Everything Instant On

 View Only

Faulty OpenSSL Handling of Certificates Containing Elliptic Curve Public Keys Leading to Denial of Service

  • 1.  Faulty OpenSSL Handling of Certificates Containing Elliptic Curve Public Keys Leading to Denial of Service

    Posted 07-21-2022 03:30 PM
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Aruba Product Security Advisory
    ===============================
    Advisory ID: ARUBA-PSA-2022-009
    CVE: CVE-2022-0778
    Publication Date: 2022-May-04
    Last Update: 2022-Jul-21
    Status: Confirmed
    Severity: High
    Revision: 3


    Title
    =====
    Faulty OpenSSL Handling of Certificates Containing Elliptic Curve
    Public Keys Leading to Denial of Service


    Overview
    ========
    A CVE has been disclosed that involves the faulty handling of
    certain certificates by OpenSSL. This CVE impacts multiple Aruba
    products.

    Details can be found at:
    https://nvd.nist.gov/vuln/detail/CVE-2022-0778


    Affected Products
    =================
    - AirWave Management Platform
    - 8.2.14.0 and below

    - Aruba Analytics and Location Engine
    - 2.2.0.2 and below

    - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
    - 6.2.0 and below

    - Aruba Central On-Premises
    - 2.5.4.x and below

    - Aruba ClearPass Policy Manager
    - 6.10.4 and below
    - 6.9.10 and below
    - 6.8.9 without Hotfix for Q1 2022 Security issues

    - ArubaOS-CX Switches
    - 10.09.1010 and below
    - 10.08.1050 and below
    - 10.07.0070 and below
    - 10.06.0190 and below

    - ArubaOS Wi-Fi Controllers and Gateways
    - ArubaOS SD-WAN Gateways
    - ArubaOS 6.5.x: 6.5.4.23 and below
    - ArubaOS 8.6.x: 8.6.0.18 and below
    - ArubaOS 8.7.x: 8.7.1.9 and below
    - ArubaOS 8.10.x: 8.10.0.1 and below
    - ArubaOS 10.3.x: 10.3.1.0 and below
    - SDWAN 2.X: 8.7.0.0-2.3.0.7 and below

    - Aruba IntroSpect
    - All versions
    - Aruba will not be issuing patches for this issue.
    Please see the workaround section below for suggested workarounds.

    - Aruba InstantOS / Aruba Access Points running ArubaOS 10
    - Aruba InstantOS 8.6.x: 8.6.0.18 and below
    - Aruba InstantOS 8.7.x: 8.7.1.9 and below
    - Aruba InstantOS 8.10.x: 8.10.0.1 and below
    - ArubaOS 10.3.x: 10.3.1.0 and below
    - Please note that 6.x is not affected

    - Aruba Instant On switches
    - models 1830, 1930 and 1960 with locally managed firmware
    - 2.5.0.x and below

    - Aruba NetEdit
    - 2.3.0 and below

    - Aruba EdgeConnect Enterprise
    - ECOS 9.1.1.3 and below
    - ECOS 9.0.6.0 and below
    - ECOS 8.3.6.0 and below
    - Impact of this vulnerability on ECOS is very low.

    - Aruba EdgeConnect Enterprise Orchestrator (on prem)
    - See resolution section for details


    Unaffected Products
    ===================
    - ArubaOS-S Switches
    - Aruba User Experience Insight (UXI)
    - Aruba VIA Client
    - Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
    - Aruba EdgeConnect Enterprise Orchestrator-SP
    - Aruba EdgeConnect Enterprise Orchestrator Global Enterprise


    Other Aruba products not listed above are also not known to be
    affected by the vulnerability.


    Details
    =======
    A vulnerability has been identified in a commonly used
    component in multiple Aruba products. This vulnerability allows
    attackers to use specially crafted certificates resulting in
    denial of service.

    Details can be found at:
    https://nvd.nist.gov/vuln/detail/CVE-2022-0778

    Internal references: ATLCP-184, ATLAW-182, ATLWL-281,
    ATLWL-282, ATLWL-283, ATLWL-284,
    ATLWL-285, ATLWL-286, ATLWL-287,
    ATLWL-288, ATLWL-289, ATLAX-56,
    ATLAX-57, ATLAX-58, ATLWL-290,
    ATLWL-291, ATLWL-310
    Severity: High
    CVSSv3.1 Overall Score: 7.5
    CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Aruba Threat Labs analyzed and tested this vulnerability in the
    products using the affected component. What has been found is
    that exploitation of this vulnerability is not straightforward
    and dependent upon many factors that an attacker may not be
    able to control.

    Aruba has chosen to keep the NVD provided severity score as a
    reference. The impact on products using the affected
    component is very low based on ongoing testing.


    Resolution
    ==========
    - AirWave Management Platform
    - 8.2.14.1 and above

    - Aruba Analytics and Location Engine
    - 2.2.0.3 and above
    Release ETA - late July 2022

    - Aruba Fabric Composer (AFC) and Plexxi Composable Fabric Manager (CFM)
    - 6.2.1 and above

    - Aruba Central On-Premises
    - 2.5.5.0 and above
    Release ETA - late July 2022

    - Aruba ClearPass Policy Manager
    - 6.10.5 and above
    - 6.9.11 and above
    - 6.8.9 with Hotfix for Q1 2022 Security issues applied

    - ArubaOS-CX Switches
    - 10.09.1020 and above
    - 10.08.1060 and above
    - 10.07.0080 and above
    - 10.06.0200 and above

