HPE Aruba Networking fixes critical flaws impacting Access Points
HPE Aruba Networking has fixed three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points, which could let unauthenticated attackers gain remote code execution on vulnerable devices.
The vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) can be exploited by sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port (8211) to get privileged access to execute arbitrary code on vulnerable devices.
The Hewlett Packard Enterprise (HPE) subsidiary (formerly known as Aruba Networks) confirmed in a security advisory released earlier this week that the security flaws impact Aruba Access Points running Instant AOS-8 and AOS-10.
The vulnerabilities were reported by security researcher Erik De Jong through the company’s bug bounty program, and impacted software versions include:
- AOS-10.6.x.x: 10.6.0.2 and below
- AOS-10.4.x.x: 10.4.1.3 and below
- Instant AOS-8.12.x.x: 8.12.0.1 and below
- Instant AOS-8.10.x.x: 8.10.0.13 and below
The company urged administrators to install the latest security updates (available from the HPE Networking Support Portal) on vulnerable access points to prevent potential attacks.
Workaround available, no active exploitation
As a temporary workaround for devices running Instant AOS-8.x code, admins can enable "cluster-security" to block exploitation attempts. For AOS-10 devices, the company advises blocking access to port UDP/8211 from all untrusted networks.
HPE Aruba Networking also confirmed that other Aruba products, including Networking Mobility Conductors, Mobility Controllers, and SD-WAN Gateways, are not impacted.
According to the HPE Product Security Response Team, no public exploit code is available, and there have been no reports of attacks targeting the three critical vulnerabilities.
Earlier this year, the company also patched four critical RCE vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.
In February, Hewlett Packard Enterprise (HPE) said it was investigating a potential breach after a threat actor posted credentials and other sensitive information (allegedly stolen from HPE) for sale on a hacking forum.
Two weeks earlier, it reported that its Microsoft Office 365 email environment was breached in May 2023 by hackers believed to be part of the APT29 threat group linked to Russia's Foreign Intelligence Service (SVR).
source: BleepingComputer
Free security scan for your website
Top News:
Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
November 18, 2024CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs
November 23, 2024Download: CIS Critical Security Controls v8.1
August 8, 2024Hackers now use AppDomain Injection to drop CobaltStrike beacons
August 24, 2024