HPE Aruba: Access points vulnerable to code smuggling from the network

Hewlett Packard Enterprise (HPE) warns of critical security vulnerabilities in Aruba access points. Attackers can inject malicious code from the network.

(Image: access points and switches being attacked by a criminal; created with AI in Bing Designer by heise online / dmk)


There are security gaps in the operating system of HPE's Aruba Networking access points that allow attackers to inject commands from the network without prior login. The manufacturer has released updates that close the gaps.

In its security advisory, HPE Aruba explains that command injection vulnerabilities in the underlying command line interface (CLI) service allow unauthenticated attackers to execute arbitrary commands from the network. To do so, they send specially crafted packets to the UDP port of the PAPI service, Aruba's access point management protocol. A successful attack gives them arbitrary code execution as a privileged user on the underlying operating system, and thus full control of the device (CVE-2024-42505, CVE-2024-42506, CVE-2024-42507; all CVSS 9.8, risk "critical").

Enabling cluster security with the cluster-security command prevents the vulnerabilities from being exploited on devices running Instant AOS-8.x. That option does not exist on AOS-10; there, blocking access to UDP port 8211 from untrusted networks serves as a temporary workaround.
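The advisory names the exposed port but does not say how to verify the workaround or spot traffic that reaches it. The following is an added example, not code from HPE Aruba or from the original article: it scans flow records for UDP datagrams to port 8211 whose source lies outside the networks that legitimately speak PAPI to the APs, and renders nftables rules that admit PAPI only from those networks. The trusted networks, the key=value log format, and the nftables table and chain names are all assumptions for the example; the sample records are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# UDP port of Aruba's PAPI access point management protocol, as named in the advisory.
PAPI_PORT = 8211

# Assumption for this example: only these networks may speak PAPI to the APs
# (e.g. a management VLAN and the controller/gateway subnet). Adjust per site.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("10.0.1.0/24"),
]

# Constructed key=value flow-log format used only for this example; it is not a
# real vendor log format. Map your firewall or NetFlow export onto these fields.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[0-9.]+)\s+sport=(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[0-9.]+)\s+dport=(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str


def parse_flow(line):
    """Parse one constructed flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(src_ip):
    """True if the source address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_SOURCES)


def find_untrusted_papi(lines):
    """Return UDP flows to the PAPI port whose source is outside the trusted networks."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # unparseable line: skip rather than guess
        if flow["proto"].lower() != "udp" or int(flow["dport"]) != PAPI_PORT:
            continue
        if is_trusted(flow["src"]):
            continue
        findings.append(Finding(flow["ts"], flow["src"], flow["dst"]))
    return findings


def nft_rules(ap_subnet, table="inet filter", chain="forward"):
    """Render nftables rules that admit PAPI only from the trusted networks.

    Assumes the table and chain already exist (assumption for this example) and
    that the firewall sits between untrusted networks and the AP subnet.
    """
    trusted = ", ".join(str(n) for n in TRUSTED_SOURCES)
    return [
        f"nft add rule {table} {chain} ip saddr {{ {trusted} }} ip daddr {ap_subnet} "
        f"udp dport {PAPI_PORT} counter accept",
        f"nft add rule {table} {chain} ip daddr {ap_subnet} udp dport {PAPI_PORT} counter drop",
    ]


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    "2024-09-25T10:00:01Z proto=udp src=10.0.1.10 sport=8211 dst=10.0.2.21 dport=8211",
    "2024-09-25T10:00:05Z proto=udp src=203.0.113.5 sport=41022 dst=10.0.2.21 dport=8211",
    "2024-09-25T10:00:06Z proto=tcp src=203.0.113.5 sport=41023 dst=10.0.2.21 dport=8211",
    "2024-09-25T10:00:09Z proto=udp src=192.168.50.2 sport=5000 dst=10.0.2.22 dport=8211",
    "2024-09-25T10:00:10Z proto=udp src=192.168.50.2 sport=5000 dst=10.0.2.22 dport=53",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for f in find_untrusted_papi(SAMPLE_FLOWS):
        print(f"{f.timestamp} untrusted PAPI traffic {f.src} -> {f.dst}:{PAPI_PORT}")
    for rule in nft_rules("10.0.2.0/24"):
        print(rule)
```

Two of the constructed records are flagged (the hits from 203.0.113.5 and 192.168.50.2); the controller-to-AP flow from the trusted subnet, the TCP probe and the DNS datagram are ignored. Because PAPI is UDP, a single datagram is enough to reach the vulnerable service, so the drop rule should sit on every path from untrusted networks to the AP subnet, not only at the Internet edge.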

The list of affected devices is long: essentially all Aruba access points running AOS-8 and AOS-10 are vulnerable. Among supported releases, AOS 10.6.0.2 and 10.4.1.3 as well as Instant AOS 8.12.0.1 and 8.10.0.13, and all lower versions, are affected; updates are available for these. A number of affected branches have already reached end-of-life, so the only remedy there is to move to a supported release: AOS 10.5.x.x and 10.3.x.x, and Instant AOS 8.11.x.x, 8.9.x.x, 8.8.x.x, 8.7.x.x, 8.6.x.x, 8.5.x.x, 8.4.x.x, 6.5.x.x and 6.4.x.x. HPE Aruba recommends upgrading to a supported version as soon as possible.

The fixed software versions are AOS 10.7.0.0, 10.6.0.3 and 10.4.1.4 as well as Instant AOS 8.12.0.2 and 8.10.0.14, along with all newer versions. They are available for download from the HPE Aruba support website.
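Matching a fleet inventory against the affected and fixed versions listed above is tedious by hand, since the answer depends on the branch (supported, fixed, or end-of-life) and not just on whether a version is "older". The following is an added example, not code from HPE Aruba or from the original article: it encodes the thresholds exactly as reported above and classifies each firmware version as fixed, vulnerable, end-of-life with no fix, or unknown. The device inventory is constructed; branches the article does not list (for example AOS 10.2) are deliberately reported as unknown rather than guessed.

```python
import re

# Version thresholds as given in the advisory text: for each supported branch,
# the last vulnerable build and the first fixed build.
SUPPORTED_BRANCHES = {
    "AOS": {
        "10.6": ((10, 6, 0, 2), (10, 6, 0, 3)),
        "10.4": ((10, 4, 1, 3), (10, 4, 1, 4)),
    },
    "Instant AOS": {
        "8.12": ((8, 12, 0, 1), (8, 12, 0, 2)),
        "8.10": ((8, 10, 0, 13), (8, 10, 0, 14)),
    },
}

# Branches listed as end-of-life; the only remedy is moving to a supported release.
EOL_BRANCHES = {
    "AOS": {"10.5", "10.3"},
    "Instant AOS": {"8.11", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "6.5", "6.4"},
}

# Newest fixed release per family; anything at or above it counts as fixed
# ("as well as newer versions").
NEWEST_FIXED = {"AOS": (10, 7, 0, 0), "Instant AOS": (8, 12, 0, 2)}

VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,3}$")


def parse_version(text):
    """Turn '10.4.1.3' into (10, 4, 1, 3); pad short strings with zeros; None if malformed."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def classify(family, version_text):
    """Return 'fixed', 'vulnerable', 'eol_no_fix' or 'unknown' for one AP firmware version."""
    if family not in SUPPORTED_BRANCHES:
        return "unknown"
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    branch = f"{version[0]}.{version[1]}"
    if branch in EOL_BRANCHES[family]:
        return "eol_no_fix"
    thresholds = SUPPORTED_BRANCHES[family].get(branch)
    if thresholds is not None:
        last_vulnerable, _first_fixed = thresholds
        return "vulnerable" if version <= last_vulnerable else "fixed"
    if version >= NEWEST_FIXED[family]:
        return "fixed"
    return "unknown"  # a branch the advisory text above does not list


def triage(inventory):
    """Group a (hostname, family, version) inventory by classification."""
    groups = {"fixed": [], "vulnerable": [], "eol_no_fix": [], "unknown": []}
    for hostname, family, version in inventory:
        groups[classify(family, version)].append(hostname)
    return groups


# Constructed inventory for demonstration (not real devices).
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "AOS", "10.4.1.3"),
    ("ap-lobby-02", "AOS", "10.4.1.4"),
    ("ap-lab-01", "AOS", "10.5.1.0"),
    ("ap-lab-02", "AOS", "10.7.0.1"),
    ("ap-warehouse-01", "Instant AOS", "8.10.0.13"),
    ("ap-warehouse-02", "Instant AOS", "8.11.2.3"),
    ("ap-branch-01", "Instant AOS", "8.12.0.2"),
    ("ap-legacy-01", "Instant AOS", "6.4.4.8"),
    ("ap-odd-01", "AOS", "10.2.0.1"),
]

if __name__ == "__main__":
    for group, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{group:12s} {', '.join(hosts) or '-'}")
```

Note the order of the checks: an end-of-life branch such as AOS 10.5.x is numerically newer than the fixed 10.4.1.4, so a plain "greater than the fix" comparison would wrongly mark it safe. The branch lookup has to come before the version comparison.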

The authors of the security advisory do not discuss how successful attacks can be detected. At the time of the advisory, HPE Aruba was not aware of the vulnerabilities having been exploited or of exploits for them being discussed publicly.

A week ago, HPE Aruba patched vulnerabilities in the ArubaOS network operating system that compromised the security of network controllers and gateways. The vulnerabilities allowed attackers to execute malicious code on vulnerable devices.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.