HPE Aruba Networking AOS-CX
cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*
- >= 10.15.0.0, <= 10.15.1000
- >= 10.14.0.0, <= 10.14.1030
- >= 10.13.0.0, <= 10.13.1070
- >= 10.10.0.0, <= 10.10.1140
A vulnerability exists in the AOS-CX software for the HPE Aruba Networking CX 9300 Switch Series, specifically in versions AOS-CX 10.14.xxxx (all patches) and AOS-CX 10.15.xxxx (10.15.1000 and below). This vulnerability allows traffic originating from the CX 9300 switches to bypass Access Control List (ACL) rules on routed ports during egress, leading to improper enforcement of port ACLs. Consequently, this could result in unauthorized traffic flow and breaches of security policies. It is important to note that egress VLAN ACLs and Routed VLAN ACLs are not impacted by this issue.
Exploitation of this vulnerability could cause port ACLs to be incorrectly applied, allowing unauthorized traffic to flow through routed ports on CX 9300 switches, thereby violating established security policies.
To address this vulnerability, HPE Aruba Networking CX 9300 customers should upgrade to AOS-CX 10.15.1005 or higher. All 10.14.xxxx versions are affected; in the 10.15.xxxx branch, only versions 10.15.1000 and below are impacted. The updated software can be downloaded from the HPE Networking Support Portal.
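The version rules above can be applied to a switch inventory to decide which devices need the upgrade. The following is an added example, not code from HPE or from this page. The inventory rows, the model strings, and the optional two-letter platform prefix on version strings are assumptions. Releases the description does not classify are flagged for manual verification rather than guessed.

```python
import re

FIXED = (10, 15, 1005)               # first fixed release named in the description
LAST_AFFECTED_1015 = (10, 15, 1000)  # "10.15.1000 and below"

# Assumption: a version may carry a two-letter platform prefix ("XX.10.15.1000").
_VERSION = re.compile(r"^(?:[A-Za-z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Turn '10.15.1000' (optionally prefixed) into a comparable tuple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AOS-CX version: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(model, version):
    """Return (status, note) for the egress port ACL issue on routed ports."""
    if "9300" not in model:
        return "not-in-scope", "issue is described for the CX 9300 Switch Series"
    v = parse_version(version)
    if v >= FIXED:
        return "fixed", "at or above 10.15.1005"
    if v[:2] == (10, 14):
        return "affected", "all 10.14.xxxx releases; upgrade to 10.15.1005 or higher"
    if v[:2] == (10, 15):
        if v <= LAST_AFFECTED_1015:
            return "affected", "upgrade to 10.15.1005 or higher"
        return "verify", "between last affected and first fixed release"
    return "verify", "branch not named in the description; check the vendor advisory"

# Constructed inventory (hostname, model, version); these are not real devices.
INVENTORY = [
    ("core-a", "CX 9300", "10.14.1030"),
    ("core-b", "CX 9300", "10.15.1000"),
    ("core-c", "CX 9300", "XX.10.15.1005"),
    ("core-d", "CX 9300", "10.15.1003"),
    ("dist-a", "CX 9300", "10.13.1070"),
    ("edge-a", "CX 6300", "10.15.1000"),
]

def report(inventory=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(model, ver)[0] for host, model, ver in inventory}

if __name__ == "__main__":
    for host, model, ver in INVENTORY:
        status, note = triage(model, ver)
        print(f"{host:8} {model:8} {ver:14} {status:13} {note}")
```

Devices reported as `affected` that rely on egress port ACLs on routed ports are the ones where policy enforcement should be rechecked until the upgrade is applied.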