Only upgrading to a secure version will protect your network devices from hacking.
This week, Aruba Networks, a subsidiary of Hewlett Packard Enterprise (HPE), provided information about ten vulnerabilities in the ArubaOS operating system, of which four are classified as critical. They can lead to execution of arbitrary code with user privileges.
All critical vulnerabilities have a CVSS score of 9.8 and are associated with buffer overflow, affecting various system components. Exactly:
The PoC exploit code has not yet been released, but the security guidelines state that all four components are accessed via UDP port 8211 of the Aruba Application Programming Interface (PAPI), and sending specially crafted packets can lead to arbitrary code execution.
Devices such as Aruba Mobility Conductors, Mobility Controllers, and WLAN and SD-WAN gateways managed through Aruba Central are affected.
The list of software versions that need to be updated is as follows: ArubaOS 10.5. x. x: 10.5.1.0 and below; ArubaOS 10.4.x. x: 10.4.1.0 and below; ArubaOS 8.11. x. x: 8.11.2.1 and below; ArubaOS 8.10. x. x: 8.10.0.10 and below.
There is also a list of software versions that are vulnerable to the above security issues but no longer receive technical support: ArubaOS 10.3. x. x; ArubaOS 8.9. x. x; ArubaOS 8.8. x. x; ArubaOS 8.7. x. x; ArubaOS 8.6. x. x; ArubaOS 6.5.4. x; SD-WAN 8.7.0.0-2.3.0. x; SD-WAN 8.6.0.4-2.2. x. x.
In addition, the company reported six medium-severity denial-of-service (DoS) vulnerabilities. All of them have a critical rating from 5.3 to 5.9 on the CVSS scale and have the following identifiers: CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516, CVE-2024-33517, CVE-2024-33518.
To temporarily resolve the issue, you can enable PAPI security features using a non-standard key. However, network administrators are strongly encouraged to apply all available patches as soon as possible to prevent any potential attacks.
This week, Aruba Networks, a subsidiary of Hewlett Packard Enterprise (HPE), provided information about ten vulnerabilities in the ArubaOS operating system, of which four are classified as critical. They can lead to execution of arbitrary code with user privileges.
All critical vulnerabilities have a CVSS score of 9.8 and are associated with buffer overflow, affecting various system components. Exactly:
- CVE-2024-26305 affects service daemon in ArubaOS;
- CVE-2024-26304 affects the L2/L3 management service in ArubaOS;
- CVE-2024-33511 affects automatic reporting service in ArubaOS;
- CVE-2024-33512 affects the ArubaOS local user authentication database.
The PoC exploit code has not yet been released, but the security guidelines state that all four components are accessed via UDP port 8211 of the Aruba Application Programming Interface (PAPI), and sending specially crafted packets can lead to arbitrary code execution.
Devices such as Aruba Mobility Conductors, Mobility Controllers, and WLAN and SD-WAN gateways managed through Aruba Central are affected.
The list of software versions that need to be updated is as follows: ArubaOS 10.5. x. x: 10.5.1.0 and below; ArubaOS 10.4.x. x: 10.4.1.0 and below; ArubaOS 8.11. x. x: 8.11.2.1 and below; ArubaOS 8.10. x. x: 8.10.0.10 and below.
There is also a list of software versions that are vulnerable to the above security issues but no longer receive technical support: ArubaOS 10.3. x. x; ArubaOS 8.9. x. x; ArubaOS 8.8. x. x; ArubaOS 8.7. x. x; ArubaOS 8.6. x. x; ArubaOS 6.5.4. x; SD-WAN 8.7.0.0-2.3.0. x; SD-WAN 8.6.0.4-2.2. x. x.
In addition, the company reported six medium-severity denial-of-service (DoS) vulnerabilities. All of them have a critical rating from 5.3 to 5.9 on the CVSS scale and have the following identifiers: CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516, CVE-2024-33517, CVE-2024-33518.
To temporarily resolve the issue, you can enable PAPI security features using a non-standard key. However, network administrators are strongly encouraged to apply all available patches as soon as possible to prevent any potential attacks.
