Hewlett Packard Enterprise (HPE) launched updates for Instantaneous AOS-8 and AOS-10 software program to deal with two vital vulnerabilities in Aruba Networking Entry Factors.
The 2 security points may permit a distant attacker to carry out unauthenticated command injection by sending specifically crafted packets to Aruba’s Entry Level administration protocol (PAPI) over UDP port 8211.
The vital flaws are tracked as CVE-2024-42509 and CVE-2024-47460, and have been assessed with a severity rating of 9.8 and 9.0, respectively. Each are within the command line interface (CLI) service, which is accessed through the PAPI protocol.
The replace additionally fixes one other 4 security vulnerabilities:
- CVE-2024-47461 (7.2 severity rating): authenticated distant command execution that would permit an attacker to execute arbitrary instructions on the underlying working system
- CVE-2024-47462 and CVE-2024-47463 (7.2 severity rating): an authenticated attacker may create arbitrary recordsdata, probably resulting in distant command execution
- CVE-2024-47464 (6.8 severity rating): an authenticated attacker exploiting it may entry unauthorized recordsdata through path traversal
All six vulnerabilities influence AOS-10.4.x.x: 10.4.1.4 and older releases, Instantaneous AOS-8.12.x.x: 8.12.0.2 and beneath, and Instantaneous AOS-8.10.x.x: 8.10.0.13 and older variations.
HPE notes within the security advisory that a number of extra variations of the software program which have reached their Finish of Upkeep dates are additionally impacted by these flaws there will likely be no security updates for them.
Fixes and workarounds
To handle vulnerabilities in Aruba Networking Entry Factors, HPE recommends customers to replace their gadgets to the next software program variations or newer:
- AOS-10.7.x.x: Replace to model 10.7.0.0 and later.
- AOS-10.4.x.x: Replace to model 10.4.1.5 or later.
- Instantaneous AOS-8.12.x.x: Replace to model 8.12.0.3 or newer.
- Instantaneous AOS-8.10.x.x: Replace to model 8.10.0.14 or above
HPE has additionally offered workarounds for all six flaws to assist in instances the place software program updates can’t be instantly put in:
For the 2 vital flaws, the proposed workaround is to limit/block entry to the UDP port 8211 from all untrusted networks.
For the remainder of the problems, the seller recommends proscribing entry to the CLI and web-based administration interfaces by inserting them on a devoted layer 2 phase or VLAN, and to regulate entry with firewall insurance policies at layer 3 and above, which might restrict potential publicity.
No energetic exploitation of the failings has been noticed, however making use of the security updates and/or mitigations comes as a robust advice.
