Advisory

HPE patches three critical flaws in Aruba access points

Take action: If you are running HPE Aruba access points, block access to UDP 8211 from untrusted networks, then patch. Exploitation requires either access to the same network or malware on a device in the same network. You have some time to fix things without too much worry, but don't forget to patch.


Learn More

Hewlett Packard Enterprise (HPE) Aruba has released critical patches for three severe vulnerabilities in its ArubaOS systems, which impact Aruba Access Points running AOS-8 and AOS-10.

Vulnerabilities Overview:

  • CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507 (all CVSS Score 9.8) affect the Proprietary Access Protocol Interface (PAPI), which listens on UDP port 8211. An unauthenticated attacker can exploit these flaws by sending specially crafted packets to this port, allowing remote code execution with privileged access.

Affected Versions:

  • AOS-10.6.x.x (up to and including 10.6.0.2)
  • Instant AOS-8.12.x.x (including 8.12.0.1 and earlier versions)
  • AOS-10.5.x.x and AOS-10.3.x.x (End-of-life versions)
  • Instant AOS-8.11.x.x and earlier versions

Mitigation and Recommendations:

  • For Instant AOS-8.x systems: Enable cluster-security via the CLI command cluster-security to prevent exploitation.
  • For AOS-10 systems: Blocking access to UDP port 8211 from all untrusted networks is recommended, as the cluster-security feature is unavailable for these devices.
  • Patches are available for the affected systems and can be downloaded from the HPE Aruba Networking Support Portal.
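
To confirm that the UDP 8211 block is effective, firewall or flow logs can be audited for PAPI traffic that was allowed to reach access points from outside the management network. The following is an added example, not code from HPE or from this advisory; the log format, the subnets and the sample records are constructed assumptions.

```python
import ipaddress

PAPI_PORT = 8211  # UDP port PAPI listens on, per the advisory

# Assumptions (constructed for this example): the management subnet allowed
# to reach PAPI, and the subnet that holds the access points.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
AP_NETS = [ipaddress.ip_network("10.30.0.0/16")]

# Constructed flow records in an assumed format: "src dst proto dport action"
SAMPLE_FLOWS = """\
10.20.0.5 10.30.1.10 udp 8211 allow
192.168.50.7 10.30.1.10 udp 8211 allow
192.168.50.7 10.30.1.11 udp 8211 deny
172.16.4.9 10.30.2.20 tcp 8211 allow
192.168.50.8 10.30.1.10 udp 53 allow
203.0.113.44 10.30.2.20 udp 8211 allow
not a flow record
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_papi_exposure(text):
    """Return (findings, skipped): allowed UDP/8211 flows to APs from untrusted sources."""
    findings, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        try:
            src_s, dst_s, proto, dport_s, action = parts
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            dport = int(dport_s)
        except ValueError:  # wrong field count or unparsable address/port
            skipped += 1
            continue
        if proto.lower() != "udp" or dport != PAPI_PORT:
            continue  # not PAPI traffic
        if not in_any(dst, AP_NETS):
            continue  # destination is not an access point
        if action.lower() == "allow" and not in_any(src, TRUSTED_NETS):
            findings.append((str(src), str(dst)))
    return findings, skipped

if __name__ == "__main__":
    findings, skipped = audit_papi_exposure(SAMPLE_FLOWS)
    for src, dst in findings:
        print(f"UDP/{PAPI_PORT} allowed from untrusted {src} to AP {dst}")
    print(f"{skipped} unparsable record(s) skipped")
```

Any finding means the block is incomplete for that path; skipped records should be reviewed rather than ignored, since a parsing gap can hide allowed traffic.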