FOCUS FRIDAY: Addressing the HPE Aruba Networking Devices and Tinyproxy Vulnerabilities: A TPRM Approach

Welcome to this week’s Focus Friday, where we delve into critical vulnerabilities that are reshaping Third-Party Risk Management (TPRM) practices. Today, we spotlight two high-profile issues: the Aruba products and Tinyproxy incidents. Our discussion will not only cover the specifics of these incidents but also illustrate how Black Kite’s FocusTags™ can drive proactive risk management strategies.

Filtered view of companies with an ArubaOS
FocusTagTM on the Black Kite platform.

CVE-2024-26304 in ArubaOS: A TPRM Perspective

What is the CVE-2024-26304 vulnerability?

CVE-2024-26304 is a critical vulnerability impacting Hewlett Packard Enterprise (HPE)’s devices running ArubaOS. It allows remote attackers to potentially seize control of the device without needing any prior authentication. A successful attack could grant the attacker the ability to execute arbitrary code with privileged user permissions on the underlying operating system. Exploiting the buffer overflow vulnerabilities discussed earlier, threat actors can execute unauthorized code with elevated privileges on the host operating system by sending carefully crafted packets to the Process Application Programming Interface (PAPI) UDP port (8211). This manipulation allows malicious actors to take advantage of the vulnerability, posing a significant threat. It affects certain versions of HPE Aruba products and ArubaOS software, as detailed in the vulnerability scope section.

Technical Details

CVE-2024-26304 is a critical vulnerability in HPE Aruba devices that leverage the L2/L3 Management service. This service is crucial for managing network functionalities on the device. The vulnerability itself is a buffer overflow, which means it can be exploited by attackers to inject malicious code. The PAPI protocol, Aruba’s proprietary protocol for access point management, is the target for delivering the exploit. With a CVSSv3 score of 9.8 (Critical), a successful exploit could grant an attacker complete control over the affected device, potentially including unauthorized access, data theft, or even disrupting network operations.

When examining the exploit code, we can make the exploitation process more understandable by categorizing it into four main headings.

1. RCE Vulnerability Targeted:
   
   The exploit code targets the RCE (Remote Code Execution) vulnerability in Aruba devices, allowing an attacker to execute code on the target system.
2. Technical Workflow:
   
   The code attempts to exploit the vulnerability by sending a request to a specific URL on the target Aruba device. It particularly manipulates requests made to the “oauth/redacted” path to exploit the vulnerability.
3. Exploitation Method:
   
   Special header information is provided to manipulate requests made to a specific target URL, utilizing the vulnerability present in the target system. It attempts to dump and process the memory of the target system to capture session tokens.
4. Objective of Unauthorized Access:
   
   It aims to obtain unauthorized access to the target system by utilizing the captured session tokens. This allows the attacker to inject desired code into the target system and access sensitive information.

What is the scope of CVE-2024-26304?

HPE servers that use the VFS functionality are susceptible, though the specific versions impacted are still being identified by security researchers. As per the vendor advisory, the following Aruba Networking products and software versions are vulnerable as of April 30, 2024:

Affected Products and Versions

Outdated ArubaOS and SD-WAN software
versions affected by unpatched vulnerabilities
are listed in this advisory.

These vulnerable products are also affected
by CVE-2024-26305, CVE-2024-33511,
and CVE-2024-33512.

Timeline for Aruba Vulnerabilities:

April 30, 2024 (Tuesday)

• The HPE Aruba Networking Product Security Advisory was published for vulnerabilities.

May 1, 2024 (Wednesday)

• Vulnerability has started to be shared as an announcement on some websites.

May 3, 2024 (Friday) 

• The vulnerability was analyzed and the FocusTag^TM processing was completed by Black Kite’s Research Team.

May 5, 2024 (Sunday)

• The vulnerability is publicly published on NVD (National Vulnerability Database) and assigned the CVE-ID CVE-2024-26304.
• POC Exploit code was published on github.

TPRM Implications

For Third-Party Risk Management (TPRM) professionals, addressing the critical vulnerability CVE-2024-26304 is paramount. This flaw in HPE Aruba devices exposes them to unauthenticated remote code execution (RCE) attacks. Effective TPRM practices can safeguard your organization from such downstream risks.

TPRM professionals should take the following steps to mitigate risks associated with CVE-2024-26304:

• Immediate communication with HPE Aruba to verify if they have patched their affected products.
• Urgent patching by applying the latest security updates from HPE Aruba to address CVE-2024-26304 on your HPE Aruba devices, continuous monitoring of your systems for signs of exploitation attempts or new vulnerabilities.
• Implementing enhanced security protocols such as stricter access controls and network segmentation to minimize the attack surface.

