Aruba 9000 Series Gateways Multiple UEFI Vulnerabilities


If you run Aruba 9000 series gateways with the H20 BIOS then this will be of interest to you. Multiple vulnerabilities have been discovered. Exploiters would require a foothold on the compromised devices with root shell access. Aruba is working on a fix.

Hash: SHA256

Aruba Product Security Advisory
Advisory ID: ARUBA-PSA-2022-002
CVE: CVE-2020-5953, CVE-2021-41610, CVE-2021-41840, CVE-2021-41841 CVE-2021-41839, CVE-2020-27339, CVE-2021-33626, CVE-2021-33627, CVE-2021-41838, CVE-2021-41837, CVE-2021-43323, CVE-2021-41837, CVE-2021-42554, CVE-2021-41838, CVE-2021-33625, CVE-2021-42554, CVE-2021-33625, CVE-2021-42554, CVE-2021-43522, CVE-2021-42113,
Publication Date: 2022-Feb-01
Status: Confirmed
Severity: Low
Revision: 1

9000 Series Gateways Multiple UEFI Vulnerabilities

On February 1st, 2022, multiple vulnerabilities in the UEFI implementation of Insyde H20 BIOS have been made public. Aruba 9000 Series Gateways are affected by these vulnerabilities.

Affected Products
-- Aruba 9004 Gateway
-- Aruba 9004-LTE Series Gateway
-- Aruba 9012 Series Gateway

Unaffected Products
-- All other Aruba gateways and controllers are not affected.

Multiple vulnerabilities in Insyde H20-based UEFI firmware were discovered and privately reported. Insyde H20 UEFI firmware is used by many vendors. These vulnerabilities also affect Aruba 9000 Series Gateways because they utilize Insyde H20-based UEFI firmware.

Exploiting these vulnerabilities requires obtaining a "foothold" on the targeted device. This means that an attacker must already have an operating system shell as the root user in order to exploit any of these vulnerabilities.

Details on these vulnerabilities can be found at:

Aruba is working on fixes for these vulnerabilities. Aruba considers the risk of exploitation to be low, and will issue firmware updates in the future.
This advisory will be updated once fixes are available. The risk of exploitation is considered low because there are many pre-requisite conditions that must be in place in order for these vulnerabilities to be exploited.

Exploitation and Public Discussion
Successful exploitation of these vulnerabilities can result in an attacker executing code with the highest possible permission level available on the platform.
Specifically, exploitation can lead to code execution in System Management Mode (SMM), which is more privileged than even kernel-mode code execution. Aruba is not aware of any public proof of concept code.

Workaround and Mitigations
The ArubaOS platform does not grant users root access. An attacker would have to exploit another, different vulnerability first in order to obtain the level of access necessary to exploit these vulnerabilities.

To further minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba usually recommends that the CLI and web-based management interfaces for networking equipment be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. For gateways that are directly connected to the internet as in the case of the Aruba SD-WAN solution, please refer to the following document for details on hardening the WAN interface and its default policies.

These vulnerabilities were discovered and reported by BINARLY efiXplorer team through US-CERT/VINCE.

Revision History
Revision 1 / 2022-Feb-01 / Initial release

Aruba SIRT Security Procedures
To receive Security Advisory updates, subscribe to notifications at

Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:

For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at) For sensitive information we encourage the use of PGP encryption. Our public keys can be found

(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.