Hewlett Packard Enterprise (HPE) launched updates for Prompt AOS-8 and AOS-10 software program to handle two essential vulnerabilities in Aruba Networking Entry Factors.
The 2 safety points might enable a distant attacker to carry out unauthenticated command injection by sending specifically crafted packets to Aruba’s Entry Level administration protocol (PAPI) over UDP port 8211.
The essential flaws are tracked as CVE-2024-42509 and CVE-2024-47460, and have been assessed with a severity rating of 9.8 and 9.0, respectively. Each are within the command line interface (CLI) service, which is accessed by way of the PAPI protocol.
The replace additionally fixes one other 4 safety vulnerabilities:
- CVE-2024-47461 (7.2 severity rating):Â authenticated distant command execution that might enable an attacker to execute arbitrary instructions on the underlying working system
- CVE-2024-47462 and CVE-2024-47463 (7.2 severity rating): an authenticated attacker might create arbitrary recordsdata, probably resulting in distant command execution
- CVE-2024-47464 (6.8 severity rating): an authenticated attacker exploiting it might entry unauthorized recordsdata by way of path traversal
All six vulnerabilities affect AOS-10.4.x.x: 10.4.1.4 and older releases, Prompt AOS-8.12.x.x: 8.12.0.2 and under, and Prompt AOS-8.10.x.x: 8.10.0.13 and older variations.
HPE notes within the safety advisory that a number of extra variations of the software program which have reached their Finish of Upkeep dates are additionally impacted by these flaws there shall be no safety updates for them.
Fixes and workarounds
To deal with vulnerabilities in Aruba Networking Entry Factors, HPE recommends customers to replace their gadgets to the next software program variations or newer:
- AOS-10.7.x.x: Replace to model 10.7.0.0 and later.
- AOS-10.4.x.x: Replace to model 10.4.1.5 or later.
- Prompt AOS-8.12.x.x: Replace to model 8.12.0.3 or newer.
- Prompt AOS-8.10.x.x: Replace to model 8.10.0.14 or above
HPE has additionally offered workarounds for all six flaws to assist in circumstances the place software program updates can’t be instantly put in:
For the 2 essential flaws, the proposed workaround is to limit/block entry to the UDP port 8211 from all untrusted networks.
For the remainder of the problems, the seller recommends proscribing entry to the CLI and web-based administration interfaces by inserting them on a devoted layer 2 phase or VLAN, and to regulate entry with firewall insurance policies at layer 3 and above, which might restrict potential publicity.
No lively exploitation of the issues has been noticed, however making use of the safety updates and/or mitigations comes as a powerful suggestion.
