HPE Aruba Networking has fixed three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points, which could let unauthenticated attackers gain remote code execution on vulnerable devices.
The vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) can be exploited by sending specially crafted packets to the PAPI (Aruba's Access Point management protocol) UDP port (8211) to gain privileged access and execute arbitrary code on vulnerable devices.
The Hewlett Packard Enterprise (HPE) subsidiary (formerly known as Aruba Networks) confirmed in a security advisory released earlier this week that the security flaws affect Aruba Access Points running Instant AOS-8 and AOS-10.
The vulnerabilities were reported by security researcher Erik De Jong through the company's bug bounty program, and impacted software versions include:
- AOS-10.6.x.x: 10.6.0.2 and below
- AOS-10.4.x.x: 10.4.1.3 and below
- Instant AOS-8.12.x.x: 8.12.0.1 and below
- Instant AOS-8.10.x.x: 8.10.0.13 and below
The company urged administrators to install the latest security updates (available from the HPE Networking Support Portal) on vulnerable access points to prevent potential attacks.
Workaround available, no active exploitation
As a temporary workaround for devices running Instant AOS-8.x code, admins can enable "cluster-security" to block exploitation attempts. For AOS-10 devices, the company advises blocking access to port UDP/8211 from all untrusted networks.
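The affected ranges and workarounds above can be applied to a firmware inventory, as in this added example (not code from HPE or the advisory). It assumes version strings of the form `8.10.0.13`, optionally followed by a build suffix; the device names are constructed. Versions are compared numerically, because a string comparison would rank 8.10.0.9 above 8.10.0.13.

```python
import re

# Highest affected build per release branch, as listed in this article.
AFFECTED = {
    (10, 6): (10, 6, 0, 2),
    (10, 4): (10, 4, 1, 3),
    (8, 12): (8, 12, 0, 1),
    (8, 10): (8, 10, 0, 13),
}

# Interim workarounds named in the article, keyed by major version.
WORKAROUND = {
    8: 'enable "cluster-security"',
    10: "block UDP/8211 from untrusted networks",
}

def parse_version(text):
    """Turn '8.10.0.13' (an assumed build suffix is ignored) into a 4-int tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(version_text):
    """Return (status, interim_workaround_or_None) for one AP firmware version."""
    v = parse_version(version_text)
    ceiling = AFFECTED.get(v[:2])
    if ceiling is None:
        # Branch is not in the article's list: make no claim either way.
        return ("branch-not-listed", None)
    if v <= ceiling:  # tuple comparison is numeric, field by field
        return ("affected", WORKAROUND[v[0]])
    return ("above-listed-range", None)

if __name__ == "__main__":
    # Constructed inventory, not real devices.
    inventory = {
        "ap-lobby": "8.10.0.13",
        "ap-lab": "8.10.0.14",
        "ap-warehouse": "10.4.1.3_90000",
        "ap-legacy": "8.6.0.20",
    }
    for name, version in inventory.items():
        print(name, version, *triage(version))
```

A result of `branch-not-listed` means only that the article does not mention that branch; check the vendor advisory before treating such a device as unaffected.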
HPE Aruba Networking also confirmed that other Aruba products, including Networking Mobility Conductors, Mobility Controllers, and SD-WAN Gateways, are not impacted.
According to the HPE Product Security Response Team, no public exploit code is available, and there have been no reports of attacks targeting the three critical vulnerabilities.
Earlier this year, the company also patched four critical RCE vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.
In February, Hewlett Packard Enterprise (HPE) said it was investigating a potential breach after a threat actor posted credentials and other sensitive information (allegedly stolen from HPE) for sale on a hacking forum.
Two weeks earlier, it reported that its Microsoft Office 365 email environment was breached in May 2023 by hackers believed to be part of the APT29 threat group linked to Russia's Foreign Intelligence Service (SVR).