Aruba Networks Issues Security Advisory for Critical Buffer Overflow Vulnerabilities

In a recent security advisory, Aruba Networks has disclosed 14 security flaws, including three critical-severity vulnerabilities, affecting multiple versions of ArubaOS, its proprietary network operating system. These vulnerabilities impact a wide range of Aruba access points running InstantOS and ArubaOS 10, potentially putting corporate networks at risk of remote code execution attacks.

Critical Buffer Overflow Vulnerabilities in PAPI Protocol

The critical flaws, identified as CVE-2023-45614, CVE-2023-45615, and CVE-2023-45616, carry a CVSS v3 rating of 9.8 out of 10.0, indicating their high severity. These vulnerabilities, categorized as buffer overflows, reside in the PAPI protocol, Aruba’s proprietary access point management protocol.

Exploitation of these vulnerabilities allows an attacker to execute arbitrary code as a privileged user on the affected device, potentially gaining complete control over the network. The vulnerabilities can be triggered by sending specially crafted packets to the PAPI UDP port (8211).

Affected Software Versions

The following ArubaOS and InstantOS versions are affected by these critical vulnerabilities:

• ArubaOS 10.5.x.x: 10.5.0.0 and below
• ArubaOS 10.4.x.x: 10.4.0.2 and below
• InstantOS 8.11.x.x: 8.11.1.2 and below
• InstantOS 8.10.x.x: 8.10.0.8 and below
• InstantOS 8.6.x.x: 8.6.0.22 and below

Mitigation and Updates Available

Aruba Networks has released software updates to address these vulnerabilities. The recommended target upgrade versions are:

• ArubaOS 10.5.x.x: 10.5.0.1 and above
• ArubaOS 10.4.x.x: 10.4.0.3 and above
• InstantOS 8.11.x.x: 8.11.2.0 and above
• InstantOS 8.10.x.x: 8.10.0.9 and above
• InstantOS 8.6.x.x: 8.6.0.23 and above

Affected users must upgrade their ArubaOS or InstantOS installations to the latest versions immediately to mitigate the risk of exploitation.

End-of-Life Products Remain Vulnerable

Unfortunately, several versions of ArubaOS and InstantOS that have reached their End of Life (EoL) are also affected and will not receive updates to rectify these vulnerabilities. These include:

• ArubaOS 10.3.x.x: all
• InstantOS 8.9.x.x: all
• InstantOS 8.8.x.x: all
• InstantOS 8.7.x.x: all
• InstantOS 8.5.x.x: all
• InstantOS 8.4.x.x: all
• InstantOS 6.5.x.x: all
• InstantOS 6.4.x.x: all

Users of these EoL products are advised to consider migrating to supported versions or implementing additional security measures to protect their networks.

No Public Exploits or Active Exploitation Known

Aruba Networks has stated that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory. However, users need to remain vigilant and apply the available security updates promptly to minimize the risk of future attacks.