HPE Aruba Networking Patches Critical Vulnerabilities in Mobility Controllers and Gateways
Recently, HPE Aruba Networking announced a comprehensive update to its ArubaOS software, targeting multiple critical vulnerabilities that could potentially allow attackers to execute arbitrary code remotely and cause denial-of-service conditions. The advisory details patches for various versions of ArubaOS, affecting a wide range of products including Mobility Conductors, Mobility Controllers, and several Gateway devices managed by Aruba Central.
Critical Vulnerabilities Exposed
Several severe vulnerabilities have been disclosed, all sharing critical CVSSv3 scores of 9.8, indicative of their severity and potential impact:
- CVE-2024-26305: An unauthenticated buffer overflow vulnerability within the Utility Daemon accessible via the PAPI protocol, allowing remote code execution.
- CVE-2024-26304: Similar to CVE-2024-26305, this buffer overflow affects the L2/L3 Management Service, also exploitable via the PAPI protocol.
- CVE-2024-33511: Another critical buffer overflow vulnerability located in the Automatic Reporting Service.
- CVE-2024-33512: This vulnerability impacts the Local User Authentication Database, potentially leading to unauthenticated remote code execution.
- Multiple Denial-of-Service Vulnerabilities: Including CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516, and CVE-2024-33517, which can disrupt normal operations of services such as the AP Management and Radio Frequency Manager.
These vulnerabilities were identified through HPE Aruba Networking’s bug bounty program, with significant contributions from security researchers such as Chancen and XiaoC from Moonlight Bug Hunter.
The Urgency of Updates
The vulnerabilities affect multiple versions of ArubaOS, with patches provided for versions from 8.10.x.x up to 10.5.x.x. Notably, earlier versions of the software, such as ArubaOS 10.3.x.x and several SD-WAN software versions, which are already out of maintenance, will not receive these updates. This leaves devices running these versions particularly vulnerable to attacks, emphasizing the importance of maintaining up-to-date software on all network devices.
Mitigation and Workarounds
For systems running ArubaOS 8.x, HPE Aruba advises enabling the Enhanced PAPI Security feature using a non-default key to mitigate these vulnerabilities. However, for the more recent ArubaOS 10.x, users are urged to upgrade to the latest recommended versions to resolve the issues described. It is important to note that there are no workarounds for certain vulnerabilities in the 10.x versions; thus, upgrading is the only secure option.
Upgrade Paths and Recommendations
Users of affected products are recommended to upgrade to the following versions of ArubaOS, which contain fixes for the vulnerabilities mentioned:
- ArubaOS 10.6.x.x: Version 10.6.0.0 and above
- ArubaOS 10.5.x.x: Version 10.5.1.1 and above
- ArubaOS 10.4.x.x: Version 10.4.1.1 and above
- ArubaOS 8.11.x.x: Version 8.11.2.2 and above
- ArubaOS 8.10.x.x: Version 8.10.0.11 and above
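To turn the upgrade table above into a quick inventory check, the following added example (not code from HPE Aruba or the advisory) compares a device's reported ArubaOS version against the minimum fixed release for its branch, treating "and above" as greater-or-equal within the same major.minor branch; it flags the out-of-maintenance 10.3.x.x branch as unpatchable and reports branches not named here as unknown rather than guessing. Hostnames and versions in the sample inventory are constructed.

```python
# Minimum fixed releases per ArubaOS branch, taken from the advisory summary above.
FIXED_VERSIONS = {
    (10, 6): (10, 6, 0, 0),
    (10, 5): (10, 5, 1, 1),
    (10, 4): (10, 4, 1, 1),
    (8, 11): (8, 11, 2, 2),
    (8, 10): (8, 10, 0, 11),
}

# Branch the article names as out of maintenance: no fix will ship for it.
UNSUPPORTED_BRANCHES = {(10, 3)}


def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an ArubaOS x.y.z.w version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return 'patched', 'vulnerable', 'unsupported' or 'unknown-branch'."""
    version = parse_version(version_text)
    branch = version[:2]          # major.minor identifies the release train
    if branch in UNSUPPORTED_BRANCHES:
        return "unsupported"      # must migrate to a maintained branch
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown-branch"   # not covered by the table; check the advisory
    # Tuple comparison gives correct numeric ordering (0.9 < 0.11 as ints).
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map each (hostname, version) pair to its patch status."""
    return {host: assess(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        ("mc-core-1", "8.10.0.9"),
        ("mc-core-2", "8.10.0.11"),
        ("gw-branch-7", "10.5.1.0"),
        ("gw-branch-8", "10.3.1.0"),
        ("mm-1", "8.11.2.2"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Devices reported as "vulnerable" on 8.x branches are the ones where the Enhanced PAPI Security workaround applies until they can be upgraded; on 10.x the article notes there is no workaround, so only the upgrade clears the finding.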