HPE Aruba Networking fixes 4 critical RCE flaws in ArubaOS

HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities affecting multiple versions of ArubaOS, its proprietary network operating system.

The advisory lists ten vulnerabilities, four of which are critical-severity (CVSS v3.1: 9.8) unauthenticated buffer overflow issues that can lead to remote code execution (RCE).

Products impacted by the newly disclosed flaws are:

  • HPE Aruba Networking Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed by Aruba Central.
  • ArubaOS 10.5.1.0 and below, 10.4.1.0 and older, 8.11.2.1 and below, and 8.10.0.10 and older.
  • All versions of ArubaOS and SD-WAN that have reached End of Life (EoL). This includes ArubaOS below 10.3, 8.9, 8.8, 8.7, 8.6, 6.5.4, and SD-WAN 2.3.0 through 8.7.0.0 and 2.2 through 8.6.0.4.

The four critical remote code execution flaws are:

  • CVE-2024-26305 – Flaw in ArubaOS's Utility daemon allowing an unauthenticated attacker to execute arbitrary code remotely by sending specially crafted packets to the PAPI (Aruba's access point management protocol) UDP port (8211).
  • CVE-2024-26304 – Flaw in the L2/L3 Management service, allowing unauthenticated remote code execution via crafted packets sent to the PAPI UDP port.
  • CVE-2024-33511 – Vulnerability in the Automatic Reporting service that can be exploited by sending specially crafted packets to the PAPI protocol port, allowing unauthenticated attackers to execute arbitrary code remotely.
  • CVE-2024-33512 – Flaw allowing unauthenticated remote attackers to execute code by exploiting a buffer overflow in the Local User Authentication Database service accessed via the PAPI protocol.

To mitigate the flaws, the vendor recommends enabling Enhanced PAPI Security and upgrading to patched versions of ArubaOS.

The latest versions also address another six vulnerabilities, all rated "medium" severity (CVSS v3.1: 5.3 – 5.9), which could allow unauthenticated attackers to cause a denial of service on vulnerable devices and trigger costly operational disruptions.

The target upgrade versions that address all ten flaws are:

  • ArubaOS 10.6.0.0 and above
  • ArubaOS 10.5.1.1 and above
  • ArubaOS 10.4.1.1 and above
  • ArubaOS 8.11.2.2 and above
  • ArubaOS 8.10.0.11 and above
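Reading the affected and fixed ranges above against a fleet inventory is easy to get wrong, because each supported release train has its own first fixed build and the EoL trains have no fix at all. The helper below is an added example, not vendor code or part of the advisory: it encodes the fixed-release table exactly as listed in this article and classifies a device's reported ArubaOS version into one of four outcomes. How a version maps to a train (by its major.minor prefix) and the handling of trains newer than the advisory are assumptions made for the example.

```python
"""Triage helper for the HPE Aruba Networking April 2024 ArubaOS advisory.

Added example, not vendor code. FIXED_VERSIONS is taken from the advisory
as summarised above (train -> first fixed build). Mapping a device version
to a train by its major.minor prefix is an assumption of this example.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# First fixed build per supported release train, from the advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (10, 6): (10, 6, 0, 0),
    (10, 5): (10, 5, 1, 1),
    (10, 4): (10, 4, 1, 1),
    (8, 11): (8, 11, 2, 2),
    (8, 10): (8, 10, 0, 11),
}

PATCHED = "patched"
UPGRADE = "upgrade-to-fixed-release"      # supported train, below its fixed build
MIGRATE = "unsupported-train-migrate"     # EoL train: no fixed build listed, move trains
NEWER = "newer-than-advisory"             # train released after the advisory (assumption)


def parse_version(text: str) -> Version:
    """Parse a dotted ArubaOS version such as '8.10.0.10' into a 4-tuple of ints.

    Shorter strings are right-padded with zeros, so '10.5' compares as 10.5.0.0.
    Anything that is not 1-4 dot-separated integers is rejected.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an ArubaOS version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # type: ignore[return-value]


def assess(text: str) -> str:
    """Classify a device's ArubaOS version against the advisory's fixed releases."""
    v = parse_version(text)
    train = v[:2]

    # Supported train: compare the full 4-part version with that train's fixed build.
    if train in FIXED_VERSIONS:
        return PATCHED if v >= FIXED_VERSIONS[train] else UPGRADE

    # A train newer than the newest one the advisory names for this major line
    # postdates the advisory; it is flagged rather than assumed patched.
    newest_in_major = max(
        (t for t in FIXED_VERSIONS if t[0] == v[0]), default=None
    )
    if v[0] > 10 or (newest_in_major is not None and train > newest_in_major):
        return NEWER

    # Everything else (10.3 and below, 8.9 and below, 6.x) is an EoL train with
    # no fixed build in the advisory; the vendor's guidance is to move to a
    # supported train.
    return MIGRATE


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> outcome for a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = {
        "ctrl-dc1": "8.10.0.10",
        "ctrl-dc2": "8.10.0.11",
        "gw-branch-7": "10.5.1.0",
        "conductor-1": "10.6.0.0",
        "legacy-ap-ctrl": "8.7.1.3",
    }
    for host, outcome in triage(sample).items():
        print(f"{host:15} {sample[host]:10} {outcome}")
```

Feed it the version strings your controller inventory already reports; only hosts classified as `patched` need no action, and the `newer-than-advisory` bucket exists so that a train the advisory does not name is reviewed rather than silently assumed fixed.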

At this time, HPE Aruba Networking is not aware of any cases of active exploitation or the existence of proof-of-concept (PoC) exploits for the mentioned vulnerabilities.

Nevertheless, system administrators are recommended to apply the available security updates as soon as possible.
