HPE Aruba Networking Addresses Severe Vulnerabilities in Access Points

HPE Aruba Networking has released security updates to address multiple critical vulnerabilities in its Aruba Access Points running InstantOS and ArubaOS 10. These vulnerabilities could potentially allow unauthorized remote attackers to execute arbitrary code and take control of affected systems.

Critical Flaws in Soft AP Daemon and AP Certificate Management Services

The most severe vulnerabilities with a CVSS score of 9.8, identified as CVE-2024-42393, CVE-2024-42394, and CVE-2024-42395, reside in the Soft AP Daemon Service and AP Certificate Management Service. Successful exploitation of these flaws could enable attackers to remotely execute commands on the underlying operating system, leading to a complete system compromise.

Other Vulnerabilities and Mitigations

In addition to the critical flaws, the security advisory also addresses several moderate vulnerabilities in the OpenSSH daemon and PAPI protocol. These vulnerabilities could lead to remote code execution and denial-of-service attacks, respectively.

HPE Aruba Networking strongly recommends that customers upgrade their Access Points to the latest software versions to mitigate these risks. Specific patches and updated versions are available for InstantOS 8.12.x.x, InstantOS 8.10.x.x, ArubaOS 10.6.x.x, and ArubaOS 10.4.x.x.

Urgency for Older Versions

Customers running end-of-maintenance software versions are particularly vulnerable, as these versions are not covered by the security advisory. HPE Aruba Networking urges users of these older versions to migrate to supported branches as soon as possible.

Workarounds and Additional Recommendations

While upgrading is the most effective solution, HPE Aruba Networking has also provided workarounds for some vulnerabilities. These involve enabling cluster security or blocking access to specific ports from untrusted networks.

Furthermore, HPE Aruba Networking recommends restricting access to CLI and web-based management interfaces to a dedicated network segment or VLAN and implementing firewall policies for added protection.

For detailed information on the vulnerabilities, affected products, and remediation steps, please refer to the official HPE security advisory.

Related Posts:

• HPE Aruba Networking Patches Critical Vulnerabilities in Access Points
• Aruba Networks fixes multiple vulnerabilities in Aruba Access Points
• HPE Aruba Networking Patches Critical Vulnerabilities in Mobility Controllers and Gateways
• HPE Aruba AirWave Glass Product Remote Code Execution Vulnerability
• HPE Servers Exposed: Critical Vulnerability Demands Urgent Firmware Update