CVSS 9.8 Vulnerabilities Expose Aruba Access Points to RCE: HPE Urges Immediate Action
The Hewlett Packard Enterprise (HPE) Product Security Response Team has issued a critical advisory concerning multiple command injection vulnerabilities (CVE-2024-42505, CVE-2024-42506, CVE-2024-42507) affecting Aruba Access Points running Instant AOS-8 and AOS-10. These vulnerabilities, each with a CVSS score of 9.8, expose affected devices to remote code execution (RCE) attacks, putting enterprise networks at serious risk.
Exploit Potential and Severity:
The vulnerabilities are command injection flaws in the underlying CLI service, which is reachable through the PAPI (Aruba's Access Point management protocol) port, UDP 8211. An unauthenticated attacker who can reach that port can send specially crafted packets and execute arbitrary code as a privileged user on the device's underlying operating system.
Scope of Impact:
The vulnerabilities impact Aruba Access Points running the following software versions:
- AOS-10.6.x.x: Versions 10.6.0.2 and below
- AOS-10.4.x.x: Versions 10.4.1.3 and below
- Instant AOS-8.12.x.x: Versions 8.12.0.1 and below
- Instant AOS-8.10.x.x: Versions 8.10.0.13 and below
Additionally, several software branches have reached End of Support Life (EoSL) and are not evaluated in this advisory; no fix will be issued for them. Customers running EoSL versions, such as AOS-10.5.x.x and Instant AOS-8.11.x.x, are strongly urged to upgrade to a supported branch immediately.
At the time the advisory was released, HPE Aruba Networking was not aware of public discussion or exploit code targeting these specific vulnerabilities. Given their severity, however, attackers could develop working exploits quickly once the details circulate. With CVSS scores of 9.8, these vulnerabilities are rated Critical and warrant immediate action.
Mitigation and Remediation:
Patched software is available (see Recommended Updates below). Where an upgrade cannot be applied immediately, HPE Aruba Networking recommends the following interim workarounds:
- Cluster-Security for Instant AOS-8 Devices: Enabling the cluster-security feature via the `cluster-security` command prevents exploitation on devices running Instant AOS-8.x software.
- Block PAPI Port for AOS-10 Devices: Cluster-security is not available on AOS-10, so access to UDP port 8211 (PAPI) should be blocked from all untrusted networks. This keeps attackers from reaching the vulnerable service, but it only reduces exposure: hosts on any network that can still reach port 8211 remain able to exploit the flaw until the device is upgraded.
Recommended Updates
To fully address the vulnerabilities, HPE Aruba Networking has released patched software versions for all affected devices. Customers are urged to upgrade to one of the following versions:
- AOS-10.7.x.x: Version 10.7.0.0 and above
- AOS-10.6.x.x: Version 10.6.0.3 and above
- AOS-10.4.x.x: Version 10.4.1.4 and above
- Instant AOS-8.12.x.x: Version 8.12.0.2 and above
- Instant AOS-8.10.x.x: Version 8.10.0.14 and above
Upgrading to these patched versions ensures that the vulnerabilities are fully addressed, securing Aruba Access Points against potential attacks.
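The affected and fixed version lists above are the inputs an operator actually needs to act on, and comparing firmware strings by hand (or as plain strings, where "10.4.1.10" sorts below "10.4.1.4") is error-prone across a fleet. The following triage script is an added example, not code from HPE Aruba Networking or from the advisory: it encodes the advisory's first-fixed release per supported branch and its EoSL branches, classifies each AP in an inventory as fixed, vulnerable, EoSL or unknown, and names the interim workaround that applies to each unpatched device. The inventory format (hostname, version string) and the hostnames are constructed sample data, an assumption about how your AP inventory export looks.

```python
"""Triage Aruba AP firmware versions against HPE's advisory for
CVE-2024-42505, CVE-2024-42506 and CVE-2024-42507.

Added example, not code from HPE Aruba Networking. Branch data is taken
from the advisory; the inventory below is constructed sample data.
"""
from __future__ import annotations
import re

# First fixed release per supported branch, from the advisory's
# "Recommended Updates" list. Versions at or above these are patched.
FIXED = {
    "10.7": (10, 7, 0, 0),
    "10.6": (10, 6, 0, 3),
    "10.4": (10, 4, 1, 4),
    "8.12": (8, 12, 0, 2),
    "8.10": (8, 10, 0, 14),
}
# Branches the advisory names as End of Support Life: not evaluated, no fix.
EOSL = {"10.5", "8.11"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'a.b.c.d' into a tuple of ints so comparisons are numeric."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AOS version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'eosl' or 'unknown' for one AP version."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch in EOSL:
        return "eosl"
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"  # branch not listed in the advisory; check with HPE
    return "fixed" if v >= fixed else "vulnerable"


def interim_mitigation(version: str) -> str:
    """Workaround the advisory offers while a device is still unpatched."""
    major = parse_version(version)[0]
    if major == 8:
        return "enable cluster-security"
    if major == 10:
        return "block UDP/8211 (PAPI) from untrusted networks"
    return "not covered by the advisory"


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group AP hostnames by status; 'vulnerable' and 'eosl' need action."""
    groups: dict[str, list[str]] = {
        "fixed": [], "vulnerable": [], "eosl": [], "unknown": [],
    }
    for host, version in inventory:
        groups[classify(version)].append(host)
    return groups


# Constructed sample inventory (hostname, running firmware); not real devices.
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "10.6.0.2"),     # affected: 10.6.0.2 and below
    ("ap-lobby-02", "10.6.0.3"),     # first fixed 10.6 release
    ("ap-floor2-01", "10.4.1.3"),    # affected
    ("ap-floor2-02", "10.4.1.10"),   # above 10.4.1.4 numerically, fixed
    ("ap-warehouse", "10.5.1.0"),    # EoSL branch: upgrade, no patch coming
    ("iap-branch-01", "8.12.0.1"),   # affected Instant AOS-8
    ("iap-branch-02", "8.10.0.14"),  # first fixed 8.10 release
    ("iap-branch-03", "8.11.2.0"),   # EoSL branch
    ("ap-lab", "10.7.0.0"),          # 10.7 branch ships fixed
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
    for host, ver in SAMPLE_INVENTORY:
        if classify(ver) in ("vulnerable", "eosl"):
            print(f"{host}: {ver} -> {interim_mitigation(ver)} until upgraded")
```

Note that a version on a branch the advisory does not list (for example a 10.x or 8.x branch that is neither in the fixed table nor the EoSL set) is reported as unknown rather than safe; that is deliberate, since the advisory does not make any claim about it.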