Aruba access points running AOS-8 and AOS-10 need to be patched urgently after HPE emitted fixes for three critical flaws in its networking subsidiary’s access points.
The issues would allow an unauthenticated attacker to run code on Aruba’s systems by sending carefully crafted packets to UDP port 8211, the operating system’s Proprietary Access Protocol Interface (PAPI), which would provide that miscreant privileged access to the equipment.
The three vulnerabilities – CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507 – are all rated 9.8 out of 10 on the CVSS severity scale.
The flaws affect versions of AOS 10.6.x.x (up to and including 10.6.0.2), as well as Instant AOS 8.12.x.x (8.12.0.1 and earlier versions). HPE is also warning that end-of-life code, including AOS 10.5 and 10.3 and Instant AOS 8.11, as well as earlier incarnations, is affected and will not receive fixes; the advice is to upgrade these systems to get protection.
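Turning the affected-version list into a triage helper is the first thing an AP fleet owner would do. The script below is an added example, not HPE or Aruba code: the version thresholds (10.6.0.2, 8.12.0.1, and the end-of-life 10.5, 10.3 and 8.11 branches) come from the article, while the inventory format and the assumption that any later build on the 10.6 or 8.12 branch carries the fix are mine.

```python
"""Triage helper for the Aruba AP advisory described above.

Added example, not HPE/Aruba code. Version thresholds are taken from the
article (AOS 10.6.0.2, Instant AOS 8.12.0.1, end-of-life 10.5/10.3/8.11 and
earlier). Assumptions: later builds on the 10.6 / 8.12 branches are fixed,
every branch below the supported one is end-of-life, and the inventory is a
CSV of hostname,product,version.
"""
from typing import Dict, Tuple

# Constructed inventory lines (hostname,product,version), not real devices.
INVENTORY = """\
ap-lobby-01,AOS-10,10.6.0.2
ap-lobby-02,AOS-10,10.6.0.3
ap-warehouse-07,AOS-10,10.5.1.0
ap-branch-03,Instant AOS-8,8.12.0.1
ap-branch-04,Instant AOS-8,8.12.0.2
ap-legacy-09,Instant AOS-8,8.11.2.1
"""

# Last affected build on each still-supported branch, per the advisory text.
LAST_AFFECTED = {
    ("AOS-10", (10, 6)): (10, 6, 0, 2),
    ("Instant AOS-8", (8, 12)): (8, 12, 0, 1),
}

# The branch that still receives fixes for each product line.
SUPPORTED_BRANCH = {"AOS-10": (10, 6), "Instant AOS-8": (8, 12)}


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.6.0.2' -> (10, 6, 0, 2); tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def classify(product: str, version: str) -> str:
    ver = parse_version(version)
    branch = ver[:2]
    key = (product, branch)
    if key in LAST_AFFECTED:
        # Supported branch: either at/below the last vulnerable build, or fixed.
        return "affected-patch-available" if ver <= LAST_AFFECTED[key] else "fixed"
    # Older branches (10.5, 10.3, 8.11 and earlier) are end-of-life: no patch,
    # the only remedy is an upgrade. Applying this to every branch below the
    # supported one is an assumption.
    if product in SUPPORTED_BRANCH and branch < SUPPORTED_BRANCH[product]:
        return "end-of-life-upgrade-required"
    return "unknown"


def triage(inventory: str) -> Dict[str, str]:
    """Map each hostname in the CSV inventory to its patch status."""
    results = {}
    for line in inventory.strip().splitlines():
        host, product, version = line.split(",")
        results[host] = classify(product, version)
    return results


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:18} {status}")
```

Devices reported as `end-of-life-upgrade-required` cannot be fixed in place, so they belong at the top of the remediation list alongside any `affected-patch-available` units that are reachable from untrusted networks.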
“Enabling cluster-security via the cluster-security command will prevent these vulnerabilities from being exploited in devices running Instant AOS-8.x code,” HPE advised in its security alert. “For AOS-10 devices this is not an option and instead access to UDP port 8211 must be blocked from all untrusted networks.”
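For the AOS-10 case, where the only mitigation is blocking UDP 8211 from untrusted networks, an administrator wants two things: evidence of whether PAPI is currently reachable from outside the trusted management network, and a filter rule to close it. The script below is an added example, not HPE or Aruba code; the trusted network (a management VLAN), the AP subnet, the key=value firewall log format and the sample lines are all constructed assumptions.

```python
"""Exposure check and block rule for PAPI (UDP/8211) on AOS-10 access points.

Added example, not HPE/Aruba code. The article states that AOS-10 has no
cluster-security option and that UDP 8211 must be blocked from all untrusted
networks. Assumptions: the trusted management VLAN is 10.20.0.0/16, APs live
in 10.30.0.0/16, and firewall logs are space-separated key=value fields.
"""
import ipaddress
from typing import Dict, List, Tuple

PAPI_PORT = 8211
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed management VLAN
AP_SUBNETS = ["10.30.0.0/16"]                           # assumed AP subnet

# Constructed firewall log lines (accepted flows), not from a real device.
SAMPLE_LOG = """\
2024-09-25T10:01:02Z action=accept proto=udp src=10.20.5.11 dst=10.30.1.7 dport=8211
2024-09-25T10:01:05Z action=accept proto=udp src=203.0.113.44 dst=10.30.1.7 dport=8211
2024-09-25T10:01:09Z action=accept proto=tcp src=203.0.113.44 dst=10.30.1.7 dport=443
2024-09-25T10:02:13Z action=accept proto=udp src=192.168.77.9 dst=10.30.1.8 dport=8211
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split 'ts k=v k=v ...' into a dict; the timestamp becomes fields['ts']."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_papi_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for accepted UDP/8211 flows from outside TRUSTED_NETS.

    Any hit means PAPI on that AP is reachable from a network the advisory
    says must be blocked, so the AP is exposed until the filter is in place.
    """
    hits = []
    for line in log_text.strip().splitlines():
        f = parse_line(line)
        if (f.get("action") == "accept" and f.get("proto") == "udp"
                and int(f.get("dport", "0")) == PAPI_PORT
                and not is_trusted(f["src"])):
            hits.append((f["ts"], f["src"], f["dst"]))
    return hits


def nft_rules(ap_subnets: List[str], trusted_nets: List[str]) -> str:
    """Render nftables rules: permit PAPI only from trusted nets to the APs, drop the rest."""
    lines = [
        "table inet aruba_papi {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
    ]
    for ap in ap_subnets:
        for tn in trusted_nets:
            lines.append(f"    ip saddr {tn} ip daddr {ap} udp dport {PAPI_PORT} accept")
        lines.append(f"    ip daddr {ap} udp dport {PAPI_PORT} drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for ts, src, dst in untrusted_papi_hits(SAMPLE_LOG):
        print(f"{ts} EXPOSED: PAPI on {dst} accepted from untrusted {src}")
    print(nft_rules(AP_SUBNETS, [str(n) for n in TRUSTED_NETS]))
```

The rule set is ordered so that the trusted-source accept lines precede the unconditional drop for each AP subnet; on a firewall that is not nftables the same allow-then-deny ordering applies, and the log check is worth re-running after the change to confirm no untrusted source is still being accepted.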
It’s not the first time PAPI has been shown to have serious problems this year. Back in May, Aruba fixed four critical flaws in the system after proof-of-concept exploit code was released, and then issued more patches less than a week later.
These patches will be of particular concern to sysadmins wi