CVE-2023-3718: Aruba CX Switches Vulnerable to Remote Code Execution
Aruba Networking has released updates for wired switch products running AOS-CX that address a security vulnerability in the command line interface. The vulnerability tracked as CVE-2023-3718 has a CVSS score of 8.8, which is considered to be high.
The list of affected models spans from the CX 10000 series right through to the CX 4100i series. The vulnerability also makes its presence known in the software branch versions AOS-CX 10.11.xxxx: 10.11.1010 and below, and AOS-CX 10.10.xxxx: 10.10.1050 and below. However, older branches, those preceding AOS-CX 10.10.xxxx, have been fortunate enough to escape the clutches of this exploit.
CVE-2023-3718 is an authenticated command injection vulnerability dwelling in the AOS-CX command line interface. In layman’s terms, successful exploitation of this hidden chink in the armor leads to the unregulated execution of arbitrary commands on the underlying operating system. The intruder achieves this exploit as a privileged user on the affected switch, posing a severe threat to the integrity and confidentiality of the underlying operating system on the device running AOS-CX. This vulnerability was discovered and reported by Nick Starke from the Aruba Threat Labs.
To deter this invisible adversary, HPE Aruba Networking prescribes that the CLI and web-based management interfaces be confined to a dedicated layer 2 segment/VLAN. Additional firewall policies at layer 3 and above should control this containment. These security measures reduce the likelihood of a potential breach, creating a formidable labyrinth to stymie the insidious intentions of an attacker.
The resolution to this cybersecurity enigma lies in upgrading the affected switches to one of the AOS-CX branches and versions that have been inoculated against the vulnerabilities described. These include AOS-CX 10.12.xxxx: 10.12.0006 and above, AOS-CX 10.11.xxxx: 10.11.1021 and above, and AOS-CX 10.10.xxxx: 10.10.1060 and above.
We recommend that you upgrade your affected switches to the latest firmware as soon as possible. In the meantime, you can implement the workaround described above to help protect your switches from attack.