Hewlett Packard Enterprise (HPE) has released security updates to address multiple vulnerabilities affecting Aruba Networking Access Point products, including two critical bugs that could lead to unauthenticated command execution.
The vulnerabilities affect access points running Instant AOS-8 and AOS-10 –
- AOS-10.4.xx: 10.4.1.4 and below
- Instant AOS-8.12.xx: 8.12.0.2 and below
- Instant AOS-8.10.xx: 8.10.0.13 and below
The most serious of the six recently patched vulnerabilities are CVE-2024-42509 (CVSS score: 9.8) and CVE-2024-47460 (CVSS score: 9.0), two critical flaws in the unauthenticated command injection into the service CLI, which can lead to arbitrary code execution.
“Command injection vulnerability in the main service CLI could allow remote, unauthenticated code execution by sending specially crafted packets directed to PAPI (Aruba Access Point Management Protocol) UDP port (8211)” HPE said in the recommendation for both deficiencies.
“Successful exploitation of this vulnerability could lead to the execution of arbitrary code as a privileged user on the host operating system.”
It is recommended that you enable cluster security using the cluster-security command to mitigate CVE-2024-42509 and CVE-2024-47460 on devices running Instant AOS-8 code. However, for AOS-10 devices, the company recommends blocking access to UDP port 8211 from all untrusted networks.
HPE has also addressed four other vulnerabilities –
- CVE-2024-47461 (CVSS Score: 7.2) – Authenticated Arbitrary Remote Command Execution (RCE) in Instant AOS-8 and AOS-10
- CVE-2024-47462 and CVE-2024-47463 (CVSS Score: 7.2) – Arbitrary file creation vulnerability in Instant AOS-8 and AOS-10 that could lead to authenticated remote command execution
- CVE-2024-47464 (CVSS Score: 6.8) – Authenticated path traversal vulnerability could lead to remote unauthorized file access
As a workaround, users are encouraged to restrict access to the CLI and web management interfaces by placing them in a dedicated VLAN and controlling them with firewall policies at layer 3 and higher.
“Although Aruba Network access points have not previously been used in the wild, they are an attractive target for threat actors due to the potential access these vulnerabilities could provide via a privileged RCE user” – Arctic Wolf . said. “Additionally, in the near future, threat actors may attempt to engineer patches to exploit unpatched systems.”