Aruba Networks fixes 14 vulnerabilities in access point OS, three are critical
Take action: If you are using Aruba equipment, check the OS versions - it's probably in the vulnerable range of OS. Lock down the management UDP/8211 port only to trusted networks and implement the `cluster-security` workaround if applicable. Then start patching ASAP. Aruba products are network devices, by their very nature they are exposed and difficult to lock down.
Aruba Networks has issued updates and countermeasures for a total of 14 security issues, with three classified as critical. The advisory from Aruba indicates that these security gaps are present in various versions of their ArubaOS and InstantOS:
Older end of maintenance versions are also vulnerable, but there won't be a patch for those versions.
The critical vulnerabilities are centered around the handling of the Process Application Programming Interface (PAPI) protocol:
The vulnerabilities CVE-2023-45617 and CVE-2023-45618, both rated CVSS 8.2, could potentially allow attackers to delete files arbitrarily, leading to a denial of service (DoS) by removing critical operating system files.
CVE-2023-45619, also with a CVSS score of 8.2, could lead to a DoS condition when an access point’s RSSI service is manipulated over PAPI.
The other CVEs related to PAPI encompass a range of issues from unauthenticated DoS attacks to authenticated remote code execution and authenticated DoS within the CLI.
To address the vulnerabilities it is recommended to upgrade the software to the following versions:
For InstantOS Aruba proposes a workaround by enabling cluster-security via the cluster-security command. For ArubaOS 10 devices this is not an option. Instead access to port UDP/8211 must be blocked from all untrusted networks.