Hewlett Packard Enterprise (HPE) has released security updates for Aruba Networking access points, addressing two critical vulnerabilities in AOS-8 and AOS-10 software. These security flaws could allow a remote attacker to execute unauthorized commands by exploiting the PAPI management protocol.
Details of the Vulnerabilities
The critical vulnerabilities, identified as CVE-2024-42509 and CVE-2024-47460, have severity scores of 9.8 and 9.0 out of 10, respectively. Both are located in the Command Line Interface (CLI) service and can be exploited by sending malicious packets to UDP port 8211, used by the PAPI protocol. These vulnerabilities expose devices to command injection attacks, enabling attackers to manipulate the access point management system without authentication.
Additional Vulnerabilities Resolved
In addition to the critical flaws, the update addresses four other vulnerabilities:
- CVE-2024-47461: With a severity of 7.2, this flaw allows authenticated remote command execution, giving attackers the ability to execute commands on the operating system.
- CVE-2024-47462 and CVE-2024-47463: Both scored 7.2, these vulnerabilities enable authenticated attackers to create arbitrary files, potentially leading to remote code execution.
- CVE-2024-47464: Rated at 6.8 severity, this vulnerability allows authenticated attackers to access unauthorized files using path traversal techniques.
These six vulnerabilities affect the following software versions:
- AOS-10.4.x.x (up to version 10.4.1.4 and earlier)
- Instant AOS-8.12.x.x (up to version 8.12.0.2 and earlier)
- Instant AOS-8.10.x.x (up to version 8.10.0.13 and earlier)
Recommendations and Solutions
To mitigate these security risks, HPE has released updates and patches that should be applied immediately. The recommended secure versions are:
- AOS-10.7.x.x: Update to version 10.7.0.0 or higher.
- AOS-10.4.x.x: Update to version 10.4.1.5 or later.
- Instant AOS-8.12.x.x: Update to version 8.12.0.3 or higher.
- Instant AOS-8.10.x.x: Update to version 8.10.0.14 or later.
For devices that cannot be updated immediately, HPE has provided temporary mitigation measures:
- For the two critical vulnerabilities (CVE-2024-42509 and CVE-2024-47460): Restrict or block access to UDP port 8211 from untrusted networks.
- For the other vulnerabilities: Limit access to management interfaces (CLI and web) by segmenting them into a dedicated VLAN or Layer 2 segment, and enforce Layer 3+ firewall policies to reduce exposure.
Current Exploitation Status
No active exploitation of these vulnerabilities has been detected so far. However, HPE emphasizes the importance of applying security updates or implementing mitigation measures as a precaution.
Conclusion
Applying security patches promptly is crucial, especially for enterprise environments relying on Aruba Networking access points for daily operations. The reported critical vulnerabilities pose significant security risks, and immediate updates are the best strategy to minimize potential attacks.