HPE Aruba Networking fixes 4 vital RCE flaws in ArubaOS

HPE Aruba Networking has issued its April 2024 safety advisory detailing vital distant code execution (RCE) vulnerabilities impacting a number of variations of ArubaOS, its proprietary community working system.

The advisory lists ten vulnerabilities, 4 of that are critical-severity (CVSS v3.1: 9.8) unauthenticated buffer overflow issues that may result in distant code execution (RCE).

Merchandise impacted by the newly disclosed flaws are:

• HPE Aruba Networking Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed by Aruba Central.
• ArubaOS 10.5.1.0 and beneath, 10.4.1.0 and older, 8.11.2.1 and beneath, and eight.10.0.10 and older.
• All variations of ArubaOS and SD-WAN which have reached EoL. This contains ArubaOS beneath 10.3, 8.9, 8.8, 8.7, 8.6, 6.5.4, and SD-WAN 2.3.0 by way of 8.7.0.0 and a pair of.2 by way of 8.6.0.4.

The 4 vital distant code execution flaws are: 

• CVE-2024-26305 – Flaw in ArubaOS’s Utility daemon permitting an unauthenticated attacker to execute arbitrary code remotely by sending specifically crafted packets to the PAPI (Aruba’s entry level administration protocol) UDP port (8211).
• CVE-2024-26304 – Flaw within the L2/L3 Administration service, allowing unauthenticated distant code execution by way of crafted packets despatched to the PAPI UDP port.
• CVE-2024-33511 – Vulnerability within the Automated Reporting service that may be exploited by sending specifically crafted packets to the PAPI protocol port to permit unauthenticated attackers to execute arbitrary code remotely.
• CVE-2024-33512 – Flaw permitting unauthenticated distant attackers to execute code by exploiting a buffer overflow within the Native Consumer Authentication Database service accessed by way of the PAPI protocol.

To mitigate the failings the seller recommends enabling Enhanced PAPI Safety and upgrading to patched variations for ArubaOS.

The most recent variations additionally handle one other six vulnerabilities, all rated “medium” in severity (CVSS v3.1: 5.3 – 5.9) which might permit unauthenticated attackers to create denial of service on susceptible gadgets and trigger pricey operational disruptions.

The goal improve variations that handle all ten flaws are:

• ArubaOS 10.6.0.0 and above 
• ArubaOS 10.5.1.1 and above 
• ArubaOS 10.4.1.1 and above 
• ArubaOS 8.11.2.2 and above 
• ArubaOS 8.10.0.11 and above 

Right now, HPE Aruba Networking will not be conscious of any instances of lively exploitation or the existence of proof-of-concept (PoC) exploits for the talked about vulnerabilities.

Nonetheless, system directors are beneficial to use the accessible safety updates as quickly as doable.