Hewlett Packard Enterprise (HPE) launched updates for Prompt AOS-8 and AOS-10 software program to handle two important vulnerabilities in Aruba Networking Entry Factors.
The 2 safety points may enable a distant attacker to carry out unauthenticated command injection by sending specifically crafted packets to Aruba’s Entry Level administration protocol (PAPI) over UDP port 8211.
The important flaws are tracked as CVE-2024-42509 and CVE-2024-47460, and have been assessed with a severity rating of 9.8 and 9.0, respectively. Each are within the command line interface (CLI) service, which is accessed by way of the PAPI protocol.
The replace additionally fixes one other 4 safety vulnerabilities:
- CVE-2024-47461 (7.2 severity rating): authenticated distant command execution that might enable an attacker to execute arbitrary instructions on the underlying working system
- CVE-2024-47462 and CVE-2024-47463 (7.2 severity rating): an authenticated attacker may create arbitrary information, probably resulting in distant command execution
- CVE-2024-47464 (6.8 severity rating): an authenticated attacker exploiting it may entry unauthorized information by way of path traversal
All six vulnerabilities impression AOS-10.4.x.x: 10.4.1.4 and older releases, Prompt AOS-8.12.x.x: 8.12.0.2 and beneath, and Prompt AOS-8.10.x.x: 8.10.0.13 and older variations.
HPE notes within the safety advisory that a number of extra variations of the software program which have reached their Finish of Upkeep dates are additionally impacted by these flaws there might be no safety updates for them.
Fixes and workarounds
To deal with vulnerabilities in Aruba Networking Entry Factors, HPE recommends customers to replace their gadgets to the next software program variations or newer:
- AOS-10.7.x.x: Replace to model 10.7.0.0 and later.
- AOS-10.4.x.x: Replace to model 10.4.1.5 or later.
- Prompt AOS-8.12.x.x: Replace to model 8.12.0.3 or newer.
- Prompt AOS-8.10.x.x: Replace to model 8.10.0.14 or above
HPE has additionally supplied workarounds for all six flaws to assist in circumstances the place software program updates can’t be instantly put in:
For the 2 important flaws, the proposed workaround is to limit/block entry to the UDP port 8211 from all untrusted networks.
For the remainder of the problems, the seller recommends proscribing entry to the CLI and web-based administration interfaces by putting them on a devoted layer 2 section or VLAN, and to manage entry with firewall insurance policies at layer 3 and above, which might restrict potential publicity.
No energetic exploitation of the failings has been noticed, however making use of the safety updates and/or mitigations comes as a robust suggestion.