HPE Aruba Networking Releases Critical Security Updates for Instant AOS-8 and AOS-10 in Access Points

Five vulnerabilities could lead to remote code execution and arbitrary command execution in multiple series of Aruba Access Points

Threat ID:: CC-4571
Threat Severity:: Medium
Published:: 7 November 2024 1:26 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Five vulnerabilities could lead to remote code execution and arbitrary command execution in multiple series of Aruba Access Points

Affected platforms

The following platforms are known to be affected:

Aruba Access Points

HPE Aruba Networking - Access Points running the following software versions:

AOS-10.4.x.x: 10.4.1.4 and earlier
Instant AOS-8.12.x.x: 8.12.0.2 and earlier
Instant AOS-8.10.x.x: 8.10.0.13 and earlier

Threat details

End of maintenance ArubaOS software versions are also affected

Software versions that are End of Support Life (EoSL) are also affected by these vulnerabilities and are not addressed by this advisory. HPE Aruba Networking strongly recommends all customers running End of Support Life (EoSL) software to upgrade to a supported version as soon as possible.

Introduction

Hewlett Packard Enterprise (HPE) Aruba Networking has issued an advisory that addresses 5 vulnerabilities that affect Aruba Access Points (APs) product lines that use Instant AOS (ArubaOS) 8 and 10. AOS is a distributed network operating system working with Aruba Central that controls APs and optional gateways.

Two critical command injection vulnerabilities and three high severity vulnerabilities could be exploited by an attacker to achieve remote code execution (RCE). Successful exploitation could lead to the ability to execute arbitrary code as a privileged user on the underlying operating system.

Access Points are popular targets for attackers

Some access points and gateways are internet-facing by design and present an attractive target to facilitate initial access to an organisation's network, with exploitation by attackers often reported soon after official disclosure. The NHS England National CSOC assesses exploitation as highly likely, should a proof-of-concept (PoC) exploit be publicly released.

Remediation advice

Affected organisations are encouraged to review the HPE Security Advisory HPESBNW04722 rev.1 - HPE Aruba Networking Access Points Multiple Vulnerabilities and apply any relevant updates or workarounds.

Definitive source of threat updates

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US

CVE Vulnerabilities

Status Published

CVE-2024-42509

Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Status Published

CVE-2024-47460

Status Published

CVE-2024-47461

An authenticated command injection vulnerability exists in the Instant AOS-8 and AOS-10 command line interface. A successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying host operating system.

Status Published

CVE-2024-47462

An arbitrary file creation vulnerability exists in the Instant AOS-8 and AOS-10 command line interface. Successful exploitation of this vulnerability could allow an authenticated remote attacker to create arbitrary files, which could lead to a remote command execution (RCE) on the underlying operating system.

Status Published

CVE-2024-47463

Last edited: 7 November 2024 1:26 pm