Hacker reports simultaneous fixing of four RCE vulnerabilities in ArubaOS

HPE Aruba Networking (formerly Aruba Networks) has released patches to address critical vulnerabilities in ArubaOS that could lead to remote code execution (RCE) on affected systems.

In total, the company's security bulletin lists ten vulnerabilities, four of which are rated critical (CVSS score 9.8): unauthenticated buffer overflows that could lead to remote code execution.

The vulnerabilities affect:

  • HPE Aruba Networking Mobility Conductor, Mobility Controllers, WLAN Gateways and SD-WAN Gateways managed by Aruba Central;
  • ArubaOS 10.5.1.0 and below, 10.4.1.0 and above, 8.11.2.1 and below, 8.10.0.10 and above;
  • All versions of ArubaOS and SD-WAN that are no longer supported (including ArubaOS below 10.3, 8.9, 8.8, 8.7, 8.6, 6.5.4 and SD-WAN 2.3.0 to 8.7.0.0 and 2.2 to 8.6.0.4).

The four critical vulnerabilities mentioned include:

  • CVE-2024-26305 – an issue in the Utility daemon in ArubaOS that allows an unauthenticated attacker to remotely execute arbitrary code by sending specially crafted packets to the PAPI UDP port (8211);
  • CVE-2024-26304 – a vulnerability in the L2/L3 Management service that allows an unauthenticated attacker to remotely execute arbitrary code via specially crafted packets sent to the PAPI UDP port;
  • CVE-2024-33511 – a vulnerability in the Automatic Reporting service that can be exploited by sending specially crafted packets to the PAPI port, likewise allowing unauthenticated attackers to remotely execute arbitrary code;
  • CVE-2024-33512 – a bug that allows unauthenticated remote attackers to execute code via a buffer overflow in the Local User Authentication Database service, which is accessed over the PAPI protocol.

The latest versions of ArubaOS also address six more vulnerabilities (CVSS scores 5.3 to 5.9) that could allow unauthorized attackers to cause a denial of service on vulnerable devices.

All bugs have been fixed in ArubaOS 10.6.0.0 and higher, ArubaOS 10.5.1.1 and higher, ArubaOS 10.4.1.1 and higher, ArubaOS 8.11.2.2 and higher, and ArubaOS 8.10.0.11 and higher.
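As an added illustration (not code from the bulletin or from HPE Aruba), the Python helper below turns the fixed-version list above into an inventory triage: each ArubaOS version string is compared with the patched build for its branch, and branches the bulletin names only as end-of-support are flagged as needing an upgrade rather than a patch. The four-part version format, the constructed inventory lines and the treatment of any 10.x release at or above 10.6.0.0 as patched are assumptions.

```python
"""Classify ArubaOS versions against the fixed builds named in the HPE Aruba bulletin."""

# Patched build per supported branch, as listed in the bulletin
# ("X and higher" is fixed, anything older on the same branch is not).
FIXED_BY_BRANCH = {
    (10, 6): (10, 6, 0, 0),
    (10, 5): (10, 5, 1, 1),
    (10, 4): (10, 4, 1, 1),
    (8, 11): (8, 11, 2, 2),
    (8, 10): (8, 10, 0, 11),
}

# Assumption: ArubaOS versions are written as four dotted integers (e.g. 8.10.0.11).
def parse_version(text: str) -> tuple:
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ArubaOS version format: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for one version string."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    # Assumption: "10.6.0.0 and higher" also covers later 10.x branches.
    if v[0] == 10 and v >= FIXED_BY_BRANCH[(10, 6)]:
        return "patched"
    # Everything else (10.3 and below, 8.9 and below, 6.5.4, ...) is out of
    # support in the bulletin: no patch exists, the device must be upgraded.
    return "unsupported"


# Constructed sample inventory: "hostname,version" per line.
INVENTORY = """\
mc-hq-01,8.10.0.10
mc-hq-02,8.10.0.11
gw-branch-7,10.4.1.0
mc-legacy,6.5.4.23
"""

def triage_inventory(text: str) -> dict:
    """Map each hostname in a CSV-style inventory to its triage result."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, version = (f.strip() for f in line.split(",", 1))
        result[host] = triage(version)
    return result


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:14} {status}")
```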

As a temporary protective measure, the developers recommend that owners of devices running unsupported versions of ArubaOS 8.x enable the Enhanced PAPI Security feature using a non-default key.
