HPE Aruba Networking Access Points Vulnerable To Remote Code Execution

A critical security advisory has been issued by HPE Aruba Networking, warning of multiple vulnerabilities in their Access Points running Instant AOS-8 and AOS-10 software.

These vulnerabilities, identified as CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507, could allow unauthenticated remote code execution, posing a significant threat to network security.

Affected Products And Software Versions

The affected products include various models of Aruba Access Points running specific versions of Instant AOS-8 and AOS-10 software:

  • AOS-10.6.x.x: Versions 10.6.0.2 and below
  • AOS-10.4.x.x: Versions 10.4.1.3 and below
  • Instant AOS-8.12.x.x: Versions 8.12.0.1 and below
  • Instant AOS-8.10.x.x: Versions 8.10.0.13 and below

Additionally, several End of Support Life (EoSL) software versions are affected but will not receive patches due to their EoSL status.

HPE Aruba Networking Mobility Conductors, Mobility Controllers, SD-WAN Gateways, and HPE Networking Instant On products are not affected by these vulnerabilities.

The vulnerabilities are related to unauthenticated command injection in the CLI service accessed by the PAPI protocol. Successful exploitation could lead to arbitrary code execution as a privileged user on the underlying operating system.

The CVSSv3.x overall score for these vulnerabilities is 9.8, indicating a critical severity level.

For devices running Instant AOS-8.x, enabling cluster-security via the cluster-security command can prevent exploitation.

For AOS-10 devices, blocking access to UDP port 8211 from untrusted networks is recommended.

To fully address the vulnerabilities, HPE Aruba Networking recommends upgrading the Access Points to the following versions or later:

  • AOS-10.7.x.x: Version 10.7.0.0 and above
  • AOS-10.6.x.x: Version 10.6.0.3 and above
  • AOS-10.4.x.x: Version 10.4.1.4 and above
  • Instant AOS-8.12.x.x: Version 8.12.0.2 and above
  • Instant AOS-8.10.x.x: Version 8.10.0.14 and above

Updated software versions can be downloaded from the HPE Networking Support Portal.
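To turn the version lists above into a fleet check, the following added example (not HPE Aruba's tooling) compares an inventory of AP software versions against the fixed releases named in the advisory. The fixed-version table comes from the advisory text; matching a device to a branch on the first two version fields, and the sample hostnames and versions, are assumptions of this script.

```python
"""Triage helper for the HPE Aruba AP advisory (CVE-2024-42505/6/7).

Constructed example, not HPE Aruba's own tooling. Branch matching on the
first two version fields is an assumption of this script.
"""

# Minimum fixed release per software branch, as stated in the advisory.
FIXED_VERSIONS = {
    (10, 7): (10, 7, 0, 0),    # AOS-10.7.x.x
    (10, 6): (10, 6, 0, 3),    # AOS-10.6.x.x
    (10, 4): (10, 4, 1, 4),    # AOS-10.4.x.x
    (8, 12): (8, 12, 0, 2),    # Instant AOS-8.12.x.x
    (8, 10): (8, 10, 0, 14),   # Instant AOS-8.10.x.x
}


def parse_version(text):
    """Turn '10.4.1.3' into the comparable tuple (10, 4, 1, 3).
    Malformed input raises ValueError instead of comparing as strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return 'patched', 'affected' or 'unlisted_branch' for one version."""
    ver = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        # Branches outside the advisory's fixed-version table include the
        # EoSL trains, which the advisory says are affected but unpatched,
        # so these need a manual decision rather than a green light.
        return "unlisted_branch"
    return "patched" if ver >= fixed else "affected"


def triage(inventory):
    """inventory: iterable of (hostname, version) pairs -> {hostname: status}."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "10.4.1.3"),   # one build below the 10.4 fix
    ("ap-lobby-02", "10.4.1.4"),   # exactly the 10.4 fix
    ("ap-lab-07", "8.10.0.13"),    # one build below the 8.10 fix
    ("ap-lab-08", "8.12.0.2"),     # exactly the 8.12 fix
    ("ap-old-01", "8.6.0.9"),      # branch not in the advisory's table
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `unlisted_branch` should be checked against the advisory's EoSL list rather than assumed safe.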

Erik De Jong discovered and reported these vulnerabilities via HPE Aruba Networking’s bug bounty program.

As of the advisory’s release date, there is no known public discussion or exploit code targeting these specific vulnerabilities.

Users are strongly advised to upgrade their affected systems to the recommended versions to mitigate these critical vulnerabilities.
