side channel attack it can be difficult to mitigate exposure. However this attack was mostly targeting internet exposed name servers, and not resources inside corporate environments.

Aruba always recommends that the CLI and web-based management interfaces for the affected devices be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 where possible.

For this specific vulnerability outgoing ICMP packets can be disabled using "service ACLs" to implement blocking rules.

Contact Aruba TAC for any configuration assistance.

Discovery
=========
This vulnerability was discovered and reported by Keyu Man, Zhiyun Qian, Zhongjie Wang, Xiaofeng Zheng, Youjun Huang and Haixin Duan in Proceedings of ACM Conference on Computer and Communications Security (CCS`20), November 9-13, 2020

Exploitation and Public Discussion
==================================
Aruba is not aware of any exploitation tools or techniques that specifically target Aruba products.

Revision History
================
Revision 1 / 2021-Mar-09 / Initial release

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products, obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/