ArubaOS-CX 8000 Series Switches Multiple UEFI Vulnerabilities
Looks like the ArubaOS-CX 8000 series switches running the H20 BIOS have multiple vulnerabilities worth keeping an eye on. Exploiters would require a foothold on the compromised devices with root shell access. Aruba is working on a fix.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Aruba Product Security Advisory =============================== Advisory ID: ARUBA-PSA-2022-001 CVE: CVE-2020-5953, CVE-2021-41610, CVE-2021-41840, CVE-2021-41841 CVE-2021-41839, CVE-2020-27339, CVE-2021-33626, CVE-2021-33627, CVE-2021-41838, CVE-2021-41837, CVE-2021-43323, CVE-2021-41837, CVE-2021-42554, CVE-2021-41838, CVE-2021-33625, CVE-2021-42554, CVE-2021-33625, CVE-2021-42554, CVE-2021-43522, CVE-2021-42113, CVE-2021-42059 Publication Date: 2022-Feb-01 Status: Confirmed Severity: Low Revision: 1 Title ===== ArubaOS-CX 8000 Series Switches Multiple UEFI Vulnerabilities Overview ======== On February 1st, 2022, multiple vulnerabilities in the UEFI implementation of Insyde H20 BIOS have been made public. ArubaOS-CXv8000 series switches are affected by these vulnerabilities. Affected Products ================= -- 8320 Series ArubaOS-CX Switches -- 8325 Series ArubaOS-CX Switches -- 8400 Series ArubaOS-CX Switches (including line cards) Unaffected Products =================== -- All other Aruba Switches, including other models of ArubaOS-CX are not affected. This includes the 10000 series switches and the 8360 switches. Details ======= Multiple vulnerabilities in Insyde H20-based UEFI firmware were discovered and privately reported. Insyde H20 UEFI firmware is used by many vendors. These vulnerabilities also affect ArubaOS-CX 8000 series products because they utilize Insyde H20-based UEFI firmware. Exploiting these vulnerabilities requires obtaining a "foothold" on the targeted device. This means that an attacker must already have an operating system shell as the root user in order to exploit any of these vulnerabilities. Details on these vulnerabilities can be found at: https://github.com/binarly-io/Vulnerability-REsearch Resolution ========== Aruba is working on fixes for these vulnerabilities. Aruba considers the risk of exploitation to be low, and will issue firmware updates in the future. This advisory will be updated once fixes are available. The risk of exploitation is considered low because there are many pre-requisite conditions that must be in place in order for these vulnerabilities to be exploited. Customers should be aware that there is inherent risk in upgrading the BIOS of ArubaOS-CX switches. If the switch is power-cycled for any reason during update, the only option is to RMA the switch. Exploitation and Public Discussion ================================== Successful exploitation of these vulnerabilities can result in an attacker executing code with the highest possible permission level available on the platform. Specifically, exploitation can lead to code execution in System Management Mode (SMM), which is more privileged than even kernel-mode code execution. Aruba is not aware of any public proof of concept code. Workaround and Mitigations ========================== "Enhanced Secure Mode" can be enabled on the ArubaOS-CX switch to prevent shell access via the command line interface (CLI). With this enabled, an attacker would have to exploit another, different vulnerability first in order to obtain the level of access necessary to exploit these vulnerabilities. To enable "Enhanced Secure Mode", run "secure-mode enhanced" from the "SVOS" prompt, which is accessible from the console before the primary operating system is loaded. If technical assistance is needed, please contact Aruba TAC. Another method to limit shell access would be to use an external TACACS+ authorization server and deny access to the start-shell command to all users except those who specifically require it. For further information on using TACACS+ to implement command authorization, refer to the documentation for your preferred TACACS+ software platform. To further minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for ArubaOS-CX 8000 series switches be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. These mitigation options are available in all current versions of ArubaOS-CX. Upgrading is not necessary to implement these mitigations. Discovery ========= These vulnerabilities were discovered and reported by BINARLY efiXplorer team through US-CERT/VINCE. Revision History ================ Revision 1 / 2022-Feb-01 / Initial release Aruba SIRT Security Procedures ============================== To receive Security Advisory updates, subscribe to notifications at https://sirt.arubanetworks.com/mailman/listinfo/security-alerts_sirt.arubanetworks.com Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at: https://www.arubanetworks.com/support-services/security-bulletins/ For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.arubanetworks.com/support-services/security-bulletins/ (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmHzMQMXHHNpcnRAYXJ1 YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtnnLQf/aeu7j0cpECrum/zB/gj91XBu tJTKCDIedhQkGchc3dUNJmIkt5t1PdoEtKrWyMY+exNqkamyyk1ffGo640GJEAK8 ZqKiCoRkWtI1Qs+Lx+uOOjT0fTNgmyqh+rA1b9iGrPt+0vl5PV7VqfEDAq+J5xhC c+dAA6SaYVaYJzm2JSJjPXjn2MYq/2QFR9huVSSlCmpAorj3T/38USUz1+RxHM1n HLDMDMPQJ2H5oG9DujpirXI/3KlaX40Qdgg8WzyI7kK0lvesZEWUiEzq2smHMNvo XIrO1h2sCXQBbD5zhgleZ62D3MyI6FcXBuVUAsIfJE82jMDsdhdL+BxrsEoWQQ== =QSGG -----END PGP SIGNATURE-----