Summary: HPE Aruba Networking has issued a security advisory regarding critical vulnerabilities in Access Points running Instant AOS-8 and AOS-10, which could lead to remote code execution and system compromise. The advisory emphasizes the urgency of applying patches and implementing security measures to mitigate these risks.
Threat Actor: Unknown
Victim: HPE Aruba Networking
Key Points:
- Critical vulnerabilities CVE-2024-42509 and CVE-2024-47460 allow for remote code execution via the PAPI protocol.
- HPE Aruba recommends immediate patch application and blocking access to UDP port 8211 from untrusted networks.
- Additional vulnerabilities include authenticated command injection and file creation issues, necessitating restricted access to management interfaces.
- Medium-severity vulnerability CVE-2024-47464 allows for file access through path traversal, risking sensitive data exposure.
- Workarounds include enabling cluster security and implementing network segmentation for affected devices.
HPE Aruba Networking has issued a security advisory warning of multiple critical vulnerabilities affecting Access Points running Instant AOS-8 and AOS-10. The company has released patches addressing these vulnerabilities, which, if exploited, could lead to remote code execution (RCE), unauthorized access, and even full system compromise.
The most severe of these issues, tracked as CVE-2024-42509, is an unauthenticated command injection vulnerability with a CVSS score of 9.8. Exploitation of this flaw allows attackers to remotely execute arbitrary code by sending specially crafted packets to the PAPI protocol’s UDP port (8211), commonly used by Aruba’s Access Point management services. As HPE Aruba’s advisory describes, “successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.”
Another critical vulnerability, CVE-2024-47460, discovered by Erik De Jong, also affects the PAPI protocol and has a slightly lower CVSS score of 9.0 due to its complexity. Both vulnerabilities pose severe risks and require immediate attention. For devices running AOS-10, HPE Aruba recommends blocking access to UDP port 8211 from untrusted networks, as enabling cluster security is not an option on this version.
Apart from the unauthenticated vulnerabilities, the advisory highlights several authenticated RCE and file creation issues in both AOS-8 and AOS-10. These include:
- CVE-2024-47461: An authenticated command injection vulnerability allowing attackers with CLI access to execute privileged commands, scoring 7.2 on the CVSS scale.
- CVE-2024-47462 and CVE-2024-47463: Arbitrary file creation vulnerabilities, which could allow attackers to execute commands remotely by creating specific files within the system. According to the advisory, “successful exploitation… could lead to a remote command execution (RCE) on the underlying operating system.”
To mitigate these risks, HPE Aruba recommends restricting the CLI and web-based management interfaces to a dedicated VLAN or applying firewall policies at Layer 3 and above.
The advisory also addresses a medium-severity vulnerability, CVE-2024-47464, which enables attackers to access files on the system through a path traversal technique. This vulnerability allows an attacker to “copy arbitrary files to a user readable location,” which could expose sensitive information.
HPE Aruba strongly urges users to apply the latest software patches. Affected versions include AOS-10.4.1.4 and below, and AOS-8.12.0.2 and below. For products where patches are not available, such as end-of-maintenance versions like AOS-10.6.x.x and AOS-8.5.x.x, Aruba suggests disabling access to vulnerable services or employing strict network segmentation.
For users unable to update immediately, HPE Aruba provides several workarounds:
- Enable Cluster Security: This setting can prevent unauthorized access on AOS-8 devices.
- Network Segmentation: Restricting access to management interfaces can limit exposure to these vulnerabilities.
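The two network-level controls the advisory recommends (blocking PAPI on UDP 8211 from untrusted networks, and confining the CLI and web management interfaces to a dedicated management VLAN or Layer 3 firewall policy) are easy to state but only useful if you can verify they hold. The script below is an added example, not code from HPE Aruba or from the advisory: it triages a constructed firewall/flow log for PAPI or management-plane traffic reaching an access point from any source outside a trusted management network, and emits the matching nftables allow/drop pair for an upstream Linux firewall. The log line format, the trusted networks and the sample addresses are all assumptions made for the example; adapt the regex to your own firewall's export format.

```python
"""
Added example (not part of the HPE Aruba advisory): find PAPI (UDP/8211) and
management-plane traffic that reaches access points from untrusted sources,
and generate an nftables rule pair that enforces the advisory's port-8211
restriction on an upstream Linux firewall.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

PAPI_PORT = 8211                              # PAPI UDP port named in the advisory
MGMT_PORTS = {22: "ssh-cli", 443: "web-ui"}   # management interfaces the advisory says to restrict

# Assumption for this example: networks allowed to reach AP management planes.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed log format: "<timestamp> proto=<udp|tcp> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>udp|tcp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log; 10.20.1.7 stands in for an access point.
SAMPLE_LOG = """\
2024-11-06T10:00:01Z proto=udp src=10.10.0.5:51234 dst=10.20.1.7:8211
2024-11-06T10:00:02Z proto=udp src=203.0.113.44:40000 dst=10.20.1.7:8211
2024-11-06T10:00:03Z proto=tcp src=198.51.100.9:55000 dst=10.20.1.7:443
2024-11-06T10:00:04Z proto=tcp src=10.10.0.5:55001 dst=10.20.1.7:22
2024-11-06T10:00:05Z proto=udp src=203.0.113.44:40001 dst=10.20.1.7:53
this line is deliberately malformed and must be skipped
"""


@dataclass
class Finding:
    rule: str
    ts: str
    src: str
    dst: str
    dport: int


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside a trusted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(lines: Iterable[str]) -> List[Finding]:
    """Flag PAPI or management traffic whose source is outside the trusted networks."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_trusted(rec["src"]):
            continue
        if rec["proto"] == "udp" and rec["dport"] == PAPI_PORT:
            rule = "papi-from-untrusted"
        elif rec["proto"] == "tcp" and rec["dport"] in MGMT_PORTS:
            rule = f"{MGMT_PORTS[rec['dport']]}-from-untrusted"
        else:
            continue
        findings.append(Finding(rule, rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return findings


def nft_rules(trusted_nets=TRUSTED_MGMT_NETS) -> List[str]:
    """nftables rule pair: permit PAPI only from trusted networks, drop the rest."""
    allow = ", ".join(str(n) for n in trusted_nets)
    return [
        f"udp dport {PAPI_PORT} ip saddr {{ {allow} }} accept",
        f"udp dport {PAPI_PORT} drop",
    ]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f)
    print("\n".join(nft_rules()))
```

Run on the constructed sample, the triage reports the PAPI packet from 203.0.113.44 and the HTTPS management attempt from 198.51.100.9, while the same ports from 10.10.0.5 pass silently; the DNS packet and the malformed line are ignored. The generated rule pair is the allow-list form of the advisory's "block UDP 8211 from untrusted networks" guidance and belongs in the inbound chain of whatever firewall sits in front of the access-point VLAN, since the advisory notes that enabling cluster security is not available as a workaround on AOS-10.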