HPE Aruba Networking has released patches for Aruba access points running InstantOS and ArubaOS 10 that address multiple security vulnerabilities.
| Field | Value |
|---|---|
| Severity | Critical |
| CVSSv3 Overall Score | 9.8 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
HPE Aruba Networking
- Aruba Access Points running InstantOS and ArubaOS 10
- ArubaOS 10.4.x.x: 10.4.0.1 and below
- InstantOS 8.11.x.x: 8.11.1.0 and below
- InstantOS 8.10.x.x: 8.10.0.6 and below
- InstantOS 8.6.x.x: 8.6.0.20 and below
- InstantOS 6.5.x.x: 6.5.4.24 and below
- InstantOS 6.4.x.x: 6.4.4.8-4.2.4.21 and below
- ArubaOS 10.3.x.x: all
- InstantOS 8.9.x.x: all
- InstantOS 8.8.x.x: all
- InstantOS 8.7.x.x: all
- InstantOS 8.5.x.x: all
- InstantOS 8.4.x.x: all
Aruba Mobility Conductor, Aruba Mobility Controllers, Access Points when managed by Mobility Controllers, and Aruba SD-WAN Gateways are not affected by these vulnerabilities. Aruba Instant On is also not affected by these vulnerabilities.
Remediation
To address the vulnerabilities described above, it is recommended that the affected release branches be upgraded to the following versions:
- ArubaOS 10.4.x.x: 10.4.0.2 and above
- InstantOS 8.11.x.x: 8.11.1.1 and above
- InstantOS 8.10.x.x: 8.10.0.7 and above
- InstantOS 8.6.x.x: 8.6.0.21 and above
- InstantOS 6.5.x.x: 6.5.4.25 and above
- InstantOS 6.4.x.x: 6.4.4.8-4.2.4.22 and above
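To turn the affected and fixed version lists above into a repeatable check across an AP inventory, here is an added Python helper (written for this page; it is not part of the advisory or of any HPE Aruba tooling) that encodes the builds named on this page and handles the hyphenated 6.4.x.x build format. The device names and versions in the sample inventory are constructed.

```python
"""Classify InstantOS / ArubaOS 10 AP builds against the version table above."""
import re
from typing import Dict, Optional, Tuple

# Transcribed from the affected/remediation lists on this page:
# branch -> (last vulnerable build, first fixed build). None means the
# advisory marks every release of the branch as affected and names no fix.
ADVISORY: Dict[str, Optional[Tuple[str, str]]] = {
    "10.4": ("10.4.0.1", "10.4.0.2"),
    "10.3": None,
    "8.11": ("8.11.1.0", "8.11.1.1"),
    "8.10": ("8.10.0.6", "8.10.0.7"),
    "8.9": None, "8.8": None, "8.7": None,
    "8.6": ("8.6.0.20", "8.6.0.21"),
    "8.5": None, "8.4": None,
    "6.5": ("6.5.4.24", "6.5.4.25"),
    "6.4": ("6.4.4.8-4.2.4.21", "6.4.4.8-4.2.4.22"),
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.4.4.8-4.2.4.21' into (6, 4, 4, 8, 4, 2, 4, 21) so builds compare as tuples."""
    parts = re.findall(r"\d+", version)
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_build) for one AP firmware build.

    status is 'not_listed' (branch absent from the advisory table),
    'vulnerable' or 'fixed'; first_fixed_build is None for branches with no fix.
    """
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch not in ADVISORY:
        return "not_listed", None
    entry = ADVISORY[branch]
    if entry is None:
        return "vulnerable", None  # whole branch affected: move to a fixed branch
    last_bad, first_fixed = entry
    if parsed <= parse_version(last_bad):
        return "vulnerable", first_fixed
    return "fixed", first_fixed

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for ap, ver in [("ap-lobby", "8.10.0.6"), ("ap-lab", "8.6.0.21"),
                    ("ap-legacy", "6.4.4.8-4.2.4.21"), ("ap-old", "8.9.0.3")]:
        status, fix = assess(ver)
        hint = f"upgrade to {fix}" if status == "vulnerable" and fix else ""
        print(f"{ap:10} {ver:18} {status:11} {hint}")
```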
Workaround
To minimize the likelihood of an attacker exploiting these vulnerabilities, Group K recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.
Sources
- https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt
- https://nvd.nist.gov/vuln/detail/CVE-2022-25667