HPE Aruba Networking (previously Aruba Networks) has launched security updates to deal with crucial flaws impacting ArubaOS that might end in distant code execution (RCE) on affected techniques.
Of the ten security defects, 4 are rated crucial in severity –
- CVE-2024-26304 (CVSS rating: 9.8) – Unauthenticated Buffer Overflow Vulnerability within the L2/L3 Administration Service Accessed by way of the PAPI Protocol
- CVE-2024-26305 (CVSS rating: 9.8) – Unauthenticated Buffer Overflow Vulnerability within the Utility Daemon Accessed by way of the PAPI Protocol
- CVE-2024-33511 (CVSS rating: 9.8) – Unauthenticated Buffer Overflow Vulnerability within the Automated Reporting Service Accessed by way of the PAPI Protocol
- CVE-2024-33512 (CVSS rating: 9.8) – Unauthenticated Buffer Overflow Vulnerability within the Native Person Authentication Database Accessed by way of the PAPI Protocol
A menace actor might exploit the aforementioned buffer overflow bugs by sending specifically crafted packets destined to the Course of Software Programming Interface (PAPI) UDP port (8211), thereby gaining the flexibility to execute arbitrary code as a privileged person on the underlying working system.
The vulnerabilities, which influence Mobility Conductor (previously Mobility Grasp), Mobility Controllers, and WLAN Gateways and SD-WAN Gateways managed by Aruba Central, are current within the following software program variations –
- ArubaOS 10.5.1.0 and beneath
- ArubaOS 10.4.1.0 and beneath
- ArubaOS 8.11.2.1 and beneath, and
- ArubaOS 8.10.0.10 and beneath
Additionally they influence the ArubaOS and SD-WAN software program variations which have reached finish of upkeep standing –
- ArubaOS 10.3.x.x
- ArubaOS 8.9.x.x
- ArubaOS 8.8.x.x
- ArubaOS 8.7.x.x
- ArubaOS 8.6.x.x
- ArubaOS 6.5.4.x
- SD-WAN 8.7.0.0-2.3.0.x, and
- SD-WAN 8.6.0.4-2.2.x.x
A security researcher named Chancen has been credited with discovering and reporting seven of the ten points, together with the 4 crucial buffer overflow vulnerabilities.
Customers are suggested to use the most recent fixes to mitigate potential threats. As non permanent workarounds for ArubaOS 8.x, the corporate is recommending that customers allow the Enhanced PAPI Safety characteristic utilizing a non-default key.
