Hewlett Packard Enterprise (HPE) has released security updates to address multiple vulnerabilities impacting Aruba Networking Access Point products, including two critical bugs that could result in unauthenticated command execution.
The flaws affect Access Points running Instant AOS-8 and AOS-10 –
The most severe among the six newly patched vulnerabilities are CVE-2024-42509 (CVSS score: 9.8) and CVE-2024-47460 (CVSS score: 9.0), two critical unauthenticated command injection flaws in the CLI Service that could result in the execution of arbitrary code.
“Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211),” HPE said in an advisory for both the flaws.
“Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.”
It’s advised to enable cluster security via the cluster-security command to mitigate CVE-2024-42509 and CVE-2024-47460 on devices running Instant AOS-8 code. However, for AOS-10 devices, the company recommends blocking access to UDP port 8211 from all untrusted networks.
Also resolved by HPE are four other vulnerabilities –
As workarounds, users are being urged to restrict access to CLI and web-based management interfaces by placing them within a dedicated VLAN, and controlling them via firewall policies at layer 3 and above.
“Although Aruba Network access points have not previously been reported as exploited in the wild, they are an attractive target for threat actors due to the potential access these vulnerabilities could provide through privileged user RCE,” Arctic Wolf said. “Additionally, threat actors may attempt to reverse-engineer the patches to exploit unpatched systems in the near future.”