Engaging with Vendors

When assessing vendor security in light of CVE-2024-26304, consider asking:

1. Have you released patches to address CVE-2024-26304 for affected ArubaOS versions?
2. How are you monitoring your infrastructure for potential exploitation of this vulnerability?
3. What additional security measures have you implemented following the release of the patches?
4. Can you share recent security audit results to demonstrate your response to this vulnerability?

These inquiries will help you assess HPE Aruba’s security posture and make informed decisions regarding the associated risks. This approach not only addresses the immediate threat of these vulnerabilities but also strengthens your overall cybersecurity resilience against future vulnerabilities.

How can vendors detect and remediate CVE-2024-26304?

For ArubaOS 8.x, you can prevent exploitation of this vulnerability by enabling the Enhanced PAPI Security feature with a non-default key. Regarding ArubaOS 10.x, this issue is not applicable; upgrading to one of the recommended ArubaOS 10.x versions will resolve the other vulnerabilities mentioned in this advisory. For configuration assistance, please reach out to HPE Services – Aruba Networking TAC.

Remediation Recommendations:

• Update to fully fixed versions.
• Avoid exposing PAPI protocol directly to the internet.
• End-of-Maintenance ArubaOS and SD-WAN software versions are vulnerable, as noted in the HPE Aruba security advisory, and won’t be patched. It’s strongly advised to promptly update to the latest versions if you’re using these versions.
• To mitigate, enable Enhanced PAPI Security with a non-default key in ArubaOS 8.x, though this won’t work for ArubaOS 10.x. Upgrading to recommended ArubaOS 10.x versions will address other vulnerabilities. For help with configuration, contact HPE Services.
• Monitor network traffic for any anomalies.

Mitigating Vendor Risk of CVE-2024-26304 with Black Kite’s FocusTags™

On May 3, 2024, a critical vulnerability identified as CVE-2024-26304 was disclosed on the Black Kite platform. This highlights the potential risks associated with unpatched HPE Aruba devices and underscores the importance of proactive security measures to safeguard critical network infrastructure components.

TPRM specialists can leverage insights from the CVE-2024-26304 FocusTagTM to assess and prioritize risks diligently, fortifying
their defenses effectively.

CVE-2023-49606 in Tinyproxy: A TPRM Perspective

What is the CVE-2023-49606 vulnerability?

CVE-2023-49606 is a critical vulnerability in Tinyproxy, a popular HTTP/HTTPS proxy tool. It affects versions 1.10.0 and 1.11.1, including the latest version. This vulnerability is rated 9.8 on the CVSS scoring system, indicating a severe risk. The vulnerability exists in the way Tinyproxy parses HTTP connection headers. A specially crafted HTTP header can cause the software to reuse freed memory, leading to memory corruption and potentially allowing an attacker to execute arbitrary code on the system running Tinyproxy.

Technical Details

A critical vulnerability exists in Tinyproxy’s code that handles HTTP headers, classified as CVE-2023-49606. This weakness stems from memory management issues during the removal of specific headers, like “Connection” and “Proxy-Connection.” While the code intends to free up memory after removing these headers, it fails to do so properly. This flaw creates an opportunity for attackers to exploit the vulnerability by sending malicious HTTP requests with carefully crafted headers. By manipulating these specific headers, attackers can trick Tinyproxy into reusing the freed memory in an unintended way, which can lead to remote code execution and compromise the system.

The HTTP specification states that the “Connection” header from the client contains a list of headers to be removed by a proxy in the final request. Tinyproxy adheres to this by utilizing the “remove_connection_headers()” function, which removes these specified headers from the request before forwarding it to the remote server. The proxy then sends the server’s response back to the client.

The code operates by first examining the hashofheaders, where the client’s HTTP headers are stored. It specifically targets the Connection and Proxy-Connection headers to retrieve their values, which represent a list of headers to be removed. These headers are then iterated through, and each one is removed from hashofheaders. Finally, the actual Connection or Proxy-Connection header is removed.

remove_connection_headers() function in Tinyproxy

The orderedmap_remove() function calculates the hash of the provided key, retrieves the pointer to the corresponding value using this hash, and frees the memory occupied by the value. Then, it deletes the key itself from the hashmap.

orderedmap_remove() function is where the removal process
described earlier is implemented.

The vulnerability arises when a client sends the header “Connection: Connection”, with the values distinguished as ConnectionA and ConnectionB. The code retrieves the value for ConnectionA (1), which is ConnectionB, and attempts to remove it using orderedmap_remove() (3). However, since the hash of ConnectionB matches that of ConnectionA (5), freeing the pointer for ConnectionB (6) leads to a Use-After-Free scenario when the stale pointer is reused (7). This vulnerability can result in memory corruption and potential code execution privileges. While a similar issue can occur with the Proxy-Connection header, the remove_connection_headers() function exits if the Connection header doesn’t exist (2). Thus, to reproduce the issue, the client can send an alternative header like “Proxy-Connection: Proxy-Connection”.

