Aruba Networks fixes 14 vulnerabilities in access point OS, three are critical

published: Nov. 16, 2023

Take action: If you are running Aruba access points, check their OS versions against the fixed-version list below; most deployed releases fall in the vulnerable range. Restrict the PAPI port, UDP/8211, to trusted management networks only, enable the `cluster-security` workaround on InstantOS where applicable, and then patch as soon as possible. Aruba products are network devices; by their very nature they are exposed and hard to lock down.


Learn More

Aruba Networks has issued updates and countermeasures for a total of 14 security issues, with three classified as critical. The advisory from Aruba indicates that these security gaps are present in various versions of their ArubaOS and InstantOS:

  • ArubaOS versions 10.5 and 10.4
  • InstantOS versions 8.11, 8.10, and 8.6

Older, end-of-maintenance versions are also vulnerable, but no patch will be released for them.

The critical vulnerabilities are centered around the handling of the Process Application Programming Interface (PAPI) protocol:

  • CVE-2023-45614 and CVE-2023-45615 (CVSS3 score 9.8 for both) are buffer overflows in the command-line interface (CLI) service. They could enable attackers, without authentication, to execute code remotely with elevated privileges by sending specially crafted packets to PAPI on UDP port 8211.
  • CVE-2023-45616 (CVSS3 score 9.8) is a buffer overflow in the AirWave client service, also reachable over PAPI, which could likewise allow unauthenticated remote code execution.

The vulnerabilities CVE-2023-45617 and CVE-2023-45618, both rated CVSS 8.2, could allow attackers to delete arbitrary files, leading to a denial of service (DoS) when critical operating system files are removed.

CVE-2023-45619, also with a CVSS score of 8.2, could lead to a DoS condition when an access point’s RSSI service is manipulated over PAPI.

The other CVEs related to PAPI encompass a range of issues from unauthenticated DoS attacks to authenticated remote code execution and authenticated DoS within the CLI.

To address the vulnerabilities it is recommended to upgrade the software to the following versions:

  •   ArubaOS 10.5.x.x:   10.5.0.1 and above
  •   ArubaOS 10.4.x.x:   10.4.0.3 and above
  •   InstantOS 8.11.x.x: 8.11.2.0 and above
  •   InstantOS 8.10.x.x: 8.10.0.9 and above
  •   InstantOS 8.6.x:    8.6.0.23 and above
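To turn that table into something you can run against an inventory, here is an added example (not code from Aruba or from the advisory) that classifies each device as patched, vulnerable, or on an end-of-maintenance branch with no fix. The fixed versions are the ones listed above; the device inventory is constructed, and the rule that any unlisted branch older than the newest fixed branch is end-of-maintenance is an assumption based on the advisory's note about older releases. Note that version comparison must be numeric: `8.10.0.10` is newer than `8.10.0.9`, which a string comparison gets wrong.

```python
"""Triage an Aruba AP inventory against the fixed versions in the advisory.

Added example, not code from Aruba or the advisory. The inventory below is a
constructed sample; the fixed-version table is the one given in the text.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]
Branch = Tuple[int, int]

# First fixed build per supported branch, from the advisory's upgrade table.
# This covers the AP operating systems only (ArubaOS 10 and InstantOS 8);
# controller-based ArubaOS 8 is out of scope for this table.
FIXED: Dict[Tuple[str, Branch], Version] = {
    ("ArubaOS", (10, 5)): (10, 5, 0, 1),
    ("ArubaOS", (10, 4)): (10, 4, 0, 3),
    ("InstantOS", (8, 11)): (8, 11, 2, 0),
    ("InstantOS", (8, 10)): (8, 10, 0, 9),
    ("InstantOS", (8, 6)): (8, 6, 0, 23),
}

PATCHED = "patched"
VULNERABLE = "vulnerable: upgrade"
EOM = "vulnerable: end of maintenance, no fix, isolate UDP/8211"
UNKNOWN = "branch not in advisory table: check the vendor advisory"


def parse_version(text: str) -> Version:
    """Parse '8.10.0.9' (or a shorter form like '10.4') into a 4-tuple of ints.

    Missing trailing fields are padded with 0 so tuples compare numerically,
    field by field, rather than as strings.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    padded = nums + (0,) * (4 - len(nums))
    return padded[0], padded[1], padded[2], padded[3]


def assess(product: str, version: str) -> str:
    """Classify one device's OS version against the advisory table."""
    v = parse_version(version)
    branch: Branch = (v[0], v[1])
    fixed = FIXED.get((product, branch))
    if fixed is not None:
        return PATCHED if v >= fixed else VULNERABLE

    known_branches = [b for (p, b) in FIXED if p == product]
    if not known_branches:
        return UNKNOWN  # product name not in the table at all

    # Assumption: an unlisted branch older than the newest fixed branch for
    # this product is end-of-maintenance, which the advisory says is
    # vulnerable with no patch. A branch newer than the table cannot be
    # judged from this page, so it is flagged for manual checking.
    return EOM if branch < max(known_branches) else UNKNOWN


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (device name, status) for every (name, product, version) entry."""
    return [(name, assess(product, version)) for name, product, version in inventory]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ap-lobby-01", "InstantOS", "8.10.0.8"),
    ("ap-lobby-02", "InstantOS", "8.10.0.10"),
    ("ap-lab-01", "InstantOS", "8.7.1.10"),
    ("ap-hq-01", "ArubaOS", "10.4.0.3"),
    ("ap-hq-02", "ArubaOS", "10.5.0.0"),
]


if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY):
        print(f"{name:<14} {status}")
```

Feed it the product family and version string as reported by each AP's firmware; devices that come back as end-of-maintenance cannot be patched and should get the UDP/8211 restriction (and, on InstantOS, `cluster-security`) as the only mitigation.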

For InstantOS, Aruba proposes a workaround: enable cluster security with the `cluster-security` command. This option does not exist on ArubaOS 10 devices; there, access to UDP/8211 must instead be blocked from all untrusted networks.
