HPE Aruba Networking Releases Security Updates for Instant AOS-8 and AOS-10 in Access Points

Three critical vulnerabilities could lead to arbitrary code execution in multiple series of Aruba Access Points

Threat ID:: CC-4553
Threat Severity:: Medium
Published:: 26 September 2024 4:40 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Three critical vulnerabilities could lead to arbitrary code execution in multiple series of Aruba Access Points

Affected platforms

The following platforms are known to be affected:

Versions: 10.6.0.2 and earlier, 10.4.1.3 and earlier, 8.12.0.1 and earlier, 8.10.0.13 and earlier

ArubaOS

ArubaOS is used on the following HPE Aruba Access Points:

Aruba 100 Series
Aruba 103 Series
Aruba 110 Series
Aruba 120 Series
Aruba 130 Series
Aruba 200 Series
Aruba 207 Series
Aruba 210 Series
Aruba 220 Series
Aruba 260 Series
Aruba 300 Series
Aruba 303 Series
Aruba 310 Series
Aruba 320 Series
Aruba 330 Series
Aruba 340 Series
Aruba 370 Series
Aruba 500 Series
Aruba 510 Series
Aruba 530 Series
Aruba 550 Series
Aruba 630 Series
Aruba 650 Series

Threat details

End of maintenance ArubaOS software versions are also affected

The following software versions that are End of Support Life (EoSL) are affected by these vulnerabilities and are not addressed by this advisory:

AOS-10.5.x.x: all
AOS-10.3.x.x: all
Instant AOS-8.11.x.x: all
Instant AOS-8.9.x.x: all
Instant AOS-8.8.x.x: all
Instant AOS-8.7.x.x: all
Instant AOS-8.6.x.x: all
Instant AOS-8.5.x.x: all
Instant AOS-8.4.x.x: all
Instant AOS-6.5.x.x: all
Instant AOS-6.4.x.x: all

HPE Aruba Networking strongly recommends all customers running End of Support Life (EoSL) software to upgrade to a supported version as soon as possible.

Introduction

Hewlett Packard Enterprise (HPE) Aruba Networking has issued an advisory that addresses 3 vulnerabilities that affect Aruba Access Points (APs) product lines that use Instant AOS (ArubaOS). AOS is a distributed network operating system working with Aruba Central that controls APs and optional gateways.

Three critical command injection vulnerabilities that have CVSSv3 scores of 9.8 could be exploited by an unauthenticated, remote attacker via a specially crafted packet to achieve remote code execution (RCE). Successful exploitation could lead to the ability to execute arbitrary code as a privileged user on the underlying operating system.

Access Points are popular targets for attackers

Some access points and gateways are internet-facing by design and present an attractive target to facilitate initial access to an organisation's network, with exploitation by cyber threat groups often reported soon after official disclosure. The NHS England National CSOC assesses exploitation as highly likely, should a proof-of-concept (PoC) exploit be publicly released.

Remediation advice

Affected organisations are encouraged to review the HPE Security Advisory HPESBNW04712 rev.1 - HPE Aruba Networking Access Points Multiple Vulnerabilities and apply any relevant updates or workarounds.

Definitive source of threat updates

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04712en_us&docLocale=en_US

CVE Vulnerabilities

Status Published

CVE-2024-42505

Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Status Published

CVE-2024-42506

Status Published

CVE-2024-42507

Last edited: 26 September 2024 4:40 pm