The tinyproxy.config file configures Tinyproxy to use port 4444 and listen on the localhost address (127.0.0.1), enabling an exploitation scenario to be executed:

The tinyproxy.config file specifies that Tinyproxy listens
for network traffic on port 4444 on the localhost.

Manipulating the HTTP header via “Connection:”

Manipulating the HTTP header via “Proxy-Connection:“

Timeline for Tinyproxy Vulnerability:

May 1, 2024 (Wednesday) 

• The vulnerability is publicly published on NVD (National Vulnerability Database) and assigned the CVE-ID CVE-2023-49606
• Talos published a Vulnerability Report.

May 6, 2024 (Monday) 

• The vulnerability has started to be shared through certain news sources.

May 7, 2024 (Tuesday) 

• The vulnerability was analyzed and the FocusTag^TM processing was completed by Black Kite’s Research Team.

TPRM Implications

Third-Party Risk Management (TPRM) professionals should prioritize addressing the critical vulnerability CVE-2023-49606. This flaw in Tinyproxy software poses a severe risk as it allows attackers to potentially execute malicious code remotely on vulnerable systems. Effective TPRM practices are crucial to safeguard your organization from such downstream risks.

Here’s what TPRM professionals can do to mitigate risks associated with CVE-2023-49606:

• Inventory Assessment: Identify and locate all systems within your organization that use Tinyproxy. This can involve collaborating with IT teams to ensure a comprehensive understanding of your network infrastructure.
• Vendor Engagement: Reach out to Tinyproxy developers to inquire about the availability of patches for CVE-2023-49606. If a patch isn’t available yet, ask about any workarounds or mitigations that can be implemented while a permanent fix is developed.
• Risk Mitigation: Prioritize patching vulnerable Tinyproxy instances as soon as patches become available. If patching isn’t feasible immediately, consider isolating vulnerable systems to minimize the attack surface and prevent them from accessing critical resources on your network.
• Communication and Monitoring: Communicate the risks associated with CVE-2023-49606 to relevant stakeholders within your organization, including IT security teams and system administrators. Continuously monitor your systems for signs of suspicious activity or exploitation attempts.

By following these steps, TPRM professionals can effectively mitigate the risks associated with CVE-2023-49606 and safeguard their organization from potential attacks. This proactive approach strengthens your overall cybersecurity posture and ensures a more resilient defense against future vulnerabilities.

Engaging with Vendors

When assessing Tinyproxy’s response to the CVE-2023-49606 vulnerability, consider posing these questions:

• Have you released patches to address CVE-2023-49606 for affected Tinyproxy versions?
• Are there any workarounds or mitigations available while a patch is being developed?
• How are you communicating this vulnerability to Tinyproxy users?
• What is the recommended upgrade path for vulnerable systems?
• When can we expect a fix to be released?

By asking these questions, you can gain valuable insight into Tinyproxy’s efforts to address this vulnerability and make informed decisions about how to mitigate the risks to your systems. This proactive approach will not only safeguard your systems from immediate threats but also bolster your overall cybersecurity posture in the face of future vulnerabilities.

How can vendors detect and remediate CVE-2023-49606?

There is currently no publicly available information on specific tools or techniques Tinyproxy developers can use to detect CVE-2023-49606 within their codebase. However, users can employ some general code auditing practices:

1. Manual Code Review: Conduct a comprehensive manual code review of the functions handling HTTP headers, especially those related to “Connection” and “Proxy-Connection” headers, to uncover memory management issues that may lead to vulnerabilities.
2. Static Code Analysis Tools: Employ static code analysis tools to identify potential memory leaks or use-after-free vulnerabilities in the code. These tools can serve as an initial step in identifying areas requiring further investigation.
3. Identify Tinyproxy versions: They can scan their systems to identify machines running Tinyproxy versions 1.10.0 and 1.11.1. These are the only known vulnerable versions.
4. Check for specific flaw: For confirmed Tinyproxy installations, vendors can look for signs of the memory corruption caused by the vulnerability. This might involve analyzing logs for abnormal program termination or unexpected behavior.

