Summary: HPE has issued urgent patches for three critical vulnerabilities in Aruba access points running AOS-8 and AOS-10, which could allow unauthenticated attackers to execute code remotely. The vulnerabilities, rated 9.8 on the CVSS scale, affect specific versions of the operating system and require immediate attention from system administrators.
Threat Actor: Unauthenticated attackers | unauthenticated attackers
Victim: HPE Aruba Networks | HPE Aruba Networks
Key Point :
- Three critical vulnerabilities (CVE-2024-42505, CVE-2024-42506, CVE-2024-42507) allow remote code execution via UDP port 8211.
- Affected versions include AOS 10.6.x.x and Instant AOS 8.12.x.x, with recommendations to upgrade from end-of-life code.
- Cluster-security can prevent exploitation in Instant AOS-8.x, while AOS-10 requires blocking access to UDP port 8211 from untrusted networks.
- The vulnerabilities were discovered by Erik de Jong and reported through Bugcrowd, with no current evidence of exploitation in the wild.
Aruba access points running AOS-8 and AOS-10 need to be patched urgently after HPE emitted fixes for three critical flaws in its networking subsidiary’s networking access points.
The issues would allow an unauthenticated attacker to run code on Aruba’s systems by sending carefully crafted packets to UDP port 8211, the operating system’s Proprietary Access Protocol Interface (PAPI), which would provide that miscreant privileged access to the equipment.
The three vulnerabilities – CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507 – are all rated 9.8 out of 10 on the CVSS severity scale.
The flaws affect versions of AOS 10.6.x.x (up to and including 10.6.0.2), as well as Instant AOS 8.12.x.x (8.12.0.1 and earlier versions). HPE is also warning that end-of-life code, including AOS 10.5 and 10.3, and Instant AOS-8.11 – as well as earlier incarnations – and the advice is to upgrade these systems to get protection.
“Enabling cluster-security via the cluster-security command will prevent these vulnerabilities from being exploited in devices running Instant AOS-8.x code,” HPE advised in its security alert. “For AOS-10 devices this is not an option and instead access to UDP port 8211 must be blocked from all untrusted networks.”
It’s not the first time PAPI has been shown to have serious problems this year. Back in May, four critical flaws in the system were fixed by Aruba after proof of concept exploit code was released, and then issued more patches less than a week later.
These patches will be of particular concern to sysadmins within the US military. Back in 2020, Aruba scored a major win by becoming the preferred supplier to the Pentagon after the military fell out with Cisco and started replacing its kit.
HPE credited the flaws’ discovery to Erik de Jong, a part-time flaw finder whose day job is as a security officer for the Netherlands telco DELTA Fiber. The vulnerabilities were submitted via Bugcrowd, and he has credited his hobby to paying a chunk off his mortgage.
At the time of publication, HPE said that it had seen no evidence that the issues are being exploited in the wild. However, now that patches are out, and given their seriousness, that’s likely to change. ®
Source: https://www.theregister.com/2024/09/26/hpe_aruba_patch_papi