HPE Aruba Networking Patches Critical Vulnerabilities in Access Points

HPE Aruba Networking has issued an urgent security advisory, urging customers to patch their Aruba Access Points running InstantOS and ArubaOS 10 due to the discovery of multiple critical vulnerabilities. These flaws could allow unauthenticated attackers to execute malicious code remotely, potentially leading to a complete takeover of the affected devices.

The newly identified vulnerabilities include multiple unauthenticated buffer overflow and command injection flaws in various services accessed via the PAPI (Aruba’s Access Point management protocol) UDP port (8211). These vulnerabilities are critical, with a CVSSv3 score of 9.8, indicating the high risk of unauthenticated remote code execution as a privileged user.

1. Buffer Overflow Vulnerabilities in CLI Service (CVE-2024-31466, CVE-2024-31467):
   • Exploitation through specially crafted packets could lead to remote code execution.
2. Buffer Overflow Vulnerabilities in Central Communications Service (CVE-2024-31468, CVE-2024-31469):
   • Similar exploitation method leading to remote code execution.
3. Buffer Overflow Vulnerability in SAE Service (CVE-2024-31470):
   • Targeting the SAE service for remote code execution.
4. Command Injection Vulnerability in Central Communications Service (CVE-2024-31471):
   • Allows remote code execution via crafted packets.
5. Command Injection Vulnerabilities in Soft AP Daemon Service (CVE-2024-31472):
   • Enables remote code execution.
6. Command Injection Vulnerability in Deauthentication Service (CVE-2024-31473):
   • Potential for remote code execution.
7. Arbitrary File Deletion in CLI Service (CVE-2024-31474) and Central Communications Service (CVE-2024-31475):
   • Could disrupt normal operations and compromise system integrity.
8. Authenticated Command Injection in CLI Interface (CVE-2024-31476, CVE-2024-31477):
   • Enables privileged command execution by authenticated users.
9. Denial-of-Service (DoS) Vulnerabilities in Soft AP Daemon Service (CVE-2024-31478), Central Communications Service (CVE-2024-31479), CLI Service (CVE-2024-31480, CVE-2024-31481), and ANSI Escape Code Service (CVE-2024-31482):
   • Leads to service interruptions.
10. Sensitive Information Disclosure in CLI Service (CVE-2024-31483):
    • Authenticated access could lead to arbitrary file reading.

Affected Software Versions:

• • ArubaOS:
    • 10.5.x.x: 10.5.1.0 and below
    • 10.4.x.x: 10.4.1.0 and below
  • InstantOS:
    • 8.11.x.x: 8.11.2.1 and below
    • 8.10.x.x: 8.10.0.10 and below
    • 8.6.x.x: 8.6.0.23 and below

HPE Aruba Networking strongly recommends that customers upgrade their Aruba Access Points to the latest patched versions immediately. For those using versions of InstantOS that support the feature, enabling “cluster-security” can provide a temporary workaround. Alternatively, blocking access to port UDP/8211 from untrusted networks can mitigate the risk until patches are applied.

To fully address the identified vulnerabilities, HPE Aruba Networking recommends upgrading to the following software versions:

• ArubaOS:
  • 10.6.x.x: 10.6.0.0 and above
  • 10.5.x.x: 10.5.1.1 and above
  • 10.4.x.x: 10.4.1.1 and above
• InstantOS:
  • 8.12.x.x: 8.12.0.0 and above
  • 8.11.x.x: 8.11.2.2 and above
  • 8.10.x.x: 8.10.0.11 and above
  • 8.6.x: 8.6.0.24 and above

As of the advisory release date, HPE Aruba Networking has not identified any public discussions or exploit code targeting these vulnerabilities.

For detailed technical information and further assistance, users are encouraged to review the full security advisory from HPE Aruba Networking and contact their support services.