ArubaOS-Switch Switches have been found to contain multiple vulnerabilities, including Stored Cross-site Scripting (Stored XSS), Denial of Service (DoS), and Memory Corruption issues.
Aruba, the owner of ArubaOS-Switch and a subsidiary of Hewlett Packard Enterprise, has taken steps to address these vulnerabilities and has released a security advisory. ArubaOS-Switch allows centralized network management and is part of Aruba Networks’ product lineup.
CVE-2023-39266: Unauthenticated Stored Cross-Site Scripting This vulnerability affects the web management interface of ArubaOS-Switch, potentially enabling unauthenticated attackers to execute Stored XSS attacks. The exploitation of this vulnerability could permit malicious script execution on affected interfaces, with a CVSS score of 8.3 (High).
CVE-2023-39267: Authenticated Denial Of Service Vulnerability The Command Line Interface (CLI) of ArubaOS-Switch is susceptible to an authenticated remote code execution, leading to a Denial-of-Service scenario. This vulnerability has a CVSS score of 6.6 (Medium).
CVE-2023-39268: Memory Corruption Vulnerability Attackers could exploit this vulnerability by sending specially crafted packets to the ArubaOS-Switch, potentially resulting in unauthenticated remote code execution. This vulnerability stems from memory corruption issues within the ArubaOS-Switch, with a CVSS score of 4.5 (Medium).
Affected Products & Fixed In Version
The affected products include HPE Aruba Networking Switch Models,
- Aruba 5400R Series Switches
- Aruba 3810 Series Switches
- Aruba 2920 Series Switches
- Aruba 2930F Series Switches
- Aruba 2930M Series Switches
- Aruba 2530 Series Switches
- Aruba 2540 Series Switches
Aruba Networks’ advisory recommends upgrading to version KB/WC/YA/YB/YC.16.11.0013 or higher to address these vulnerabilities. They also suggest implementing workarounds such as restricting CLI and web-based management interfaces to dedicated layer 2 segments/VLANs or controlling them with firewall policies at layer 3 and above to minimize the risk of exploitation.
One of the vulnerabilities (CVE-2023-39266) has been publicly disclosed along with a Proof-of-Concept, accessible here. Users of these products are strongly advised to update to the latest version to mitigate these vulnerabilities and prevent potential exploitation.