HPE Aruba Networking has released a security advisory to address multiple vulnerabilities impacting Aruba Access Points running InstantOS and ArubaOS 10. The advisory addresses 18 vulnerabilities, eight of which are rated critical; all of the critical vulnerabilities carry a CVSS score of 9.8.
Aruba access points (APs) are designed to provide fast, secure, and intelligent business connectivity. They can be used in various environments, including campuses, outdoor spaces, and remote work environments.
Unauthenticated Buffer Overflow Vulnerabilities in CLI Service Accessed by the PAPI Protocol (CVE-2024-31466, CVE-2024-31467)
These buffer overflow vulnerabilities exist in the underlying CLI service. An unauthenticated attacker may exploit the vulnerabilities by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities may allow an attacker to execute arbitrary code as a privileged user on the underlying operating system.
Unauthenticated Buffer Overflow Vulnerabilities in Central Communications Service Accessed by the PAPI Protocol (CVE-2024-31468, CVE-2024-31469)
These buffer overflow vulnerabilities exist in the underlying Central Communications service. An unauthenticated attacker may exploit the vulnerabilities by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities may lead to arbitrary code execution as a privileged user on the underlying operating system.
Unauthenticated Buffer Overflow Vulnerability in the Simultaneous Authentication of Equals (SAE) Service Accessed by the PAPI Protocol (CVE-2024-31470)
This buffer overflow vulnerability exists in the underlying SAE (Simultaneous Authentication of Equals) service. An unauthenticated attacker may exploit this vulnerability by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in arbitrary code execution as a privileged user on the underlying operating system.
Unauthenticated Command Injection Vulnerability in Central Communications Service Accessed by the PAPI Protocol (CVE-2024-31471)
This command injection vulnerability exists in the Central Communications service. An unauthenticated attacker may exploit this vulnerability by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in arbitrary code execution as a privileged user on the underlying operating system.
Unauthenticated Command Injection Vulnerability in the Soft AP Daemon Service Accessed by the PAPI Protocol (CVE-2024-31472)
This command injection vulnerability exists in the underlying Soft AP Daemon service. An unauthenticated attacker may exploit this vulnerability by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211). Successful exploitation of the vulnerability may result in arbitrary code execution as a privileged user on the underlying operating system.
Unauthenticated Command Injection Vulnerability in the Deauthentication Service Accessed by the PAPI Protocol (CVE-2024-31473)
This command injection vulnerability exists in the underlying Deauthentication service. An unauthenticated attacker may exploit this vulnerability by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability could result in arbitrary code execution as a privileged user on the underlying operating system.
Affected Versions
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- InstantOS 8.11.x.x: 8.11.2.1 and below
- InstantOS 8.10.x.x: 8.10.0.10 and below
- InstantOS 8.6.x.x: 8.6.0.23 and below
The following software versions that are End of Maintenance are affected by these vulnerabilities and are not addressed by this advisory:
- ArubaOS 10.3.x.x: all
- InstantOS 8.9.x.x: all
- InstantOS 8.8.x.x: all
- InstantOS 8.7.x.x: all
- InstantOS 8.5.x.x: all
- InstantOS 8.4.x.x: all
- InstantOS 6.5.x.x: all
- InstantOS 6.4.x.x: all
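The affected-version table above is what an inventory check has to encode: a per-branch ceiling for maintained branches, and "all builds" for End of Maintenance branches that receive no fix. The following classifier is an added triage example (not Aruba's or Qualys' code); the branch data is copied from the advisory text, and any branch the advisory does not name is reported as unlisted rather than guessed.

```python
# Classify an Aruba AP firmware version against the affected-version table
# of ARUBA-PSA-2024-006 as reproduced above. Added inventory-triage example,
# not Aruba's or Qualys' code; branch data is copied from the advisory text.
from __future__ import annotations

# Highest affected build per maintained branch (fixed builds are above it).
AFFECTED_CEILINGS = {
    ("ArubaOS", "10.5"): "10.5.1.0",
    ("ArubaOS", "10.4"): "10.4.1.0",
    ("InstantOS", "8.11"): "8.11.2.1",
    ("InstantOS", "8.10"): "8.10.0.10",
    ("InstantOS", "8.6"): "8.6.0.23",
}
# End-of-Maintenance branches: every build affected, no fix shipped.
END_OF_MAINTENANCE = {
    ("ArubaOS", "10.3"),
    ("InstantOS", "8.9"), ("InstantOS", "8.8"), ("InstantOS", "8.7"),
    ("InstantOS", "8.5"), ("InstantOS", "8.4"),
    ("InstantOS", "6.5"), ("InstantOS", "6.4"),
}

def parse_version(version: str) -> tuple[int, ...]:
    """'8.10.0.10' -> (8, 10, 0, 10); compare numerically, never as strings."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)

def classify(os_name: str, version: str) -> str:
    """One of 'affected', 'affected-eom', 'fixed', 'unlisted'."""
    v = parse_version(version)
    if len(v) < 2:
        return "unlisted"
    key = (os_name, f"{v[0]}.{v[1]}")
    if key in END_OF_MAINTENANCE:
        return "affected-eom"
    ceiling = AFFECTED_CEILINGS.get(key)
    if ceiling is None:
        return "unlisted"  # branch not named in the advisory; do not guess
    return "affected" if v <= parse_version(ceiling) else "fixed"

if __name__ == "__main__":
    # Constructed sample inventory rows, not real devices.
    for host, os_name, ver in [("ap-lobby-01", "InstantOS", "8.10.0.10"),
                               ("ap-lobby-02", "InstantOS", "8.10.0.11"),
                               ("ap-lab-07", "InstantOS", "8.7.1.2"),
                               ("ap-hq-12", "ArubaOS", "10.5.1.1")]:
        print(f"{host:12} {os_name:10} {ver:10} -> {classify(os_name, ver)}")
```

Note that a build at the ceiling itself (for example 8.10.0.10) is still affected; only builds above the ceiling count as fixed.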
Mitigation
Aruba has released patches to address the vulnerabilities. Please refer to the Aruba Security Advisory (ARUBA-PSA-2024-006) for more information.
Workaround
For CVE-2024-31466, CVE-2024-31467, CVE-2024-31479, CVE-2024-31480, and CVE-2024-31481:
Enabling cluster-security via the cluster-security command will prevent the vulnerabilities from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices, access to port UDP/8211 must be blocked from all untrusted networks.
For CVE-2024-31470, CVE-2024-31471, CVE-2024-31473:
Enabling cluster-security via the cluster-security command will prevent the vulnerability from being exploited in InstantOS devices running 8.x or 6.x code. For ArubaOS 10 devices, access to port UDP/8211 must be blocked from all untrusted networks.
Qualys Detection
Qualys customers can scan their devices with QID 44326 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-006.txt