HPE Aruba plugs code-smuggling loopholes in access points

Firmware updates for HPE Aruba access points patch several critical vulnerabilities that allow attackers to inject malicious code.

[Image: An appliance connects many clients with cables through the cloud. You and a few clients burn. Image created with AI in Bing Image Creator by heise online / dmk]


HPE Aruba warns of critical security vulnerabilities affecting access points. Attackers from the network can infiltrate and execute arbitrary code without prior authentication. Updated software is intended to rectify the vulnerabilities. IT managers should install them quickly.

In the security advisory, the HPE Aruba developers write that the updates patch a total of six security vulnerabilities. Two are rated critical, three are classified by the developers as high risk, and one is rated medium risk.

By sending carefully crafted network packets, attackers can abuse a vulnerability in the PAPI protocol to smuggle commands to the underlying Command Line Interface (CLI) service. This leads to the execution of arbitrary code with the rights of a privileged user in the operating system (CVE-2024-42509, CVSS 9.8, risk "critical"). Another vulnerability has an identical description (CVE-2024-47460, CVSS 9.0, critical).


Logged-in users on Instant AOS-8 and AOS-10 can also send commands to the CLI service. This likewise leads to the execution of injected code and can result in the complete compromise of the operating system (CVE-2024-47461, CVSS 7.2, high). In addition, authenticated users can create arbitrary files in Instant AOS-8 and AOS-10, which allows attackers to execute arbitrary code (CVE-2024-47462, CVE-2024-47463, CVSS 7.2, high). Unauthorized file access is possible due to a path traversal vulnerability, which allows logged-in users to copy arbitrary files in Instant AOS-8 and AOS-10 (CVE-2024-47464, CVSS 6.8, medium).

The security advisory also lists temporary countermeasures that can prevent abuse of the vulnerabilities until the devices can be updated, as well as all affected device series. Updates are available for the vulnerable firmware versions: for AOS-10.7.x.x, 10.7.0.0 corrects the flaws; for AOS-10.4.x.x, 10.4.1.5 and newer. Instant AOS-8 8.12.x.x is secured from 8.12.0.3, while Instant AOS-8 8.10.x.x is secured from 8.10.0.14. The updates can be downloaded from the HPE Networking Software Portal.
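As an added example, not part of the heise article or any HPE Aruba tooling: a small Python checker that maps a running access point firmware version onto the fixed releases named above, so an inventory export can be triaged without reading each version by hand. The branch table is taken from this article only; branches the article does not list (for instance 8.11.x.x) return "unknown" rather than a guess, and the sample inventory is constructed.

```python
"""Triage HPE Aruba AP firmware versions against the fixed releases
named in the article above.

Added example, not code from heise or HPE Aruba. The FIXED_VERSIONS
table is transcribed from the article; any branch absent from it is
reported as "unknown" so the reader checks the vendor advisory instead.
"""
from typing import Dict, Tuple

# Minimum fixed release per affected branch, as stated in the article.
# Key: (major, minor) branch prefix; value: first fixed version.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (10, 7): (10, 7, 0, 0),   # AOS-10.7.x.x
    (10, 4): (10, 4, 1, 5),   # AOS-10.4.x.x
    (8, 12): (8, 12, 0, 3),   # Instant AOS-8 8.12.x.x
    (8, 10): (8, 10, 0, 14),  # Instant AOS-8 8.10.x.x
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'a.b.c.d' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for a firmware version.

    'unknown' means the branch is not in the article's table; it is not
    a statement that the branch is safe.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "unknown"
    # Tuple comparison is lexicographic, which matches dotted versions.
    return "fixed" if v >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map {ap_name: version} to {ap_name: status} for a fleet report."""
    return {name: patch_status(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {
        "ap-lobby-01": "10.4.1.3",
        "ap-lobby-02": "10.4.1.5",
        "ap-lab-01": "8.10.0.13",
        "ap-lab-02": "8.12.0.3",
        "ap-legacy-01": "8.11.2.0",
    }
    for name, status in triage(sample).items():
        print(f"{name:14} {sample[name]:10} {status}")
```

Anything reported as "vulnerable" or "unknown" is a candidate for the advisory's temporary countermeasures until the firmware can be brought to the fixed release.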

HPE Aruba already had to close several security gaps in the access point firmware around a month ago. Those also allowed attackers from the network to infiltrate and execute malicious code.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.