Network equipment maker Aruba, a subsidiary of Hewlett-Packard Enterprise, has warned of several security vulnerabilities in the firmware AOS-CX of the company’s wired switches. For example, registered users can run code with elevated privileges and gain full control over the affected device.
injection order
On the command line, authenticated attackers can use vulnerabilities to inject commands run with elevated privileges into the operating system, causing it to be completely compromised (CVE-2021-41000, CVSS) 8.8risk High) When exchanging Diffie–Hellman keys, attackers can cause a denial of service, as a so-called de(HE)eter attack is possible – the manipulated transferred values lead to excessive computation and, as a result, paralyzed devices (CVEs). – 2002-2001, CVSS 7.5, High,
Another vulnerability could allow authenticated attackers to access information in plain text of Web-based management of switches without authorization, thereby exposing the network infrastructure, which could lead to further compromise (CVE-2021 -3712, CVSS 7.4, High) In addition, registered users can use manipulated scripts for the Network Analytics Engine (NAE) to execute arbitrary commands in the operating system and thus take full control of the switch (CVE-2021-4001, CVSS 7.2, High,
Unauthorized attackers can exploit cross-site scripting vulnerabilities to inject arbitrary code running into web browsers (CVE-2021-41003, CVSS 6.1, medium) In addition, the private keys for X.509 certificates can be recovered due to vulnerabilities (multiple CVEs, CVSSs) 5.9, medium) The last vulnerability described affects the command line, jeopardizing the integrity of critical system files through a path traversal vulnerability. Attackers can disable the switch or alter sensitive information (CVE-2021-41002, CVSS 5.5, medium,
affected version
Vulnerabilities concern noise security information aruba-switch 4100i, 6100, 6200, 6300, 6400, 8320, 8325, 8360 And 8400, have weak firmware versions 10.06.0170, 10.07.0050, 08/10/1030 And 10.09.0002 As well as earlier versions. Aruba points out that the errors may also be contained in firmware versions no longer supported in 10.05 and older, but this was not checked.
The gaps are closed in firmware versions 10.06.0180, 10.07.0061, 10.08.1040 and 10.09.0010 and newer. If you’re still running AOS-CX 10.05.xxxx or older firmware, Aruba recommends updating to at least version 10.06.0180. IT managers should use familiar methods to download available firmware updates and install them on the Switch as quickly as possible.
(DMK)
Freelance twitter maven. Infuriatingly humble coffee aficionado. Amateur gamer. Typical beer fan. Avid music scholar. Alcohol nerd.
