[CRITICAL] Vulnerability Notification: HPE Aruba Access Points Multiple Vulnerabilities (ARUBA-PSA-2023-009)


HPE Aruba Networking has released patches for Aruba access points running InstantOS and ArubaOS 10 that address multiple security vulnerabilities.

Severity: Critical
CVSSv3 Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution when specially crafted packets are sent to the PAPI (Aruba's access point management protocol) UDP port, 8211. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Vendor: HPE Aruba Networking

Affected Products:
  1. Aruba Access Points running InstantOS and ArubaOS 10
Affected Software Versions:
  1. ArubaOS 10.4.x.x: 10.4.0.1 and below
  2. InstantOS 8.11.x.x: 8.11.1.0 and below
  3. InstantOS 8.10.x.x: 8.10.0.6 and below
  4. InstantOS 8.6.x.x: 8.6.0.20 and below
  5. InstantOS 6.5.x.x: 6.5.4.24 and below
  6. InstantOS 6.4.x.x: 6.4.4.8-4.2.4.21 and below
The following release branches are End of Support; they are affected by these vulnerabilities and are not patched by this advisory:
  1. ArubaOS 10.3.x.x: all
  2. InstantOS 8.9.x.x: all
  3. InstantOS 8.8.x.x: all
  4. InstantOS 8.7.x.x: all
  5. InstantOS 8.5.x.x: all
  6. InstantOS 8.4.x.x: all
Unaffected Products

Aruba Mobility Conductor, Aruba Mobility Controllers, Access-Points when managed by Mobility Controllers and Aruba SD-WAN Gateways are not affected by these vulnerabilities. Aruba Instant On is also not affected by these vulnerabilities.

Remediation

To address the vulnerabilities described above for the affected release branches, it is recommended to upgrade the software to the following versions:

  1. ArubaOS 10.4.x.x: 10.4.0.2 and above
  2. InstantOS 8.11.x.x: 8.11.1.1 and above
  3. InstantOS 8.10.x.x: 8.10.0.7 and above
  4. InstantOS 8.6.x.x: 8.6.0.21 and above
  5. InstantOS 6.5.x.x: 6.5.4.25 and above
  6. InstantOS 6.4.x.x: 6.4.4.8-4.2.4.22 and above
Group K recommends that network administrators prioritize this vulnerability and assess whether the proposed courses of action can be taken.
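The affected and fixed version tables above are the check an administrator has to run over every access point in inventory. The following script is an added example (not Aruba's or Group K's tooling) that encodes those tables and classifies a firmware version string as affected, fixed, End of Support, or not covered by the advisory. It assumes that a major version of 10 denotes ArubaOS 10 and anything else denotes InstantOS, and that versions compare numerically after splitting on "." and "-" (which is how the 6.4.4.8-4.2.4.x builds are handled).

```python
"""Classify an Aruba AP firmware version against the version tables in
ARUBA-PSA-2023-009. Added example, not Aruba's or Group K's tooling."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Split '6.4.4.8-4.2.4.21' on '.' and '-' into (6, 4, 4, 8, 4, 2, 4, 21).
    Tuples of ints compare element by element, so '8.10.0.7' > '8.10.0.6'
    even though a plain string comparison would get that wrong."""
    parts = re.split(r"[.\-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


# Patched branches from the advisory:
# (product, branch prefix, last affected build, first fixed build).
PATCHED_BRANCHES = [
    ("ArubaOS",   (10, 4), "10.4.0.1",         "10.4.0.2"),
    ("InstantOS", (8, 11), "8.11.1.0",         "8.11.1.1"),
    ("InstantOS", (8, 10), "8.10.0.6",         "8.10.0.7"),
    ("InstantOS", (8, 6),  "8.6.0.20",         "8.6.0.21"),
    ("InstantOS", (6, 5),  "6.5.4.24",         "6.5.4.25"),
    ("InstantOS", (6, 4),  "6.4.4.8-4.2.4.21", "6.4.4.8-4.2.4.22"),
]

# End-of-Support branches: every build is affected and no fix is published.
END_OF_SUPPORT_BRANCHES = [
    ("ArubaOS", (10, 3)),
    ("InstantOS", (8, 9)), ("InstantOS", (8, 8)), ("InstantOS", (8, 7)),
    ("InstantOS", (8, 5)), ("InstantOS", (8, 4)),
]


@dataclass
class Verdict:
    status: str                  # "affected", "fixed", "end_of_support" or "unknown"
    branch: str
    upgrade_to: Optional[str] = None


def _branch_name(product: str, prefix: Tuple[int, int]) -> str:
    return f"{product} {prefix[0]}.{prefix[1]}.x.x"


def assess(version: str) -> Verdict:
    """Return the advisory's verdict for one firmware version string."""
    v = parse_version(version)
    for product, prefix, last_affected, first_fixed in PATCHED_BRANCHES:
        if v[:len(prefix)] == prefix:
            if v <= parse_version(last_affected):
                return Verdict("affected", _branch_name(product, prefix), first_fixed)
            return Verdict("fixed", _branch_name(product, prefix))
    for product, prefix in END_OF_SUPPORT_BRANCHES:
        if v[:len(prefix)] == prefix:
            return Verdict("end_of_support", _branch_name(product, prefix))
    # A branch the advisory does not list (e.g. a newer release train) is
    # reported as unknown rather than silently treated as safe.
    return Verdict("unknown", "branch not listed in ARUBA-PSA-2023-009")


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for ver in ["10.4.0.1", "10.4.0.2", "8.10.0.6",
                "6.4.4.8-4.2.4.21", "8.9.0.3", "8.12.0.0"]:
        print(f"{ver:>18}: {assess(ver)}")
```

A branch that the advisory does not mention is deliberately reported as "unknown" rather than "fixed": the tables only say which listed builds are patched, not that every other release train is safe.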

Workaround

To minimize the likelihood of an attacker exploiting these vulnerabilities, Group K recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.
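Because the vulnerable services listen on the PAPI UDP port (8211), a useful companion to the segmentation workaround is to verify from flow or firewall logs that nothing outside the dedicated management segment actually reaches that port on the access points. The script below is an added example (not Aruba's or Group K's tooling) that runs that check over a few constructed flow records; the log format, the management network 10.10.0.0/24 and the access point network 10.20.0.0/24 are assumptions to be replaced with the real addressing, and which sources legitimately speak PAPI depends on the deployment.

```python
"""Flag UDP/8211 (PAPI) traffic reaching access points from outside the
trusted management segment. Added example; the record format and the
address ranges below are assumptions, not Aruba's or Group K's."""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

PAPI_PORT = 8211

# Assumed trusted management segment(s) from which PAPI traffic is expected.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Assumed address block holding the access points.
AP_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed flow records (not real data): timestamp src dst proto dst_port
SAMPLE_FLOWS = """\
2023-08-01T10:00:01Z 10.10.0.5 10.20.0.17 udp 8211
2023-08-01T10:00:02Z 203.0.113.44 10.20.0.17 udp 8211
2023-08-01T10:00:03Z 192.168.50.9 10.20.0.18 udp 8211
2023-08-01T10:00:04Z 203.0.113.44 10.20.0.17 tcp 443
2023-08-01T10:00:05Z 10.10.0.6 10.20.0.19 udp 8211
"""


def parse_flow(line: str) -> dict:
    """Parse one whitespace-separated record into typed fields."""
    ts, src, dst, proto, port = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "dport": int(port),
    }


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def find_untrusted_papi(lines: Iterable[str]) -> List[dict]:
    """Return every UDP/8211 flow to an AP whose source is not a trusted
    management address. Anything returned is a segmentation gap to close."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if (flow["proto"] == "udp" and flow["dport"] == PAPI_PORT
                and _in_any(flow["dst"], AP_NETS)
                and not _in_any(flow["src"], TRUSTED_MGMT_NETS)):
            hits.append(flow)
    return hits


def summarize_sources(hits: List[dict]) -> Dict[str, int]:
    """Count offending flows per source address for a quick triage view."""
    return dict(Counter(str(h["src"]) for h in hits))


if __name__ == "__main__":
    found = find_untrusted_papi(SAMPLE_FLOWS.splitlines())
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']}/{h['proto']}")
    print(summarize_sources(found))
```

Run against real exports, an empty result supports the claim that the workaround is in place; any hit identifies a source that the layer 2 segmentation or layer 3 firewall policy still lets through.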

Sources

  1. https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt
  2. https://nvd.nist.gov/vuln/detail/CVE-2022-25667

Please contact support@group-k.be if any assistance is needed.
