HPE Patches Critical Vulnerabilities in Aruba Access Points


HPE this week announced patches for multiple vulnerabilities in its Aruba Networking access points, including two critical-severity command injection bugs.

The critical security defects, tracked as CVE-2024-42509 (CVSS score of 9.8) and CVE-2024-47460 (CVSS score of 9.0), impact the CLI service underlying Aruba’s access point management protocol.

A remote, unauthenticated attacker can exploit the flaws by sending crafted packets to the protocol’s UDP port (8211), which could lead to arbitrary code execution as a privileged user on the underlying operating system.

The issues, HPE says, affect access points running Instant AOS-8 and AOS-10 software, including Instant AOS-6.x, Instant AOS-8.x, and AOS-10.x versions that have reached end-of-life (EoL) status.

“Enabling cluster security via the cluster-security command will prevent this vulnerability from being exploited in devices running Instant AOS-8 code. For AOS-10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks,” HPE notes in its advisory.

This week, the company also warned of three high-severity remote code execution (RCE) vulnerabilities affecting the Instant AOS-8 and AOS-10 command line interface, tracked as CVE-2024-47461, CVE-2024-47462, and CVE-2024-47463.

CVE-2024-47461 could allow an authenticated attacker to execute arbitrary commands as a privileged user and fully compromise the underlying host operating system.

CVE-2024-47462 and CVE-2024-47463 “could allow an authenticated remote attacker to create arbitrary files, which could lead to a remote command execution (RCE) on the underlying operating system,” HPE explains.


Restricting the CLI and web-based management interfaces to a dedicated layer 2 segment/VLAN and/or controlling them through firewall policies should mitigate the likelihood of these vulnerabilities being exploited, HPE says.

Instant AOS-8 and AOS-10, HPE warned, are also affected by a high-severity authenticated path traversal bug that could allow an attacker to copy arbitrary files and read their contents.

Patches for all six vulnerabilities were included in AOS-10.7.0.0 and AOS-10.4.1.5 and in Instant AOS-8.12.0.3 and Instant AOS-8.10.0.14.
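The fixed releases above are per release train, so a fleet check has to compare each access point's build against the fix for its own train rather than against a single number. The script below is an added example written for this article, not an HPE or Aruba tool. It assumes a build is patched when it is at or above the fixed release of its train (10.7.x, 10.4.x, 8.12.x, 8.10.x), and treats any train with no listed fix (for example the EoL 6.x builds named above) as affected; the inventory it walks is constructed sample data.

```python
"""Check Aruba AP firmware versions against the fixed releases named above.

Added example for this article, not HPE/Aruba tooling. The fixed-release
table comes from the article; everything else is an assumption made here.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed releases from the advisory, keyed by release train (major, minor).
# Assumption: a build is fixed when it is >= the fixed release of its own
# train; trains with no listed fix (6.x, 8.11, 10.5, ...) are treated as
# affected, which is the conservative reading of the advisory summary.
FIXED_RELEASES = {
    (10, 7): (10, 7, 0, 0),
    (10, 4): (10, 4, 1, 5),
    (8, 12): (8, 12, 0, 3),
    (8, 10): (8, 10, 0, 14),
}

# Accepts bare "10.4.1.2" as well as prefixed forms such as "Instant 8.12.0.3".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Version:
    """Extract a dotted version and pad it to four numeric components."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) < 4:
        parts.append(0)
    return (parts[0], parts[1], parts[2], parts[3])


class Verdict(NamedTuple):
    version: Version
    train: Tuple[int, int]
    fixed_in: Optional[Version]
    patched: bool
    reason: str


def assess(text: str) -> Verdict:
    """Decide whether one firmware build carries the fixes for these CVEs."""
    version = parse_version(text)
    train = (version[0], version[1])
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return Verdict(version, train, None, False,
                       "no fixed release listed for this train; treat as affected (possibly EoL)")
    if version >= fixed:  # tuple comparison is lexicographic, so 10.4.1.5 >= 10.4.1.5
        return Verdict(version, train, fixed, True, "at or above the fixed release")
    return Verdict(version, train, fixed, False, "below the fixed release; upgrade")


# Constructed sample inventory: (hostname, version string as reported by the AP).
INVENTORY = [
    ("ap-lobby-01", "10.4.1.2"),
    ("ap-lab-07", "10.4.1.5"),
    ("ap-wh-03", "8.10.0.12"),
    ("ap-hq-12", "Instant 8.12.0.3"),
    ("ap-old-99", "6.5.4.23"),
]


def unpatched_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames that still need an upgrade, in inventory order."""
    return [host for host, version in inventory if not assess(version).patched]


if __name__ == "__main__":
    for host, version in INVENTORY:
        verdict = assess(version)
        status = "patched" if verdict.patched else "AFFECTED"
        print(f"{host:<12} {version:<18} {status:<9} {verdict.reason}")
```

Running the script against the sample inventory flags `ap-lobby-01`, `ap-wh-03` and `ap-old-99`; the first two are simply below their train's fixed release, while the 6.x device has no fix listed at all and can only be mitigated by the network controls HPE describes (blocking UDP/8211 from untrusted networks and isolating the management interfaces) or by replacement.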

HPE says all bugs were reported through Aruba Networking’s bug bounty program and makes no mention of any of them being exploited in the wild.
