Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2021-010
CVE: CVE-2021-25147, CVE-2021-25151, CVE-2021-25152, CVE-2021-25153, CVE-2021-25154, CVE-2021-25163, CVE-2021-25164, CVE-2021-25165, CVE-2021-25166, CVE-2021-25167, CVE-2021-29137
Publication Date: 2021-Apr-20
Status: Confirmed
Severity: High
Revision: 1




Title
=====
AirWave Management Platform Multiple Vulnerabilities




Overview
========
Aruba has released updates to the AirWave Management Platform that address multiple security vulnerabilities.




Affected Products
=================
AirWave Management Platform prior to 8.2.12.1




Details
=======


Authentication Bypass in AirWave Web-based Management Interface (CVE-2021-25147)
---------------------------------------------------------------------


A vulnerability exists which allows an unauthenticated attacker to assume an administrative role on the AirWave web-based management interface. Successful exploitation of this issue requires factors that may be beyond the direct control of an attacker. Successful exploitation allows an attacker to gain complete administrative control of the AirWave instance.


Internal references: ATLAW-131
Severity: High
CVSSv3 Overall Score: 8.1
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H


Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program




Deserialization Vulnerabilities in AirWave Web-based Management Interface (CVE-2021-25151, CVE-2021-25152)
---------------------------------------------------------------------


Vulnerabilities in the deserialization functions used in multiple locations by the AirWave web-based management interface could allow remote authenticated users to execute arbitrary commands on the underlying host. A successful exploit allows an attacker to execute commands as root on the underlying operating system leading to complete system compromise.


Internal references: ATLAW-125, ATLAW-141
Severity: High
CVSSv3 Overall Score: 7.2
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H


Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program




SQL Injection Vulnerability in AirWave API Interface (CVE-2021-25153)
---------------------------------------------------------------------


A vulnerability in the API of AirWave could allow an authenticated remote attacker to conduct SQL injection attacks against the AirWave instance. A successful exploit allows an attacker to obtain and modify sensitive information in the underlying database.


Internal references: ATLAW-31, ATLAW-156
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N


Discovery: This vulnerability was discovered and reported by Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program




Privilege Escalation Vulnerability in AirWave Web-based Management Interface (CVE-2021-25154)
---------------------------------------------------------------------


A vulnerability in the web-based management interface of AirWave could allow a remote authenticated user with read-only privileges to escalate those privileges to those of a full administrative user. Successful exploitation of this issue requires factors that may be beyond the direct control of an attacker. Successful exploitation allows an attacker to gain complete administrative control of the AirWave instance.


Internal references: ATLAW-143
Severity: Medium
CVSSv3 Overall Score: 5.9
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L


Discovery: This vulnerability was discovered and reported by Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program




Authenticated XML External Entity (XXE) Vulnerability in AirWave Web-based Management Interface (CVE-2021-25163, CVE-2021-25164, CVE-2021-25165)
---------------------------------------------------------------------


Due to improper restrictions on XML entities, multiple vulnerabilities exist in the web-based management interface of AirWave. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.


Internal references: ATLAW-22, ATLAW-28, ATLAW-151, ATLAW-165, ATLAW-166
Severity: Medium
CVSSv3 Overall Score: 5.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H


Discovery: These vulnerabilities were discovered and reported by Vidya Bhaskar Tripathi (www.linkedin.com/in/vbtr/),
harishkumar0394 (bugcrowd.com/harishkumar0394) and Daniel Jensen (@dozernz) via Aruba's Bug Bounty Program




Authenticated Remote Command Injection in AirWave Web-based Management Interface (CVE-2021-25166, CVE-2021-25167)
---------------------------------------------------------------------


Vulnerabilities in the AirWave web-based management interface could allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit allows an attacker to execute commands as a lower privileged user on the underlying operating system leading to partial system compromise.


Internal references: ATLAW-46, ATLAW-139
Severity: Medium
CVSSv3 Overall Score: 4.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L


Discovery: These vulnerabilities were discovered and reported by Daniel Jensen (@dozernz) and Erik de Jong (bugcrowd.com/erikdejong) via Aruba's Bug Bounty Program




Authenticated Open Redirect Vulnerability in AirWave Web-based Management Interface (CVE-2021-29137)
---------------------------------------------------------------------


A vulnerability in AirWave allows authenticated users of the AirWave web-based management interface to be redirected to untrusted websites.
A successful exploit requires social engineering of these authenticated users.


Internal references: ATLAW-128
Severity: Medium
CVSSv3 Overall Score: 4.7
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N


Discovery: This vulnerability was discovered and reported by rceman (bugcrowd.com/rceman) via Aruba's Bug Bounty Program
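
The CVSS:3.0 vectors and scores listed in the Details section can be cross-checked when the advisory is ingested for patch prioritisation. The following is an added example, not part of Aruba's advisory: it recomputes each base score with the CVSS v3.0 base equations from the FIRST specification, and the function names (base_score, mismatches, patch_order) are hypothetical.

```python
import math

# CVSS v3.0 base-metric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # scope changed

# (CVEs, vector, stated score) copied from the Details section of this advisory.
ADVISORY = [
    ("CVE-2021-25147", "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 8.1),
    ("CVE-2021-25151, CVE-2021-25152", "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", 7.2),
    ("CVE-2021-25153", "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", 6.5),
    ("CVE-2021-25154", "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", 5.9),
    ("CVE-2021-25163, CVE-2021-25164, CVE-2021-25165", "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H", 5.5),
    ("CVE-2021-25166, CVE-2021-25167", "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", 4.7),
    ("CVE-2021-29137", "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", 4.7),
]

def base_score(vector):
    """Return the CVSS v3.0 base score for a base-metrics-only vector string."""
    prefix, *fields = vector.split("/")
    if prefix != "CVSS:3.0":
        raise ValueError("not a CVSS:3.0 vector: " + vector)
    m = dict(f.split(":", 1) for f in fields)
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    if impact <= 0:
        return 0.0
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["S"]][m["PR"]] * UI[m["UI"]]
    total = min((1.08 if changed else 1.0) * (impact + expl), 10)
    # Round up to one decimal; the inner round() absorbs float noise.
    return math.ceil(round(total * 10, 6)) / 10

def mismatches():
    """CVE labels whose recomputed score differs from the advisory's stated score."""
    return [cves for cves, vec, stated in ADVISORY if base_score(vec) != stated]

def patch_order():
    """Advisory entries sorted by recomputed score, highest first."""
    return sorted(ADVISORY, key=lambda e: base_score(e[1]), reverse=True)

if __name__ == "__main__":
    for cves, vec, stated in patch_order():
        print(f"{base_score(vec):>4}  {cves}")
    print("mismatches:", mismatches())
```
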




Resolution
==========
Upgrade AirWave Management Platform to 8.2.12.1 and above.




Workaround
==========
To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.




Exploitation and Public Discussion
==================================
Aruba is not aware of any exploitation tools or techniques that specifically target Aruba products.




Revision History
================
Revision 1 / 2021-Apr-20 / Initial release




Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:

http://www.arubanetworks.com/support-services/security-bulletins/


For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:

http://www.arubanetworks.com/support-services/security-bulletins/