The Information Highway

The Information Highway

Font size: +
2 minutes reading time (380 words)
Featured

HPE warns of critical RCE flaws in Aruba Networking access points

Hewlett Packard Enterprise (HPE) released updates for Instant AOS-8 and AOS-10 software to address two critical vulnerabilities in Aruba Networking Access Points.. 

The two security issues could allow a remote attacker to perform unauthenticated command injection by sending specially crafted packets to Aruba's Access Point management protocol (PAPI) over UDP port 8211.

The critical flaws are tracked as CVE-2024-42509 and CVE-2024-47460, and have been assessed with a severity score of 9.8 and 9.0, respectively. Both are in the command line interface (CLI) service, which is accessed via the PAPI protocol. 

The update also fixes another four security vulnerabilities:

  • CVE-2024-47461 (7.2 severity score): authenticated remote command execution that could allow an attacker to execute arbitrary commands on the underlying operating system
  • CVE-2024-47462 and CVE-2024-47463 (7.2 severity score): an authenticated attacker could create arbitrary files, potentially leading to remote command execution
  • CVE-2024-47464 (6.8 severity score): an authenticated attacker exploiting it could access unauthorized files via path traversal

All six vulnerabilities impact AOS-10.4.x.x: 10.4.1.4 and older releases, Instant AOS-8.12.x.x: 8.12.0.2 and below, and Instant AOS-8.10.x.x: 8.10.0.13 and older versions.

HPE notes in the security advisory that several more versions of the software that have reached their End of Maintenance dates are also impacted by these flaws there will be no security updates for them.

Fixes and workarounds

To address vulnerabilities in Aruba Networking Access Points, HPE recommends users to update their devices to the following software versions or newer:

  • AOS-10.7.x.x: Update to version 10.7.0.0 and later.
  • AOS-10.4.x.x: Update to version 10.4.1.5 or later.
  • Instant AOS-8.12.x.x: Update to version 8.12.0.3 or newer.
  • Instant AOS-8.10.x.x: Update to version 8.10.0.14 or above

HPE has also provided workarounds for all six flaws to help in cases where software updates cannot be immediately installed:

For the two critical flaws, the proposed workaround is to restrict/block access to the UDP port 8211 from all untrusted networks.

For the rest of the issues, the vendor recommends restricting access to the CLI and web-based management interfaces by placing them on a dedicated layer 2 segment or VLAN, and to control access with firewall policies at layer 3 and above, which would limit potential exposure.

No active exploitation of the flaws has been observed but applying the security updates and/or mitigations comes as a strong recommendation.

Malicious PyPI Package 'Fabrice' Found Stealing AW...
Google Cloud to Enforce Multi-Factor Authenticatio...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Thursday, 14 November 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023