A vulnerability exists in the firmware of embedded BLE radios that are part of some Aruba access points. An attacker who is able to exploit the vulnerability could install new, potentially malicious firmware into the AP’s BLE radio and could then gain access to the AP’s console port.
This vulnerability is applicable only if the BLE radio has been enabled in affected access points. The BLE radio is disabled by default.

The BLE radio used in the affected APs contains functionality that allows for over-the-air firmware updates. Access to this functionality is protected by a password. Unfortunately, it was discovered that an attacker with access to a software image (e.g. downloaded from the Aruba website), or with access to the AP hardware, could recover the password. With access to the password, an attacker can push malicious firmware updates to the BLE radio wirelessly.

There are two consequences of malicious firmware running in the BLE radio:

- Features which use the BLE radio for wayfinding or management of BLE beacons could be disrupted. Wayfinding applications could show erroneous position information and administrators could lose the ability to manage BLE beacons.
- The BLE radio provides an optional feature called BluConsole. This feature permits access to the AP serial console over BLE. While this feature is enabled/disabled from within ArubaOS by the AP CPU, the AP CPU merely sends an enable/disable message to the BLE radio. Actual enforcement of the feature is performed by the BLE radio itself. Therefore, malicious BLE firmware would have direct access to the AP’s serial console. This could allow an attacker to disrupt settings in the AP’s boot ROM, resulting in potential denial of service.

Note: Console access to a running ArubaOS AP software image is password-protected, unless password protection has been explicitly disabled by the administrator. Serial console access would thus provide access only to the boot ROM configuration, not to an AP that has already booted and is running ArubaOS. Gaining access to the boot ROM configuration would require rebooting the access point, typically necessitating physical access to the AP or passively waiting for an AP reboot to occur.

Affected Products
=================

- AP-3xx and IAP-3xx series access points
- AP-203R
- AP-203RP
- ArubaOS 6.4.4.x prior to 126.96.36.199
- ArubaOS 6.5.3.x prior to 188.8.131.52
- ArubaOS 6.5.4.x prior to 184.108.40.206
- ArubaOS 8.x prior to 220.127.116.11
- ArubaOS 8.3.x prior to 18.104.22.168

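
The applicability conditions in this advisory (an affected model, the BLE radio enabled, and whether console password protection is still on) can be applied to an AP inventory to decide which units need attention first. The following is an added example, not part of Aruba's advisory: the CSV column names and sample rows are constructed assumptions rather than an ArubaOS export format, and software version is not evaluated.

```python
import csv
import io
import re

# Models named in the advisory: AP-3xx / IAP-3xx series, AP-203R, AP-203RP.
AFFECTED_MODEL = re.compile(r"I?AP-3\d\d[A-Z]*|AP-203RP?", re.IGNORECASE)

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """\
name,model,ble_enabled,console_password_protected
lobby-ap1,AP-305,yes,yes
lab-ap2,IAP-315,no,yes
dorm-ap3,AP-203RP,yes,no
hall-ap4,AP-225,yes,yes
roof-ap5,ap-203r,,yes
"""

TRUE_VALUES = {"yes", "true", "1", "enabled"}


def triage(row):
    """Classify one inventory row using the advisory's applicability conditions."""
    model = (row.get("model") or "").strip()
    ble = (row.get("ble_enabled") or "").strip().lower()
    console_pw = (row.get("console_password_protected") or "").strip().lower()

    if not AFFECTED_MODEL.fullmatch(model):
        return "model-not-listed"
    if ble == "":
        return "ble-state-unknown"  # affected model; confirm the radio state
    if ble not in TRUE_VALUES:
        return "ble-disabled"  # the default; vulnerability not applicable
    if console_pw not in TRUE_VALUES:
        # The advisory's note: running-OS console is only password-gated
        # if the administrator has not disabled that protection.
        return "exposed-console-unprotected"
    return "exposed"


def triage_inventory(text):
    """Return {ap_name: tier} for a CSV inventory given as a string."""
    return {r["name"]: triage(r) for r in csv.DictReader(io.StringIO(text))}


if __name__ == "__main__":
    for name, tier in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:10} {tier}")
```
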
How to resolve this problem?
Upgrade to one of the following software releases. Note that at the time of initial publication, only ArubaOS 22.214.171.124 has been released. Aruba typically prefers to issue security advisories only after updates are made available for all supported branches. Unfortunately, Aruba became aware that news of this vulnerability had been prematurely leaked by one of the other parties involved, which has necessitated early disclosure.