What vulnerabilities have been identified in HPE Aruba Networking Access Points?

HPE Aruba Networking has identified multiple critical vulnerabilities in Access Points running on Instant AOS-8 and AOS-10 software, including issues that allow remote unauthenticated command execution through the PAPI protocol on UDP port 8211. Users are advised to apply recommended firmware updates.

What is CVE-2024-42509?

CVE-2024-42509 is a critical unauthenticated command injection vulnerability (CVSS score 9.8) allowing remote code execution by sending crafted packets via the PAPI protocol on UDP port 8211. It can lead to full system compromise. Mitigation steps include enabling 'cluster-security' for AOS-8 or blocking UDP/8211 access from untrusted networks for AOS-10 users.

How can CVE-2024-47460 be mitigated?

To mitigate CVE-2024-47460, which allows unauthenticated command injection, AOS-8 users should enable 'cluster-security,' while AOS-10 users should restrict UDP port 8211 access from untrusted networks.

What risks are associated with CVE-2024-47461, CVE-2024-47462, and CVE-2024-47463?

CVE-2024-47461 (authenticated command injection) allows authenticated users to run arbitrary commands, leading to potential system compromise. CVE-2024-47462 and CVE-2024-47463 permit authenticated users to create arbitrary files, potentially enabling remote code execution. Mitigations include restricting management interfaces to isolated VLANs or using firewall policies.

What is CVE-2024-47464, and how can it be mitigated?

CVE-2024-47464 is an authenticated path traversal vulnerability that allows users to access unauthorized files. Mitigation includes network segmentation and limiting access to management interfaces with firewall rules.

Which software versions are affected by these vulnerabilities?

The vulnerabilities affect critical and high-risk versions including AOS-10.4.x.x (10.4.1.4 and below), Instant AOS-8.12.x.x (8.12.0.2 and below), and Instant AOS-8.10.x.x (8.10.0.13 and below). End-of-Maintenance versions such as AOS-10.6.x.x, AOS-10.5.x.x, and Instant AOS-8.11.x.x also remain vulnerable without available patches.

What are the recommended updates to address these vulnerabilities?

HPE Aruba Networking recommends updating to AOS-10.7.x.x (version 10.7.0.0 and newer), AOS-10.4.x.x (version 10.4.1.5 and newer), Instant AOS-8.12.x.x (version 8.12.0.3 and newer), and Instant AOS-8.10.x.x (version 8.10.0.14 and newer).

Advisory

HPE Aruba Networking fixes multiple critical flaws in their Access Points with AOS-8 and AOS-10 software

published: Nov. 6, 2024

Take action: A bunch of flaws impacting HPE Aruba Access Points. If you are running those Access Points, start reviewing versions and patching. It's going to be a longer effort since these systems are usually part of a large implementation.

Learn More

HPE Aruba Networking has issued an advisory regarding multiple critical vulnerabilities affecting its Access Points operating on Instant AOS-8 and AOS-10 software versions.

These vulnerabilities, allow for remote, unauthenticated command execution by leveraging the PAPI (Aruba’s Access Point management protocol) on UDP port 8211. Affected users should apply the recommended firmware updates immediately to mitigate risks of unauthorized system compromise.

CVE-2024-42509 (CVSS score 9.8) - Unauthenticated Command Injection via PAPI Protocol - Enables unauthenticated attackers to execute arbitrary code as a privileged user by sending crafted packets to UDP port 8211, leading to full system compromise.
- Mitigation: For Instant AOS-8, enabling "cluster-security" prevents exploitation. AOS-10 users should block UDP/8211 access from untrusted networks.
CVE-2024-47460 (CVSS score 9.0) - Unauthenticated Command Injection via PAPI Protocol - Similar to CVE-2024-42509, this vulnerability also allows unauthenticated code execution on the CLI service, potentially compromising the operating system.
- Mitigation: Same as CVE-2024-42509, restricting port access or enabling "cluster-security" in AOS-8.
CVE-2024-47461 (CVSS score 7.2) - Authenticated Command Injection in CLI - Allows authenticated users to execute arbitrary commands on the operating system, which can lead to a complete system compromise.
- Mitigation: Limit CLI and management interfaces to isolated VLANs or secure with firewall policies.
CVE-2024-47462 and CVE-2024-47463 (CVSS score 7.2) - Authenticated Arbitrary File Creation - Permits authenticated users to create arbitrary files, which could then lead to remote code execution.
- Mitigation: Restrict management interfaces to specific VLANs or secure with firewall rules.
CVE-2024-47464 (CVSS score 6.8) - Authenticated Path Traversal - Allows authenticated users to access unauthorized files by copying them to a readable location on the device.
- Mitigation: Use network segmentation and firewall policies to limit management interface access.

Affected versions are:

Critical and High-Risk Versions: AOS-10.4.x.x (10.4.1.4 and below), Instant AOS-8.12.x.x (8.12.0.2 and below), and Instant AOS-8.10.x.x (8.10.0.13 and below).
End-of-Maintenance (EoM): Versions including AOS-10.6.x.x, AOS-10.5.x.x, and Instant AOS-8.11.x.x and older versions remain vulnerable without available patches.

To address these vulnerabilities, HPE Aruba Networking recommends upgrading to:

AOS-10.7.x.x: Version 10.7.0.0 and newer
AOS-10.4.x.x: Version 10.4.1.5 and newer
Instant AOS-8.12.x.x: Version 8.12.0.3 and newer
Instant AOS-8.10.x.x: Version 8.10.0.14 and newer

HPE Aruba Networking fixes multiple critical flaws in their Access Points with AOS-8 and AOS-10 software

Read More
Another Citrix NetScaler flaw gives access to sensitive …
D-Link patches remote code execution flaw in DSL-3788 …
FortiGate Firewalls Compromised Despite Recent Patches for CVE-2025-59718
OpenSSL Patches 12 Vulnerabilities Including One Critical RCE
Cisco fixes critical flaw in affecting Ultra-Reliable Wireless …