Aruba Networking has released security updates to address ten critical and medium severity vulnerabilities in ArubaOS. Four vulnerabilities have been rated critical with a CVSSv3 score of 9.8: CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, and CVE-2024-33512. Successful exploitation of these vulnerabilities may lead to remote code execution.
ArubaOS is a network operating system for Aruba networking equipment, including switches, access points, and gateways. It’s part of the architecture of the Aruba ESP (Edge Services Platform). ArubaOS provides a scalable platform for managing and controlling network infrastructure.
Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol (CVE-2024-26305)
This buffer overflow vulnerability exists in the underlying Utility daemon. An unauthenticated attacker may exploit the vulnerability by sending specially crafted packets destined for the PAPI (Aruba’s access point management protocol) UDP port (8211). Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code as a privileged user on the underlying operating system.
Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol (CVE-2024-26304)
This buffer overflow vulnerability exists in the underlying L2/L3 Management service. An unauthenticated may exploit the vulnerability by sending specially crafted packets destined to the PAPI (Aruba’s access point management protocol) UDP port (8211). Successful exploitation of this vulnerability may allow an attacker to perform remote code execution as a privileged user on the underlying operating system.
Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol (CVE-2024-33511)
This buffer overflow vulnerability exists in the underlying Automatic Reporting service. An unauthenticated attacker may exploit the vulnerability by sending specially crafted packets destined to the PAPI (Aruba’s access point management protocol) UDP port (8211). On successful exploitation, an attacker may perform remote code execution as a privileged user on the underlying operating system.
Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol (CVE-2024-33512)
This buffer overflow vulnerability in the underlying Local User Authentication Database service. An unauthenticated attacker may exploit the vulnerability by sending specially crafted packets destined to the PAPI (Aruba’s access point management protocol) UDP port (8211). Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code as a privileged user on the underlying operating system.
Affected Products and Versions
HPE Aruba Networking:
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- Aruba Central manages WLAN Gateways and SD-WAN Gateways
Affected Software versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- ArubaOS 8.11.x.x: 8.11.2.1 and below
- ArubaOS 8.10.x.x: 8.10.0.10 and below
The following ArubaOS and SD-WAN software versions that are End of Maintenance are affected by these vulnerabilities and are not patched in the updates:
- ArubaOS 10.3.x.x
- ArubaOS 8.9.x.x
- ArubaOS 8.8.x.x
- ArubaOS 8.7.x.x
- ArubaOS 8.6.x.x
- ArubaOS 6.5.4.x
- SD-WAN 8.7.0.0-2.3.0.x
- SD-WAN 8.6.0.4-2.2.x.x
Mitigation
Customers must upgrade to the following patched versions to address the vulnerabilities:
- ArubaOS 10.6.x.x: 10.6.0.0 and above
- ArubaOS 10.5.x.x: 10.5.1.1 and above
- ArubaOS 10.4.x.x: 10.4.1.1 and above
- ArubaOS 8.11.x.x: 8.11.2.2 and above
- ArubaOS 8.10.x.x: 8.10.0.11 and above
Please refer to the Aruba Security Advisory (ARUBA-PSA-2024-004) for more information.
Workaround
For ArubaOS 8.x:
Enabling the Enhanced PAPI Security feature using a non-default key will prevent the exploitation of this vulnerability.
Qualys Detection
Qualys customers can scan their devices with QID 44209 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt