Aruba 9000 Series Gateways Multiple UEFI Vulnerabilities

aruba.png

If you run Aruba 9000 series gateways with the H20 BIOS then this will be of interest to you. Multiple vulnerabilities have been discovered. Exploiters would require a foothold on the compromised devices with root shell access. Aruba is working on a fix.


 -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2022-002
CVE: CVE-2020-5953, CVE-2021-41610, CVE-2021-41840, CVE-2021-41841 CVE-2021-41839, CVE-2020-27339, CVE-2021-33626, CVE-2021-33627, CVE-2021-41838, CVE-2021-41837, CVE-2021-43323, CVE-2021-41837, CVE-2021-42554, CVE-2021-41838, CVE-2021-33625, CVE-2021-42554, CVE-2021-33625, CVE-2021-42554, CVE-2021-43522, CVE-2021-42113,
CVE-2021-42059
Publication Date: 2022-Feb-01
Status: Confirmed
Severity: Low
Revision: 1




Title
=====
9000 Series Gateways Multiple UEFI Vulnerabilities




Overview
========
On February 1st, 2022, multiple vulnerabilities in the UEFI implementation of Insyde H20 BIOS have been made public. Aruba 9000 Series Gateways are affected by these vulnerabilities.




Affected Products
=================
-- Aruba 9004 Gateway
-- Aruba 9004-LTE Series Gateway
-- Aruba 9012 Series Gateway




Unaffected Products
===================
-- All other Aruba gateways and controllers are not affected.




Details
=======
Multiple vulnerabilities in Insyde H20-based UEFI firmware were discovered and privately reported. Insyde H20 UEFI firmware is used by many vendors. These vulnerabilities also affect Aruba 9000 Series Gateways because they utilize Insyde H20-based UEFI firmware.


Exploiting these vulnerabilities requires obtaining a "foothold" on the targeted device. This means that an attacker must already have an operating system shell as the root user in order to exploit any of these vulnerabilities.


Details on these vulnerabilities can be found at:
https://github.com/binarly-io/Vulnerability-REsearch




Resolution
==========
Aruba is working on fixes for these vulnerabilities. Aruba considers the risk of exploitation to be low, and will issue firmware updates in the future.
This advisory will be updated once fixes are available. The risk of exploitation is considered low because there are many pre-requisite conditions that must be in place in order for these vulnerabilities to be exploited.




Exploitation and Public Discussion
==================================
Successful exploitation of these vulnerabilities can result in an attacker executing code with the highest possible permission level available on the platform.
Specifically, exploitation can lead to code execution in System Management Mode (SMM), which is more privileged than even kernel-mode code execution. Aruba is not aware of any public proof of concept code.




Workaround and Mitigations
==========================
The ArubaOS platform does not grant users root access. An attacker would have to exploit another, different vulnerability first in order to obtain the level of access necessary to exploit these vulnerabilities.


To further minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba usually recommends that the CLI and web-based management interfaces for networking equipment be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. For gateways that are directly connected to the internet as in the case of the Aruba SD-WAN solution, please refer to the following document for details on hardening the WAN interface and its default policies.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00104476en_us




Discovery
=========
These vulnerabilities were discovered and reported by BINARLY efiXplorer team through US-CERT/VINCE.




Revision History
================
Revision 1 / 2022-Feb-01 / Initial release




Aruba SIRT Security Procedures
==============================
To receive Security Advisory updates, subscribe to notifications at https://sirt.arubanetworks.com/mailman/listinfo/security-alerts_sirt.arubanetworks.com


Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:


https://www.arubanetworks.com/support-services/security-bulletins/




For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found
at:


https://www.arubanetworks.com/support-services/security-bulletins/




(c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise company. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----


iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmHzMQoXHHNpcnRAYXJ1
YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtmpvgf/TDRt74e4Pu1zQEg7SyadmqLt
+A1bHsFjc0c+zn/l18cLLgK6oGb53S+tzbHlzFUg5pA7OBPJ7pMAabUSkqQf5Tru
QffYOSWCkyDRsJ2EQovMcL/peUIcbHwx/k4lT4fjgkl3YWu0VU0NSd1R/iuBYze+
ONKWwCOMlDk/FugCjIyncg4Bj5bToNVYe9QC+mnywOiIhcL7ned97wMoXsd0QsFm
I8W5b/OgLrcZEM2rUNuaBYBjO6qHAZKcoP74a5z/2aSt5nZ7JN7Pl8zQqdQHpBOn
iyFEgr3ib6KKvrBfgpu46RbiiqiK1NFm5P2PJpcH1c/RxPeYg5kuBdoMc3pv7A==
=A6ZS
-----END PGP SIGNATURE-----

<
>