Security update: Gaps in ArubaOS jeopardize network gateways
Attackers can target HPE Aruba network devices and, in the worst case, compromise the appliances.
Several security vulnerabilities in the network operating system ArubaOS (AOS) endanger network controllers and gateways. Malicious code can be executed.
The vulnerabilities
HPE Aruba points this out in a security advisory. Mobility Conductor (formerly Mobility Master), Mobility Controllers, SD-WAN and WLAN gateways with AOS versions up to and including 8.10.0.13, 8.12.0.1 and 10.6.0.2 are affected. AOS 10.4.x.x should not be at risk. The advisory also lists other versions for which support has expired. These versions will no longer receive security updates and remain vulnerable. Admins running one of them must upgrade.
According to the developers, they have closed a total of three security vulnerabilities (CVE-2024-42501, CVE-2024-42502, CVE-2024-42503) with a threat level of "high". In all cases, attackers can execute their own commands or even malicious code in AOS. In such cases, it can be assumed that attackers gain full control over the appliances.
Securing network devices
HPE Aruba states that it has closed the gaps in AOS versions 8.10.0.14, 8.12.0.2, 10.6.0.3 and 10.7.0.0. The vendor has not yet said whether attacks are already underway. It also remains unclear how admins can detect systems that have already been attacked.
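As an added example (not code from HPE Aruba or from the advisory), the following Python script sorts a device inventory by the affected and fixed AOS versions named above. The hostnames, sample versions and status labels are constructed for illustration, and it assumes that later builds of a fixed branch keep the fix.

```python
"""Triage ArubaOS versions against the ranges named in this article (added example)."""

# Branch (first three version fields) -> first fixed build, per the article.
# Assumption: later builds of the same branch keep the fix.
FIRST_FIXED = {
    (8, 10, 0): 14,  # affected up to and including 8.10.0.13
    (8, 12, 0): 2,   # affected up to and including 8.12.0.1
    (10, 6, 0): 3,   # affected up to and including 10.6.0.2
    (10, 7, 0): 0,   # 10.7.0.0 is listed as fixed
}


def parse_version(text):
    """Return 'a.b.c.d' as a tuple of four ints, or raise ValueError."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-field AOS version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text):
    """Map a version string to a status label (labels are this example's own)."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unparseable"
    branch, build = version[:3], version[3]
    if branch in FIRST_FIXED:
        return "fixed" if build >= FIRST_FIXED[branch] else "vulnerable"
    if version[:2] == (10, 4):
        return "not-affected"  # article: AOS 10.4.x.x should not be at risk
    # Any other branch may be an end-of-support release listed only in the
    # advisory, so it is never reported as safe.
    return "check-advisory"


def triage(inventory):
    """Group (hostname, version) pairs by status."""
    groups = {}
    for host, version in inventory:
        groups.setdefault(classify(version), []).append(host)
    return groups


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [("gw-berlin", "8.10.0.13"), ("gw-paris", "8.10.0.14"),
          ("mc-lab", "10.4.1.0"), ("ctl-old", "8.6.0.20"), ("sdwan-1", "10.6.0.2")]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:15} {', '.join(hosts)}")
```

A "fixed" result only reflects the installed version; it says nothing about whether a device was attacked before the update.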
In order to protect network controllers more effectively against attacks in general, admins should restrict access to the management interface and make it inaccessible from the outside. Firewall rules can help here. If access via the internet is essential, an encrypted VPN connection with strong passwords and multi-factor authentication should be used.
(des)