—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Multiple Vulnerabilities in HPE Aruba Products

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: High

 

Software Affected:

 

Rsync daemon

rsync versions 3.2.7 and 3.3.0

·     HPE Aruba Networking AOS-CX Software Version(s):

o    AOS-CX 10.16.xxxx: 10.16.1000 and below

o    AOS-CX 10.15.xxxx: 10.15.1020 and below

o    AOS-CX 10.14.xxxx: 10.14.1050 and below

o    AOS-CX 10.13.xxxx: 10.13.1090 and below

o    AOS-CX 10.10.xxxx: 10.10.1160 and below

 

Overview:

Multiple vulnerabilities have been reported in Rsync Daemon that could be exploited by an unauthenticated attacker to gain Remote Code Execution, Directory Traversal, and Sensitive Information Disclosure on the targeted system.

 

Target Audience:

System & Security Administrators,Internet Service Providers (ISPs) & Hosting Providers,DevOps Engineers & IT Professionals,Developers & General Linux/Unix Users.

Risk Assessment:

Critical Remote Code Execution (RCE) flaw that is unauthenticated and remote, combined with multiple client-side attack vectors that could compromise the systems

Impact Assessment:

There are high risks of Confidentiality, Integrity, and Availability

 

Description:

 

The HPE Aruba Networking EdgeConnect SD-WAN Gateways are advanced edge devices designed to deliver secure, high-performance, and intelligent software-defined WAN (SD-WAN) connectivity.

 

 

1.   Heap-based Buffer Overflow Vulnerability  CVE-2024-12084

 

A  Vulnerability exists in Rsync Daemon due to improper handling of attacker-controlled checksum lengths (s2length).  

 

Successfully exploitation of this vulnerability could allow an attacker can write out of bounds in the sum2 buffer, When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes).

 

2.   Information Disclosure Vulnerability  CVE-2024-12085

 

A  Vulnerability exists in Rsync Daemon which could be triggered when rsync compares file checksums.

 

Successfully exploitation of this vulnerability could allow an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

 

3.   Arbitrary File Read Vulnerability  CVE-2024-12086

 

A  Vulnerability exists in Rsync Daemon which could allow a server to enumerate the contents of an arbitrary file from the client’s machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server.

 

Successfully exploitation of this vulnerability could allow an attacker to sending specially constructed checksum values for arbitrary files, may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

4. Path Traversal Vulnerability CVE-2024-12087

A  Vulnerability exists in Rsync Daemon due to improper handling of symbolic links when the –inc-recursive option is used.

 

Successfully exploitation of this vulnerability could allow an attacker in malicious server to write files outside of the client’s intended destination directory.

 

5. Path Traversal Bypass Vulnerability CVE-2024-12088

A  Vulnerability exists in Rsync Daemon due to -safe-links option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it.

 

Successfully exploitation of this vulnerability could allow an attacker lead to arbitrary file write outside the desired directory.

 

6. Race Condition Vulnerability  CVE-2024-12747

 

A  Vulnerability exists in Rsync Daemon could allow a remote attacker to obtain sensitive information, caused by a race condition in the handling of symbolic links.

 

 

Solution

 

Apply appropriate software updates as mentioned by Security vendor

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04971en_us&docLocale=en_US

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US

 

References:

 

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04971en_us&docLocale=en_US

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US

CVE Name

CVE-2024-12084

CVE-2024-12085

CVE-2024-12086

CVE-2024-12087

CVE-2024-12088

CVE-2024-12747

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmkgjB0ACgkQ3jCgcSdc

ys/Ynw//Qu8zbg3iw1UtK/41D+l1ndp06Eyr4JFWqY7ZFkvNk+ccLv7VCk83iU8D

YbPXOx9VvFhgWMYwMRlDdY0LVbXwC9hyyiZv7hCb/MeVQLb8uTIa2fPkHlmH/c1H

49zA87p9lhDWGy4K4tG4C4CAOgHBQMwwrhNlbPcIcZd+91i9OcAFdcGsDXsQu0+Q

bQXSiScnIsFfmPVtrkzV0mdbAyGV0PlICjqd7Ikz4P2cUymiBCsIds5MOkJ5lnG3

ncfmbr0Cq9O0r1SEk+AP14CuNY3wgJZ21hGv2aqF+MDicVFpTpcmujTkTEd8Rg0d

K/4y15HhadstpNZzfB+6hW8/08oOreHnUl8kmriebgdFeg4DBvNGpTJoekQxZ4Bj

gL5WPpKBamoRSLCrKlrxRQ9ns8WRECwgVIIw5Zx65ekp5z4EM5nXG6BwKvu+Mn5T

qLPvk3Xop5+kziaOeVrIz0da6TfVpd1RkTpFjZoX6qlDBrOv8pweKpmyEm/DKZtv

4yJDL3JAYosktEbybEiy+QiH8++u2fsq3TmhjlfiDYx3IuVMmLG0FlzFQhGodedh

avBwgpFSJbjJIagDJvprw0M2K7XLpi876Q+CgSqlBQayrzljgKSxSAro5gixYdH7

FI6shvMdZdoEGI2d34aadhFumskWINyl1ZdpF2pB16X9RPdYn80=

=pVyV

—–END PGP SIGNATURE—–