Advisory

HPE Aruba releases fixes for critical vulnerabilities in ArubaOS

Take action: If you are using HPE Aruba products running ArubaOS, review all of your systems for the ArubaOS version they run; most ArubaOS versions appear to be vulnerable. If you are using ArubaOS 8, there is a workaround to apply. If you are on ArubaOS 10, patch as soon as possible. If you are using an end-of-life product, isolate it from the internet and replace it.


Learn More

In April 2024, HPE Aruba Networking released a security advisory addressing multiple vulnerabilities in ArubaOS, the operating system used in its networking products. The advisory covers ten vulnerabilities, including four critical-severity remote code execution (RCE) flaws that could allow remote, unauthenticated attackers to execute arbitrary code. The remaining flaws are medium severity, with CVSS scores of 5.9 and 5.3.

The critical vulnerabilities are as follows:

  • CVE-2024-26305 (CVSS score 9.8): A vulnerability in the Utility daemon of ArubaOS that allows remote attackers to execute arbitrary code by sending specially crafted packets to the PAPI (Proprietary Aruba Point-to-Point Protocol) UDP port (8211).
  • CVE-2024-26304 (CVSS score 9.8): A flaw in the L2/L3 Management service that permits unauthenticated remote code execution via crafted packets sent to the same PAPI UDP port.
  • CVE-2024-33511 (CVSS score 9.8): A vulnerability in the Automatic Reporting service that can be exploited through specially crafted packets sent to the PAPI protocol port, enabling remote code execution.
  • CVE-2024-33512 (CVSS score 9.8): A buffer overflow vulnerability in the Local User Authentication Database service, accessible via the PAPI protocol, that allows for remote code execution.

The impacted products include:

  • HPE Aruba Networking Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed by Aruba Central.
  • Versions of ArubaOS up to 10.5.1.0, 10.4.1.0, 8.11.2.1, and 8.10.0.10, along with all versions that have reached end-of-life (EoL), such as ArubaOS below 10.3 and SD-WAN versions from 2.3.0 through 8.7.0.0.

HPE Aruba advises enabling Enhanced PAPI Security (a workaround that applies only to ArubaOS 8) and upgrading to the latest patched versions of ArubaOS, which address the four critical issues and fix the other six medium-severity vulnerabilities.

The recommended target upgrade versions that address all vulnerabilities are:

  • ArubaOS 10.6.0.0 and above
  • ArubaOS 10.5.1.1 and above
  • ArubaOS 10.4.1.1 and above
  • ArubaOS 8.11.2.2 and above
  • ArubaOS 8.10.0.11 and above
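
The version review recommended above, as an added example that is not part of the advisory: it compares an inventory of ArubaOS builds against the fixed builds listed here, branch by branch, and flags anything with no listed fix as end-of-life to isolate and replace. The inventory, its hostnames and the status names are constructed for illustration.

```python
# Fixed builds per supported branch, from the advisory above; any build on
# the same branch below the fixed one is vulnerable.
FIXED_BUILDS = {
    (10, 6): (10, 6, 0, 0),
    (10, 5): (10, 5, 1, 1),
    (10, 4): (10, 4, 1, 1),
    (8, 11): (8, 11, 2, 2),
    (8, 10): (8, 10, 0, 11),
}

def parse_version(text: str) -> tuple:
    """Turn 'major.minor.patch.build' into a comparable tuple of ints."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected ArubaOS version format: {text!r}")
    return parts

def assess(version: str) -> str:
    """Classify one build: fixed, vulnerable, eol_or_unsupported, verify."""
    build = parse_version(version)
    branch = build[:2]
    if branch in FIXED_BUILDS:
        return "fixed" if build >= FIXED_BUILDS[branch] else "vulnerable"
    if branch > max(FIXED_BUILDS):
        return "verify"  # newer than any branch the advisory covers
    # No fixed build listed for this branch: treat it as end-of-life, i.e.
    # isolate it from the internet and replace it rather than wait for a patch.
    return "eol_or_unsupported"

def triage(inventory: dict) -> dict:
    """Map each host to (status, build to upgrade to or None)."""
    report = {}
    for host, version in inventory.items():
        status, target = assess(version), None
        if status == "vulnerable":
            target = ".".join(map(str, FIXED_BUILDS[parse_version(version)[:2]]))
        report[host] = (status, target)
    return report

# Constructed sample inventory (placeholder hostnames), one host per case.
INVENTORY = {
    "mc-dc1-01": "8.10.0.10",    # one build below fixed 8.10.0.11
    "mc-dc1-02": "8.11.2.2",     # exactly the fixed build
    "gw-branch-07": "10.4.1.0",  # last vulnerable 10.4 build
    "gw-branch-08": "10.6.0.0",  # fixed
    "gw-legacy-01": "10.2.1.0",  # below 10.3: end-of-life per the advisory
}
```

Feed `triage()` the versions reported by your controllers and gateways; every "vulnerable" entry carries the exact build to upgrade to, and "eol_or_unsupported" hosts need isolation and replacement rather than a patch.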

As of the advisory's publication, there have been no reported instances of these vulnerabilities being actively exploited or any proof-of-concept (PoC) exploits made public. HPE Aruba urges system administrators to apply the security updates promptly to protect against potential attacks.
