SB2022102646 - Multiple vulnerabilities in ArubaOS and Aruba SD-WAN
Published: October 26, 2022
Description
This security bulletin contains information about 16 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2022-37906)
The vulnerability allows a local user to delete arbitrary files on the system.
The vulnerability exists due to an input validation error when processing directory traversal sequences within the command line interface. A local user can delete arbitrary files on the system.
2) OS Command Injection (CVE-ID: CVE-2022-37912)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the ArubaOS command line interface. A local user can pass specially crafted arguments to certain affected CLIs and execute arbitrary OS commands with elevated privileges.
3) Security features bypass (CVE-ID: CVE-2022-37908)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to insufficient integrity checks within the bootloader on 7xxx series controllers. A remote user can compromise the hardware chain of trust on the impacted controller.
4) Resource management error (CVE-ID: CVE-2022-37907)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the ArubaOS Bootloader on 7xxx series controllers. A remote user can perform a denial of service (DoS) attack.
5) Security features bypass (CVE-ID: CVE-2022-37905)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists in the way ArubaOS handles the boot sequence on 7xxx series controllers. A remote authenticated user can achieve permanent modification of the underlying operating system and escalate privileges.
6) OS Command Injection (CVE-ID: CVE-2022-37897)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when handling PAPI packets. A remote unauthenticated attacker can send specially crafted PAPI packets to port 8211/UDP on the system and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
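Item 6 is the only unauthenticated, network-reachable issue in this bulletin, so until the update is installed a defender will want to know whether PAPI (8211/UDP) on a controller is being reached from outside the management network. The following is an added example, not part of the bulletin or of any Aruba tooling: it scans constructed firewall flow records for inbound UDP/8211 traffic from sources outside an assumed trusted management range (the range and the key=value record format are placeholders chosen for illustration).

```python
import ipaddress

# Assumed trusted management networks (placeholder values, not from the bulletin).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# PAPI port named in the bulletin for CVE-2022-37897.
PAPI_PORT = 8211

# Constructed sample flow records in a simple key=value format for illustration.
SAMPLE_FLOWS = """\
ts=2022-10-27T01:02:03Z proto=udp src=10.0.0.15 dst=10.0.1.5 dport=8211
ts=2022-10-27T01:02:04Z proto=udp src=203.0.113.7 dst=10.0.1.5 dport=8211
ts=2022-10-27T01:02:05Z proto=tcp src=203.0.113.7 dst=10.0.1.5 dport=443
ts=2022-10-27T01:02:06Z proto=udp src=198.51.100.9 dst=10.0.1.5 dport=8211
"""

def parse_flow(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def is_trusted_source(src: str) -> bool:
    """True when the source address falls inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_MGMT_NETS)

def find_untrusted_papi(lines: list[str]) -> list[dict]:
    """Return flows that hit UDP/PAPI_PORT from outside the trusted networks."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f.get("proto") != "udp" or f.get("dport") != str(PAPI_PORT):
            continue
        if not is_trusted_source(f.get("src", "")):
            hits.append(f)
    return hits

if __name__ == "__main__":
    for hit in find_untrusted_papi(SAMPLE_FLOWS.splitlines()):
        print(f"untrusted PAPI source {hit['src']} -> {hit['dst']} at {hit['ts']}")
```

Any hit from outside the management range is a controller whose PAPI port is exposed more widely than it needs to be, which is worth fixing independently of the firmware update.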
7) Security features bypass (CVE-ID: CVE-2022-37904)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists in the way ArubaOS handles the boot sequence on 7xxx series controllers. A remote authenticated user can achieve permanent modification of the underlying operating system and escalate privileges.
8) Arbitrary file upload (CVE-ID: CVE-2022-37903)
The vulnerability allows a remote user to compromise the vulnerable system.
The vulnerability exists due to insufficient validation of uploaded files within the web interface. A remote user can upload a malicious file and execute it on the device.
9) OS Command Injection (CVE-ID: CVE-2022-37902)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the ArubaOS command line interface. A local user can pass specially crafted arguments to certain affected CLIs and execute arbitrary OS commands with elevated privileges.
10) OS Command Injection (CVE-ID: CVE-2022-37901)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the ArubaOS command line interface. A local user can pass specially crafted arguments to certain affected CLIs and execute arbitrary OS commands with elevated privileges.
11) OS Command Injection (CVE-ID: CVE-2022-37900)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the ArubaOS command line interface. A local user can pass specially crafted arguments to certain affected CLIs and execute arbitrary OS commands with elevated privileges.
12) OS Command Injection (CVE-ID: CVE-2022-37899)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the ArubaOS command line interface. A local user can pass specially crafted arguments to certain affected CLIs and execute arbitrary OS commands with elevated privileges.
13) OS Command Injection (CVE-ID: CVE-2022-37898)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the ArubaOS command line interface. A local user can pass specially crafted arguments to certain affected CLIs and execute arbitrary OS commands with elevated privileges.
14) Information disclosure (CVE-ID: CVE-2022-37909)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output from the configured ESSIDs. A remote attacker can gain unauthorized access to sensitive information on the system.
15) Buffer overflow (CVE-ID: CVE-2022-37910)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in the command line interface. A local user can run a specially crafted command to trigger memory corruption and execute arbitrary code with elevated privileges.
16) XML External Entity injection (CVE-ID: CVE-2022-37911)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input within the command line interface. A local user can pass specially crafted XML to the system and view the contents of arbitrary files on the system or initiate requests to external systems.
Remediation
Install the update from the vendor's website.