Aruba Networks fixes multiple vulnerabilities in Aruba Access Points

In the constantly evolving world of computer networking and wireless connectivity solutions, Aruba Networks, a California-based subsidiary of Hewlett Packard Enterprise, has carved a niche for itself with its cutting-edge technology. However, the security landscape is fraught with challenges, and even the most robust solutions are not entirely immune to them.

Aruba has recently issued patches for multiple security vulnerabilities found in its ArubaOS 10 and Aruba InstantOS, which were affecting its access points.

PAPI Protocol Buffer Overflow Vulnerabilities (CVE-2023-22779 to CVE-2023-22786)

The first series of vulnerabilities are buffer overflow vulnerabilities affecting multiple underlying services that can be accessed via the PAPI (Aruba’s access point management protocol) UDP port (8211). This could potentially allow an unauthenticated remote code execution by sending specially crafted packets to the port.

With a CVSSv3 Overall Score of 9.8, the severity of these vulnerabilities is critical, as successful exploitation would result in the ability to execute arbitrary code as a privileged user on the underlying operating system. These vulnerabilities were discovered by Erik de Jong, through Aruba’s bug bounty program.

Aruba has managed to patch these vulnerabilities in ArubaOS 10.4.x, Aruba InstantOS 8.11.x, and 8.10.x. For devices running older or unnamed branches, Aruba has recommended enabling cluster-security via the cluster-security command or blocking access to UDP/8211 from untrusted networks as a workaround.

Unauthenticated Denial of Service (DoS) Vulnerability (CVE-2023-22787)

Next, an unauthenticated Denial of Service (DoS) vulnerability was discovered by Daniel Jensen, again through Aruba’s bug bounty program. This vulnerability, existing in a service accessed via the PAPI protocol, could disrupt the normal operation of the affected access point, scoring a 7.5 on the CVSSv3 Overall Score. The recommended workaround for this vulnerability is to block access to port UDP/8211 from all untrusted networks.

Authenticated Remote Command Execution Vulnerabilities (CVE-2023-22788 to CVE-2023-22790)

Further vulnerabilities discovered by Daniel Jensen include multiple authenticated command injection vulnerabilities in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation would result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. The CVSSv3 Overall Score for these vulnerabilities is 7.2. Specific workarounds for these vulnerabilities can be found in the advisory document provided by Aruba.

Sensitive Information Disclosure Vulnerability (CVE-2023-22791)

Lastly, a sensitive information disclosure vulnerability was discovered by Zack Colgan of ClearBearing. Under an edge-case combination of network configuration, a specific WLAN environment, and an attacker possessing valid user credentials, potentially sensitive information can be disclosed via the WLAN. This vulnerability has a CVSSv3 Overall Score of 5.4, with no current workaround.

Keeping the Network Secure

Aruba has rolled out patches to address these vulnerabilities. Customers are urged to update to the recommended versions to ensure the safety of their networks. For those who can’t upgrade immediately, workarounds have been provided. In general, Aruba recommends restricting the CLI and web-based management interfaces to a dedicated layer 2 segment/VLAN or controlling them by firewall policies at layer 3 and above.

It’s important to note that as of the publication of this advisory, Aruba is not aware of any public discussion or exploit code targeting these specific vulnerabilities.