Aruba 9000 Series Gateways Multiple UEFI Vulnerabilities


If you run Aruba 9000 series gateways with the Insyde H20 BIOS, this will be of interest to you. Multiple vulnerabilities have been disclosed. An attacker would first need a foothold on the device, with root shell access, to exploit them. Aruba is working on a fix.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-002
CVE: CVE-2020-5953, CVE-2021-41610, CVE-2021-41840, CVE-2021-41841, CVE-2021-41839, CVE-2020-27339, CVE-2021-33626, CVE-2021-33627, CVE-2021-41838, CVE-2021-41837, CVE-2021-43323, CVE-2021-42554, CVE-2021-33625, CVE-2021-43522, CVE-2021-42113, CVE-2021-42059
Publication Date: 2022-Feb-01
Status: Confirmed
Severity: Low
Revision: 1




Title
=====
9000 Series Gateways Multiple UEFI Vulnerabilities




Overview
========
On February 1st, 2022, multiple vulnerabilities in the UEFI implementation of Insyde H20 BIOS have been made public. Aruba 9000 Series Gateways are affected by these vulnerabilities.




Affected Products
=================
-- Aruba 9004 Gateway
-- Aruba 9004-LTE Series Gateway
-- Aruba 9012 Series Gateway




Unaffected Products
===================
-- All other Aruba gateways and controllers are not affected.




Details
=======
Multiple vulnerabilities in Insyde H20-based UEFI firmware were discovered and privately reported. Insyde H20 UEFI firmware is used by many vendors. These vulnerabilities also affect Aruba 9000 Series Gateways because they utilize Insyde H20-based UEFI firmware.


Exploiting these vulnerabilities requires obtaining a "foothold" on the targeted device. This means that an attacker must already have an operating system shell as the root user in order to exploit any of these vulnerabilities.


Details on these vulnerabilities can be found at:
https://github.com/binarly-io/Vulnerability-REsearch




Resolution
==========
Aruba is working on fixes for these vulnerabilities. Aruba considers the risk of exploitation to be low, and will issue firmware updates in the future.
This advisory will be updated once fixes are available. The risk of exploitation is considered low because there are many pre-requisite conditions that must be in place in order for these vulnerabilities to be exploited.




Exploitation and Public Discussion
==================================
Successful exploitation of these vulnerabilities can result in an attacker executing code with the highest possible permission level available on the platform.
Specifically, exploitation can lead to code execution in System Management Mode (SMM), which is more privileged than even kernel-mode code execution. Aruba is not aware of any public proof of concept code.




Workaround and Mitigations
==========================
The ArubaOS platform does not grant users root access. An attacker would have to exploit another, different vulnerability first in order to obtain the level of access necessary to exploit these vulnerabilities.


To further minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba usually recommends that the CLI and web-based management interfaces for networking equipment be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. For gateways that are directly connected to the internet as in the case of the Aruba SD-WAN solution, please refer to the following document for details on hardening the WAN interface and its default policies.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00104476en_us




Discovery
=========
These vulnerabilities were discovered and reported by BINARLY efiXplorer team through US-CERT/VINCE.




Revision History
================
Revision 1 / 2022-Feb-01 / Initial release




Aruba SIRT Security Procedures
==============================
To receive Security Advisory updates, subscribe to notifications at https://sirt.arubanetworks.com/mailman/listinfo/security-alerts_sirt.arubanetworks.com


Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:


https://www.arubanetworks.com/support-services/security-bulletins/




For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found
at:


https://www.arubanetworks.com/support-services/security-bulletins/




(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----


iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmHzMQoXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtmpvgf/TDRt74e4Pu1zQEg7SyadmqLt
+A1bHsFjc0c+zn/l18cLLgK6oGb53S+tzbHlzFUg5pA7OBPJ7pMAabUSkqQf5Tru
QffYOSWCkyDRsJ2EQovMcL/peUIcbHwx/k4lT4fjgkl3YWu0VU0NSd1R/iuBYze+
ONKWwCOMlDk/FugCjIyncg4Bj5bToNVYe9QC+mnywOiIhcL7ned97wMoXsd0QsFm
I8W5b/OgLrcZEM2rUNuaBYBjO6qHAZKcoP74a5z/2aSt5nZ7JN7Pl8zQqdQHpBOn
iyFEgr3ib6KKvrBfgpu46RbiiqiK1NFm5P2PJpcH1c/RxPeYg5kuBdoMc3pv7A==
=A6ZS
-----END PGP SIGNATURE-----

ArubaOS-CX 8000 Series Switches Multiple UEFI Vulnerabilities


The ArubaOS-CX 8000 series switches running the Insyde H20 BIOS have multiple vulnerabilities worth keeping an eye on. An attacker would first need a foothold on the device, with root shell access, to exploit them. Aruba is working on a fix.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-001
CVE: CVE-2020-5953, CVE-2021-41610, CVE-2021-41840, CVE-2021-41841, CVE-2021-41839, CVE-2020-27339, CVE-2021-33626, CVE-2021-33627, CVE-2021-41838, CVE-2021-41837, CVE-2021-43323, CVE-2021-42554, CVE-2021-33625, CVE-2021-43522, CVE-2021-42113, CVE-2021-42059
Publication Date: 2022-Feb-01
Status: Confirmed
Severity: Low
Revision: 1




Title
=====
ArubaOS-CX 8000 Series Switches Multiple UEFI Vulnerabilities




Overview
========
On February 1st, 2022, multiple vulnerabilities in the UEFI implementation of Insyde H20 BIOS have been made public. ArubaOS-CX 8000 series switches are affected by these vulnerabilities.




Affected Products
=================
-- 8320 Series ArubaOS-CX Switches
-- 8325 Series ArubaOS-CX Switches
-- 8400 Series ArubaOS-CX Switches (including line cards)




Unaffected Products
===================
-- All other Aruba Switches, including other models of ArubaOS-CX are not affected. This includes the 10000 series switches and the 8360 switches.




Details
=======
Multiple vulnerabilities in Insyde H20-based UEFI firmware were discovered and privately reported. Insyde H20 UEFI firmware is used by many vendors.
These vulnerabilities also affect ArubaOS-CX 8000 series products because they utilize Insyde H20-based UEFI firmware.


Exploiting these vulnerabilities requires obtaining a "foothold" on the targeted device. This means that an attacker must already have an operating system shell as the root user in order to exploit any of these vulnerabilities.


Details on these vulnerabilities can be found at:
https://github.com/binarly-io/Vulnerability-REsearch




Resolution
==========
Aruba is working on fixes for these vulnerabilities. Aruba considers the risk of exploitation to be low, and will issue firmware updates in the future.
This advisory will be updated once fixes are available. The risk of exploitation is considered low because there are many pre-requisite conditions that must be in place in order for these vulnerabilities to be exploited.


Customers should be aware that there is inherent risk in upgrading the BIOS of ArubaOS-CX switches. If the switch is power-cycled for any reason during update, the only option is to RMA the switch.




Exploitation and Public Discussion
==================================
Successful exploitation of these vulnerabilities can result in an attacker executing code with the highest possible permission level available on the platform. Specifically, exploitation can lead to code execution in System Management Mode (SMM), which is more privileged than even kernel-mode code execution. Aruba is not aware of any public proof of concept code.




Workaround and Mitigations
==========================
"Enhanced Secure Mode" can be enabled on the ArubaOS-CX switch to prevent shell access via the command line interface (CLI). With this enabled, an attacker would have to exploit another, different vulnerability first in order to obtain the level of access necessary to exploit these vulnerabilities.
To enable "Enhanced Secure Mode", run "secure-mode enhanced" from the "SVOS" prompt, which is accessible from the console before the primary operating system is loaded.
If technical assistance is needed, please contact Aruba TAC.


Another method to limit shell access would be to use an external TACACS+ authorization server and deny access to the start-shell command to all users except those who specifically require it. For further information on using TACACS+ to implement command authorization, refer to the documentation for your preferred TACACS+ software platform.


To further minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ArubaOS-CX
8000 series switches be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.


These mitigation options are available in all current versions of ArubaOS-CX. Upgrading is not necessary to implement these mitigations.




Discovery
=========
These vulnerabilities were discovered and reported by BINARLY efiXplorer team through US-CERT/VINCE.




Revision History
================
Revision 1 / 2022-Feb-01 / Initial release




Aruba SIRT Security Procedures
==============================
To receive Security Advisory updates, subscribe to notifications at https://sirt.arubanetworks.com/mailman/listinfo/security-alerts_sirt.arubanetworks.com


Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:


https://www.arubanetworks.com/support-services/security-bulletins/




For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found
at:


https://www.arubanetworks.com/support-services/security-bulletins/




(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----


iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmHzMQMXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtnnLQf/aeu7j0cpECrum/zB/gj91XBu
tJTKCDIedhQkGchc3dUNJmIkt5t1PdoEtKrWyMY+exNqkamyyk1ffGo640GJEAK8
ZqKiCoRkWtI1Qs+Lx+uOOjT0fTNgmyqh+rA1b9iGrPt+0vl5PV7VqfEDAq+J5xhC
c+dAA6SaYVaYJzm2JSJjPXjn2MYq/2QFR9huVSSlCmpAorj3T/38USUz1+RxHM1n
HLDMDMPQJ2H5oG9DujpirXI/3KlaX40Qdgg8WzyI7kK0lvesZEWUiEzq2smHMNvo
XIrO1h2sCXQBbD5zhgleZ62D3MyI6FcXBuVUAsIfJE82jMDsdhdL+BxrsEoWQQ==
=QSGG
-----END PGP SIGNATURE-----

ASUS ROG STRIX Z690-E GAMING WIFI BIOS 1003


ASUS released a new BIOS, version 1003, for the ASUS ROG STRIX Z690-E GAMING motherboard. Below are the release notes.


ROG STRIX Z690-E GAMING WIFI BIOS 1003
"01. Improve system performance and Windows 11 OS stability.
02. Update USB PD FW to 1.0F.
03. Update Intel ME FW to 16.0.15.1620 V3
04. Add Thunderbolt FW update method for onboard Thunderbolt models and ThunderboltEX 4 Card support models
05. Update Intel microcode.
06. Improve DRAM compatibility
07. Change PCIe speed hotkey item from F9 to F6.

Before running the USB BIOS Flashback tool, please rename the BIOS file (SZ690E.CAP) using BIOSRenamer."

Cisco Meraki VPN Terminated


If you’re trying to VPN to a Cisco Meraki security appliance and encounter the following error this post may be of help.

The connection was terminated by the remote computer before it could be completed.

For some unknown reason Windows will sometimes revert your network adapter settings for your L2TP VPN profile. Perform the following actions to resolve the issue.

Open Control Panel, select Network and Internet, Network and Sharing Center, and Change adapter settings. This should open a new dialog with all of your network connections. We’ll want to locate the L2TP VPN profile in question. You can do this by looking for one that says WAN Miniport (L2TP) in the description. Right click the profile and select Properties.

Under the Security tab, verify the following settings. The Type of VPN should be set to Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec). The Data encryption should be set to Require encryption (disconnect if server declines). Under the Authentication section, verify that Allow these protocols is selected and that Unencrypted password (PAP) is the only option checked. Once complete, click OK and you should be good to go.
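The same three checks can be scripted with Windows' built-in VpnClient cmdlets, which lets you verify the profile (and put the settings back) without clicking through the adapter dialog each time Windows reverts them. This is an added example and not part of the original post; the profile name "Meraki L2TP" is an assumption, so pass your own connection name with -ProfileName.

```powershell
# Added example, not from the original post. Verifies that an L2TP VPN profile
# has the three settings the post calls for and optionally restores them.
# Assumes the profile is named "Meraki L2TP" (hypothetical); pass -ProfileName
# to override and -Repair to apply the fix.
[CmdletBinding()]
param(
    [string]$ProfileName = "Meraki L2TP",
    [switch]$Repair
)

# Get-VpnConnection lists only the current user's profiles by default;
# add -AllUserConnection if the profile was created for all users.
$vpn = Get-VpnConnection -Name $ProfileName -ErrorAction Stop

# Expected values, matching the GUI labels in the post:
#   Type of VPN           -> L2tp
#   Data encryption       -> Required (disconnect if server declines)
#   Allow these protocols -> Pap only
$problems = @()
if ($vpn.TunnelType -ne 'L2tp') {
    $problems += "TunnelType is '$($vpn.TunnelType)', expected 'L2tp'"
}
if ($vpn.EncryptionLevel -ne 'Required') {
    $problems += "EncryptionLevel is '$($vpn.EncryptionLevel)', expected 'Required'"
}
# AuthenticationMethod is a list; anything other than exactly Pap is drift.
$auth = (@($vpn.AuthenticationMethod) | Sort-Object) -join ','
if ($auth -ne 'Pap') {
    $problems += "AuthenticationMethod is '$auth', expected 'Pap' only"
}

if ($problems.Count -eq 0) {
    Write-Host "Profile '$ProfileName' already matches the expected L2TP/IPsec settings."
    return
}

$problems | ForEach-Object { Write-Warning $_ }

if ($Repair) {
    # Set-VpnConnection rewrites the profile in place; -Force skips the prompt.
    Set-VpnConnection -Name $ProfileName `
        -TunnelType L2tp `
        -EncryptionLevel Required `
        -AuthenticationMethod Pap `
        -Force
    Write-Host "Profile '$ProfileName' repaired; try the connection again."
} else {
    Write-Host "Re-run with -Repair to apply the settings above."
}
```

Save it as, for example, Check-L2tpProfile.ps1 and run `.\Check-L2tpProfile.ps1 -ProfileName 'Your VPN' -Repair`. Note that PAP is acceptable in this design only because the credential exchange is carried inside the IPsec tunnel, which is why the script treats the Require encryption setting as mandatory rather than optional.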




Windows Update Breaks L2TP (Cisco Meraki) VPNs


A Windows update (KB5009543 for Windows 10, KB5009566 for Windows 11) broke L2TP VPN connectivity, causing the error below.

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

The fix is quick and easy. Simply uninstall the update, restart, and you should be good to go.

Open Settings, Windows Update, Update history and select Uninstall Updates. Find KB5009543 for Windows 10 or KB5009566 for Windows 11 and uninstall it. When complete you’ll be prompted to restart. Once the update is uninstalled, your L2TP-based VPN should be working again.

If you prefer PowerShell, run the following command from an elevated (Administrator) prompt.


dism /Online /Remove-Package /PackageName:Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.1466.1.6 /NoRestart /quiet; shutdown /r -t 60
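The DISM command above is tied to one specific package name, so it only fits the build it was copied from. As an added example (not from the original post), the following script instead checks which of the two KBs named in the post is actually installed, removes it by KB number with wusa.exe, reports the outcome, and then schedules the restart. The KB numbers come from the post; everything else is assumed and must be run from an elevated PowerShell session.

```powershell
# Added example, not from the original post. Detects which of the two updates
# named in the post is installed, removes it with wusa.exe, and then requests
# the restart. KB numbers come from the post; run from an elevated session.
[CmdletBinding()]
param(
    [switch]$NoRestart
)

# Windows 10 and Windows 11 updates named in the post.
$suspectKbs = @('KB5009543', 'KB5009566')

$installed = Get-HotFix | Where-Object { $suspectKbs -contains $_.HotFixID }
if (-not $installed) {
    Write-Host "Neither $($suspectKbs -join ' nor ') is installed; the L2TP failure has another cause."
    return
}

$rebootNeeded = $false
foreach ($fix in $installed) {
    $kbNumber = $fix.HotFixID -replace '^KB', ''
    Write-Host "Removing $($fix.HotFixID) (installed $($fix.InstalledOn))..."
    # wusa.exe accepts /uninstall /kb:<number>; /quiet suppresses the UI and
    # /norestart leaves the reboot to this script so the result can be logged.
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" `
        -Wait -PassThru
    switch ($proc.ExitCode) {
        0 {
            Write-Host "$($fix.HotFixID) removed."
            $rebootNeeded = $true
        }
        3010 {
            # ERROR_SUCCESS_REBOOT_REQUIRED
            Write-Host "$($fix.HotFixID) removed; restart required."
            $rebootNeeded = $true
        }
        default {
            Write-Warning "wusa.exe exited with code $($proc.ExitCode) for $($fix.HotFixID); fall back to the DISM command from the post."
        }
    }
}

if ($rebootNeeded -and -not $NoRestart) {
    # Give the operator a minute to save work, mirroring the post's shutdown /r -t 60.
    Write-Host "Restarting in 60 seconds..."
    shutdown.exe /r /t 60
}
```

Run it as `.\Remove-L2tpBreakingUpdate.ps1`, or with `-NoRestart` if you want to reboot on your own schedule. Treat this as a temporary workaround: both KBs are monthly cumulative updates, so removing one also removes the rest of that month's security fixes, and Windows Update will offer the package again until a corrected update is installed.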

