Aruba access points vulnerable – no updates for older versions
Due to several security vulnerabilities in ArubaOS and InstantOS, malicious code attacks on Aruba devices are possible.
Admins of Aruba access points should ensure that they are running operating system versions that are still supported. In total, the developers have closed six "critical" security vulnerabilities in the ArubaOS and InstantOS versions that are still supported.
Remote Code Execution
A warning message indicates that a total of 18 security vulnerabilities have been closed. These include several vulnerabilities that allow attackers to push malicious code onto devices and execute it.
Among other things, remote attackers can use crafted UDP packets to target the Central Communication Service (CVE-2024-31471, rated "critical") and thus compromise the system with malicious code.
Further dangers
The remaining vulnerabilities are classified as "high" and "medium". Among other things, unauthorized access to files is conceivable at these points. Aruba states that it has resolved the security issues in the following versions:
- ArubaOS 10.4.1.1
- ArubaOS 10.5.1.1
- ArubaOS 10.6.0.0
- InstantOS 8.6.0.24
- InstantOS 8.10.0.11
- InstantOS 8.11.2.2
- InstantOS 8.12.0.0
All previous versions are vulnerable. Aruba expressly points out that there are no more security updates for versions that are no longer in support (end of life, EOL). This now also includes ArubaOS 10.5.x.x and InstantOS 8.11.x.x. Anyone using access points with these versions must upgrade in order to continue receiving security patches.
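As an added illustration (not code from Aruba or from this article), the following script checks a constructed access-point inventory against the fixed-version list and the EOL branches named above, comparing versions numerically so that 8.9 is correctly treated as older than 8.10; the inventory lines and device names are made up.

```python
"""Check an AP inventory against the fixed versions listed in the advisory."""

# Versions in which Aruba states the issues are resolved, keyed by OS and
# release branch (major, minor). Taken from the list in the article.
FIXED = {
    ("ArubaOS", (10, 4)): "10.4.1.1",
    ("ArubaOS", (10, 5)): "10.5.1.1",
    ("ArubaOS", (10, 6)): "10.6.0.0",
    ("InstantOS", (8, 6)): "8.6.0.24",
    ("InstantOS", (8, 10)): "8.10.0.11",
    ("InstantOS", (8, 11)): "8.11.2.2",
    ("InstantOS", (8, 12)): "8.12.0.0",
}

# Branches the article names as end of life: no further security updates.
EOL = {("ArubaOS", (10, 5)), ("InstantOS", (8, 11))}

# Constructed sample inventory (name, OS, version); not real devices.
INVENTORY = """\
ap-lobby-01, InstantOS, 8.10.0.11
ap-lobby-02, InstantOS, 8.10.0.9
ap-floor2-01, ArubaOS, 10.5.1.1
ap-floor2-02, ArubaOS, 10.4.0.3
ap-lab-01, InstantOS, 8.9.0.1
ap-lab-02, ArubaOS, 10.6.0.0
""".splitlines()


def parse_version(text):
    """'8.10.0.11' -> (8, 10, 0, 11). Integer tuples compare correctly,
    whereas as strings '8.9' would wrongly sort after '8.10'."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(os_name, version):
    """Return (patched, supported) for one device.

    A branch that is not in the advisory at all has no fix available, so it
    is reported as unpatched and unsupported (the article: all previous
    versions are vulnerable)."""
    parsed = parse_version(version)
    key = (os_name, parsed[:2])
    supported = key in FIXED and key not in EOL
    patched = key in FIXED and parsed >= parse_version(FIXED[key])
    return patched, supported


def scan_inventory(lines):
    """List devices needing action: unpatched first, then patched-but-EOL."""
    findings = []
    for line in lines:
        name, os_name, version = (field.strip() for field in line.split(","))
        patched, supported = assess(os_name, version)
        if not patched:
            findings.append((name, "vulnerable"))
        elif not supported:
            findings.append((name, "eol"))
    return findings


if __name__ == "__main__":
    for name, status in scan_inventory(INVENTORY):
        print(f"{name}: {status}")
```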
Admins should keep EOL versions on their radar so that no device running unsupported software remains in use somewhere on the network, where it offers an attack surface. This applies to all manufacturers, of course, not just to Aruba devices.
(des)