Here are some recommendations to address the vulnerability until a patch becomes available:

1. Consider disabling Tinyproxy until the patch becomes available.
2. Use strong passwords and change default credentials.
3. Implement firewall rules to restrict network traffic.
4. As a temporary solution, modify the code snippet provided in the references section of the GitHub link. This approach directly utilizes values from a key/value store without duplicating them, helping to prevent memory allocation issues. Ensure it’s implemented after access checks and authentication, suitable for basic authentication and trusted hosts.
5. Tinyproxy developers should implement a fix that effectively addresses the memory management issues causing the vulnerability. Refactor Code for Memory Management: Restructure the code responsible for handling “Connection” and “Proxy-Connection” headers to ensure proper memory allocation and deallocation. This may involve utilizing techniques such as smart pointers or memory management libraries to mitigate manual memory management errors.
6. Monitor network traffic for any unusual activities.

Mitigating Vendor Risk of CVE-2023-49606 with Black Kite’s FocusTags™

On May 7, 2024, a critical vulnerability identified as CVE-2023-49606 was disclosed on the Black Kite platform. This highlights the potential risks associated with unpatched Tinyproxy software and underscores the importance of proactive security measures to safeguard critical network infrastructure components.

Black Kite’s Tinyproxy FocusTagTM details critical insights on the
event for TPRM professionals.

Enhancing TPRM Capabilities with Black Kite’s FocusTags™

In today’s dynamic cybersecurity landscape, effective Third-Party Risk Management (TPRM) is crucial. Black Kite’s FocusTags™ for ArubaOS and Tinyproxy specifically address the unique challenges posed by these incidents. Here’s how these tags are critical in managing third-party risks:

• Immediate Threat Identification: Rapidly pinpoints vendors affected by the Aruba devices or Tinyproxy vulnerability, enabling swift mitigation actions.
• Risk Prioritization: Assists in categorizing vendor risks, focusing on those with the highest exposure due to these specific incidents.
• Strategic Vendor Interactions: Facilitates detailed discussions with vendors about their exposure to Aruba devices or Tinyproxy vulnerability, ensuring they understand the risks and mitigation strategies.
• Comprehensive Security Enhancement: Provides insights into the cascading impacts of the Tinyproxy and the critical vulnerabilities of Aruba devices, helping to bolster overall security posture and resilience.

With these FocusTags™, Black Kite translates intricate threat data into actionable intelligence, empowering TPRM professionals to proactively manage and mitigate risks associated with specific high-profile incidents.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

Focus Tags^TM in the Last 30 days

• CrushFTP VFS: CVE-2024-4040, a Server Side Template Injection Vulnerability in CrushFTP
• Sisense Client
• FortiClient EMS: CVE-2023-48788, SQL Injection Vulnerability in Fortinet’s FortiClient Endpoint Management Server
• FortiOS SSL VPN: CVE-2024-21762, A Out-of-Bounds Write Vulnerability in FortiOS [Tag updated]
• Outlook RCE: CVE-2023-36439, RCE Vulnerability in Microsoft Exchange Server
• Change Healthcare Client
• JetBrains TeamCity: CVE-2023-42793, Authentication Bypass in JetBrains TeamCity CI/CD Servers; CVE-2024-27198, Authentication Bypass Vulnerability [Tag Updated]
• ScreenConnect:CVE-2024-1709, Authentication Bypass Vulnerability
• Cisco ASA [Suspected]CVE-2020-3259, Information Disclosure Vulnerability
• Exchange Server:CVE-2024-21410,Privilege Elevation Vulnerability
• QNAP QTS:CVE-2023-47218, CVE-2023-50358, OS Command Injection Vulnerability
• Symantec MG [Suspected]:CVE-2024-23615, CVE-2024-23614, Buffer Overflow Vulnerability (Remote Code Execution)
• FortiOS SSL VPN [Suspected]:CVE-2024-22024, An Out-of-Bounds Write Vulnerability
• RoundCube [Suspected] :CVE-2023-43770, Stored-XSS Vulnerability [Updated]
• Citrix ADC/Gateway:CVE-2023-6549 [Updated], Buffer Overflow Vulnerability
• Ivanti EPMM:CVE-2023-35082 [Updated], Authentication Bypass Vulnerability
• GoAnywhere [Suspected]:CVE-2024-0204, Authentication Bypass Vulnerability
• Redis RCE: CVE-2023-41056, Remote Code Execution Vulnerability
• Ivanti ICS: CVE-2024-21887, Command Injection Vulnerability, CVE-2023-46805, Authentication Bypass Vulnerability
• Cacti SQLi: CVE-2023-51448, Blind SQL Injection (SQLi) Vulnerability

References:

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt

https://nvd.nist.gov/vuln/detail/CVE-2024-26304

https://github.com/Roud-Roud-Agency/CVE-2024-26304-RCE-exploits

https://nvd.nist.gov/vuln/detail/CVE-2024-26304

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889

https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956

https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html

https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-four-critical-rce-flaws-in-arubaos