ArubaOS-CX 8000 Series Switches Multiple UEFI Vulnerabilities


Looks like the ArubaOS-CX 8000 series switches running the H2O BIOS have multiple vulnerabilities worth keeping an eye on. Exploiters would require a foothold on the compromised devices with root shell access. Aruba is working on a fix.


Aruba Product Security Advisory
Advisory ID: ARUBA-PSA-2022-001
CVE: CVE-2020-5953, CVE-2021-41610, CVE-2021-41840, CVE-2021-41841, CVE-2021-41839, CVE-2020-27339, CVE-2021-33626, CVE-2021-33627, CVE-2021-41838, CVE-2021-41837, CVE-2021-43323, CVE-2021-41837, CVE-2021-42554, CVE-2021-41838, CVE-2021-33625, CVE-2021-42554, CVE-2021-33625, CVE-2021-42554, CVE-2021-43522, CVE-2021-42113
Publication Date: 2022-Feb-01
Status: Confirmed
Severity: Low
Revision: 1

ArubaOS-CX 8000 Series Switches Multiple UEFI Vulnerabilities

On February 1st, 2022, multiple vulnerabilities in the UEFI implementation of Insyde H2O BIOS were made public. ArubaOS-CX 8000 series switches are affected by these vulnerabilities.

Affected Products
-- 8320 Series ArubaOS-CX Switches
-- 8325 Series ArubaOS-CX Switches
-- 8400 Series ArubaOS-CX Switches (including line cards)

Unaffected Products
-- All other Aruba Switches, including other models of ArubaOS-CX, are not affected. This includes the 10000 series switches and the 8360 switches.

Multiple vulnerabilities in Insyde H2O-based UEFI firmware were discovered and privately reported. Insyde H2O UEFI firmware is used by many vendors.
These vulnerabilities also affect ArubaOS-CX 8000 series products because they utilize Insyde H2O-based UEFI firmware.

Exploiting these vulnerabilities requires obtaining a "foothold" on the targeted device. This means that an attacker must already have an operating system shell as the root user in order to exploit any of these vulnerabilities.

Details on these vulnerabilities can be found at:

Aruba is working on fixes for these vulnerabilities. Aruba considers the risk of exploitation to be low, and will issue firmware updates in the future.
This advisory will be updated once fixes are available. The risk of exploitation is considered low because there are many pre-requisite conditions that must be in place in order for these vulnerabilities to be exploited.

Customers should be aware that there is inherent risk in upgrading the BIOS of ArubaOS-CX switches. If the switch is power-cycled for any reason during update, the only option is to RMA the switch.

Exploitation and Public Discussion
Successful exploitation of these vulnerabilities can result in an attacker executing code with the highest possible permission level available on the platform. Specifically, exploitation can lead to code execution in System Management Mode (SMM), which is more privileged than even kernel-mode code execution. Aruba is not aware of any public proof of concept code.

Workaround and Mitigations
"Enhanced Secure Mode" can be enabled on the ArubaOS-CX switch to prevent shell access via the command line interface (CLI). With this enabled, an attacker would have to exploit another, different vulnerability first in order to obtain the level of access necessary to exploit these vulnerabilities.
To enable "Enhanced Secure Mode", run "secure-mode enhanced" from the "SVOS" prompt, which is accessible from the console before the primary operating system is loaded.
If technical assistance is needed, please contact Aruba TAC.

Another method to limit shell access would be to use an external TACACS+ authorization server and deny access to the start-shell command to all users except those who specifically require it. For further information on using TACACS+ to implement command authorization, refer to the documentation for your preferred TACACS+ software platform.
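
The TACACS+ command-authorization rule described above, as an added example that is not part of the Aruba advisory. It is written for the open-source tac_plus daemon; the group and user names are hypothetical, and it assumes the switch already sends command authorization requests to this server.

```conf
# tac_plus.conf fragment (constructed example; group and user names are hypothetical).
# Authentication settings (shared key, login methods) are omitted.

# Weak form: every command is permitted by default, so any member of the
# group can run start-shell and obtain the root shell that these
# vulnerabilities require.
#
# group = netops {
#     default service = permit
# }

# Corrected form: same default, but start-shell is denied whatever its arguments.
# "default service" has to be the first directive inside the block.
group = netops {
    default service = permit
    cmd = start-shell {
        deny .*
    }
}

# Only the users who specifically require shell access belong to this group.
group = shell-approved {
    default service = permit
}

user = alice {
    member = netops
}

user = bob {
    member = shell-approved
}
```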

To further minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ArubaOS-CX 8000 series switches be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

These mitigation options are available in all current versions of ArubaOS-CX. Upgrading is not necessary to implement these mitigations.

These vulnerabilities were discovered and reported by BINARLY efiXplorer team through US-CERT/VINCE.

Revision History
Revision 1 / 2022-Feb-01 / Initial release

Aruba SIRT Security Procedures
To receive Security Advisory updates, subscribe to notifications at

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at) For sensitive information we encourage the use of PGP encryption. Our public keys can be found

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.