UDP ports 8900 & 8211 remain open and pose a security risk in the customer network environment
Customer Issue: UDP ports 8900 and 8211 remain open and pose a security risk in the customer network environment.
Product: All ArubaOS switch platforms that support the Aruba Central management feature.
Description: A vulnerability scanner (the Nessus tool in the customer's case) reports UDP ports 8900 and 8211 as open on ArubaOS switches after a security scan of the network and devices.
Port 8900:
Port 8900 being always kept open is a well-known issue on ProCurve/Aruba switches and is already being addressed by the Engineering/Developer team. The issue is identified and verified in a Change Request (ID CR246091).
More information on port 8900, from the CR ticket:
Central: TCP port 8900 (jmb-cds1) should not be kept open at all times.
Question: what is jmb-cds1, other than a sync socket port? What is it ‘syncing’?
Answer: This is the SYNC_SOCK_PORT, which is currently always open for cloud application connections. It is opened during the switch’s initial init.
2. This points to a security vulnerability.
3. This port should be opened only when the feature is enabled.
4. If the switch is not managed by Aruba Central, then port 8900 should not be reported as open.
Process Application Programming Interface (PAPI - 8211) – Security Vulnerability Scanner reports port open on Aruba OS Switch
AP and controller communicate via PAPI (UDP port 8211).
PAPI is used for config download and control channels for ARM and Wireless Intrusion Detection System (WIDS) communication to the master controller.
This port needs to be open to allow communication between the controller and the APs. The document below describes the PAPI protocol in more detail and how to mitigate security vulnerabilities pertaining to PAPI messages.
PAPI can be disabled if required by applying firewall rules on the controller. The steps for this can also be found in the attached document.
Solution and Fix (Port 8900):
- The issue is fixed in the CPE Cycle 22 firmware release, version 16.08.0001, for all products managed by Aruba Central that support the feature.
- If a customer reports this issue, ask them to upgrade to the 16.08.0001 firmware release.
Solution (Port 8211):
- Yes, L4 port 8211 is bound to both IPv4 and IPv6 during switch initialization (papi init), irrespective of whether PPTN/PUTN is enabled.
- A UDP port scan relies on the ICMP response code to decide whether a port is closed.
- Adding an ACL would just drop the UDP packet without yielding an ICMP response, so the port scan would continue to show the port as open.
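The last two points above can be checked with a small simulation of a UDP scanner's decision rules: a probe that is silently dropped by an ACL produces the same verdict as a probe to a quiet listener, so the port stays in the report until the socket is no longer bound. This is an added educational example, not Aruba's code or the attached document; the host policies, the contrast port 40000 and the "socket not bound" case are constructed for illustration, and nothing is sent on the wire.

```python
"""
Simulation of how a UDP port scanner decides what to report for a port,
and why an ACL that silently drops probes keeps the port in the report.
Added educational example: nothing is sent on the wire, and the host
policies below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Response(Enum):
    """What comes back (or not) after one UDP probe."""
    UDP_REPLY = "service answered"
    ICMP_PORT_UNREACH = "ICMP type 3 code 3 (port unreachable)"
    ICMP_ADMIN_PROHIB = "ICMP type 3 code 13 (admin prohibited)"
    NONE = "no response before timeout"


def classify(response: Response) -> str:
    """Decision rules of common UDP scanners (nmap's -sU reports these states)."""
    if response is Response.UDP_REPLY:
        return "open"
    if response is Response.ICMP_PORT_UNREACH:
        return "closed"          # only an explicit port-unreachable proves nothing listens
    if response is Response.ICMP_ADMIN_PROHIB:
        return "filtered"        # a reject rule reveals itself
    return "open|filtered"       # silence: a quiet listener and a drop rule look the same


@dataclass
class HostPolicy:
    """Constructed model of one device's UDP behaviour."""
    bound: set = field(default_factory=set)        # ports with a socket bound at init
    replies: set = field(default_factory=set)      # bound ports whose service answers a probe
    acl_drop: set = field(default_factory=set)     # ACL discards the probe silently
    acl_reject: set = field(default_factory=set)   # filter answers with ICMP admin-prohibited


def probe(host: HostPolicy, port: int) -> Response:
    """Simulate the network path for a single UDP probe to `port`."""
    if port in host.acl_drop:
        return Response.NONE
    if port in host.acl_reject:
        return Response.ICMP_ADMIN_PROHIB
    if port in host.bound:
        return Response.UDP_REPLY if port in host.replies else Response.NONE
    return Response.ICMP_PORT_UNREACH   # no socket: the IP stack itself says so


def scan(host: HostPolicy, ports) -> dict:
    """Report the scanner's verdict for each probed port."""
    return {p: classify(probe(host, p)) for p in ports}


# Constructed scenarios. 8211 is bound at init regardless of feature state
# (as the note above describes); 40000 is a closed port used for contrast.
PROBED = [8211, 40000]
AS_SHIPPED = HostPolicy(bound={8211})
WITH_ACL_DROP = HostPolicy(bound={8211}, acl_drop={8211})
WITH_ACL_REJECT = HostPolicy(bound={8211}, acl_reject={8211})
SOCKET_NOT_BOUND = HostPolicy()   # hypothetical case: the socket is never created


def compare() -> dict:
    """Verdict for port 8211 under each policy; only the unbound case reads 'closed'."""
    return {
        "as shipped": scan(AS_SHIPPED, PROBED)[8211],
        "acl drop": scan(WITH_ACL_DROP, PROBED)[8211],
        "acl reject": scan(WITH_ACL_REJECT, PROBED)[8211],
        "socket not bound": scan(SOCKET_NOT_BOUND, PROBED)[8211],
    }


if __name__ == "__main__":
    for policy, verdict in compare().items():
        print(f"{policy:>18}: {verdict}")
```

The simulation makes the support answer concrete: an ACL that drops changes nothing in the report ("open|filtered" either way, which a scanner such as Nessus surfaces as an open port), an ACL that rejects changes the verdict to "filtered" but still lists the port, and only a device that does not bind the socket at all is reported "closed". That is why the remediation for this class of finding is a firmware change rather than a filter rule.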