    - ArubaOS Wi-Fi Controllers and Gateways
    - ArubaOS SD-WAN Gateways
    - ArubaOS 6.5.x: 6.5.4.24 and above
    Release ETA - late August 2022
    - ArubaOS 8.6.x: 8.6.0.19 and above
    Release ETA - early September 2022
    - ArubaOS 8.7.x: 8.7.1.10 and above
    Release ETA - late July 2022
    - ArubaOS 8.10.x: 8.10.0.2 and above
    - ArubaOS 10.3.x: 10.3.1.1 and above
    Release ETA - early August 2022
    - SDWAN 2.3: 8.7.0.0-2.3.0.8 and above
    Release ETA - late July 2022

    - Aruba InstantOS / Aruba Access Points running ArubaOS 10
    - Aruba InstantOS 8.6.x: 8.6.0.19 and above
    Release ETA - early September 2022
    - Aruba InstantOS 8.7.x: 8.7.1.10 and above
    Release ETA - late July 2022
    - Aruba InstantOS 8.10.x: 8.10.0.2 and above
    - ArubaOS 10.3.x: 10.3.1.1 and above
    Release ETA - early August 2022

    - Aruba Instant On switches
    - models 1830, 1930 and 1960 with locally managed firmware
    - 2.6.0 and above
    - firmware may be found at https://community.arubainstanton.com/support/documentation/support-documentation-list?CommunityKey=26af222f-d9da-43cb-a665-cba6c273756c

    - Aruba NetEdit
    - 2.4.0 and above

    - Aruba EdgeConnect Enterprise
    - ECOS 9.1.1.4 and above
    - ECOS 9.0.7.0 and above
    - ECOS 8.3.7.0 and above
    - Impact of this vulnerability on ECOS is very low.
    Fixes will be applied only to the ECOS versions
    that are listed above due to the minimal risk involved.

    - Aruba EdgeConnect Enterprise Orchestrator (on prem)
    - Customers are suggested to run ‘yum update openssl’
    from the administrative command line to address this
    vulnerability; to verify if the patch has been applied,
    run “rpm -q --info openssl”. If the output says
    “25.el7_9” as part of the version, the patch is applied.
    - OR -
    - Upgrading (from 9.0.6 or later) to any newer Orchestrator
    version automatically updates expat and resolves this
    vulnerability.
    - New virtual machine images already have the fix for this
    vulnerability.
    - Customers using Fedora must upgrade to CentOS for support
    of security updates. Please contact Customer Support for
    the procedure

    Aruba does not evaluate or patch product versions that have
    reached their End of Support (EoS) milestone. For more
    information about Aruba's End of Support policy visit:
    https://www.arubanetworks.com/support-services/end-of-life/


    Workaround
    ==========
    To minimize the likelihood of an attacker exploiting this
    vulnerability, Aruba recommends that the CLI and web-based
    management interfaces be restricted to a dedicated layer 2
    segment/VLAN and/or controlled by firewall policies at layer 3
    and above


    Exploitation and Public Discussion
    ==================================
    These vulnerabilities are being widely discussed in public.
    Aruba is not aware of any exploitation tools or techniques that
    specifically target Aruba products.


    Revision History
    ================
    Revision 1 / 2022-May-04 / Initial release
    Revision 2 / 2022-Jun-01 / AOS-S investigation completed
    and marked as unaffected. AOS-CX
    information added. Aruba UXI
    investigation completed and marked
    as unaffected. EdgeConnect and
    Orchestrator information added.
    NetEdit information added. ClearPass
    Policy Manager information added. End
    of Support information added.
    Revision 3 / 2022-Jul-21 / Aruba Location Engine information added.
    Aruba InstantOn information added.
    Aruba Central On-Premises information added.
    Aruba Introspect information added.
    Aruba InstantOS and InstantOS AP
    information added
    ArubaOS Wi-Fi Controllers and Gateways
    information added
    ArubaOS SD-WAN Gateways information added
    Removed products under investigation section
    Marked status as confirmed


    Aruba SIRT Security Procedures
    ==============================
    Complete information on reporting security vulnerabilities in
    Aruba Networks products and obtaining assistance with security
    incidents is available at:

    https://www.arubanetworks.com/support-services/security-bulletins/


    For reporting *NEW* Aruba Networks security issues, email can
    be sent to aruba-sirt(at)hpe.com. For sensitive information we
    encourage the use of PGP encryption. Our public keys can be found
    at:

    https://www.arubanetworks.com/support-services/security-bulletins/


    (c) Copyright 2022 by Aruba, a Hewlett Packard Enterprise
    company. This advisory may be redistributed freely after the
    release date given at the top of the text, provided that the
    redistributed copies are complete and unmodified, including all
    data and version information.
    -----BEGIN PGP SIGNATURE-----

    iQFLBAEBCAA1FiEEMd5pP5EnbG7Y0fo5mP4JykWFhtkFAmLVYP8XHHNpcnRAYXJ1
    YmFuZXR3b3Jrcy5jb20ACgkQmP4JykWFhtkAhAf9G56YHe8WcQ8fXjvUnLUS9kUO
    IqSigVjok2vs+FfWLg0QQ73gyv9oKYEuUFkATgw8SHVWhJJkGlXlDVJc0H0cvcqX
    DkIUAX300wBzKgT4Wz1EFXTBB5RNt1oBEdih4eTZFgjlntY6KTE+NGOgX5aSuGPa
    vycxOd9T7peCQK1f5kP3ZpUvgnC5WmSsu2N+GUuKI0Wmc7Ow/enBcZMysn/RZrWO
    nw3N3uS/Ry08MzozUTfKKh9ONWLl6SLdN2kUL9x7ThKAOB/bd2f8jHn7niHApfEL
    iXwXxkWOVVnKrYgDvG73OeK9WpQw7cL4q7NJv1kSLbCHsIadesYD8wozo32qBA==
    =iynw
    -----END PGP SIGNATURE-----

    ------------------------------
    Aruba Instant On Communications
    ------------------------------