CVE-2021-37720 – This CVE allows remote attackers to execute arb... (How to Fix)

Q: What is the severity of CVE-2021-37720?

CVE-2021-37720 has a CVSS score of 7.2 (HIGH). This CVE allows remote attackers to execute arbitrary commands on Aruba SD-WAN and gateway devices running vulnerable ArubaOS versions. Attackers can potentially take full control of affected systems without authentication. Organizations using Aruba SD-WAN software or gateways with unpatched ArubaOS are at risk.

📋 TL;DR

This CVE allows remote attackers to execute arbitrary commands on Aruba SD-WAN and gateway devices running vulnerable ArubaOS versions. Attackers can potentially take full control of affected systems without authentication. Organizations using Aruba SD-WAN software or gateways with unpatched ArubaOS are at risk.

💻 Affected Systems

Products:

Aruba SD-WAN Software
Aruba Gateways

Versions: ArubaOS: Prior to 8.6.0.4-2.2.0.4; Prior to 8.7.1.4, 8.6.0.9, 8.5.0.13, 8.3.0.16, 6.5.4.20, 6.4.4.25

Operating Systems: ArubaOS

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running affected ArubaOS versions are vulnerable by default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of SD-WAN infrastructure allowing attackers to intercept/modify network traffic, pivot to internal networks, deploy ransomware, or establish persistent backdoors.

🟠

Likely Case

Unauthorized access to network devices leading to configuration changes, data exfiltration, or disruption of network services.

🟢

If Mitigated

Limited impact with proper network segmentation, but still potential for isolated device compromise.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing devices primary targets.

🏢 Internal Only: MEDIUM - Internal devices still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Remote command execution without authentication suggests relatively straightforward exploitation once details are known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.6.0.4-2.2.0.4 or later; 8.7.1.4, 8.6.0.9, 8.5.0.13, 8.3.0.16, 6.5.4.20, 6.4.4.25 or later

Vendor Advisory: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt

Restart Required: Yes

Instructions:

1. Download appropriate patch from Aruba support portal. 2. Backup device configuration. 3. Apply patch following Aruba's upgrade procedures. 4. Reboot device. 5. Verify patch installation and functionality.

🔧 Temporary Workarounds

Network Access Control

all

Restrict access to management interfaces using firewall rules or ACLs

# Example ACL to restrict management access
access-list 100 deny ip any any

Management Interface Isolation

all

Place management interfaces on separate VLAN with strict access controls

# Configure management VLAN
vlan 999
 name MANAGEMENT
interface vlan 999
 ip address 10.0.0.1 255.255.255.0

🧯 If You Can't Patch

Immediately isolate affected devices from internet and restrict internal access
Implement strict network monitoring and alerting for suspicious activity on these devices

🔍 How to Verify

Check if Vulnerable:

Check ArubaOS version via CLI: show version

Check Version:

show version

Verify Fix Applied:

Verify version is patched: show version and confirm version matches patched releases

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Unauthorized configuration changes
Unexpected system reboots or service restarts

Network Indicators:

Unusual outbound connections from SD-WAN devices
Anomalous traffic patterns through gateways
Unexpected management interface access attempts

SIEM Query:

source="aruba_device" AND (event_type="command_execution" OR event_type="config_change") AND user="unknown"

📊 Metadata

CVE ID: CVE-2021-37720

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: September 7, 2021

Last Updated: November 21, 2024

🔗 References

https://cert-portal.siemens.com/productcert/pdf/ssa-280624.pdf Mitigation,Third Party Advisory
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-280624.pdf Mitigation,Third Party Advisory
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37720, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Arubaos by Arubanetworks

Arubaos by Arubanetworks

Arubaos by Arubanetworks

Arubaos by Arubanetworks

Arubaos by Arubanetworks

Arubaos by Arubanetworks

Scalance W1750d Firmware by Siemens

Sd Wan by Arubanetworks

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Network Access Control

Management Interface Isolation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities