• Posted by: Michael Johnson
• November 12, 2024

HPE Patches Critical Command Injection Flaws in Aruba Network APs

Hewlett Packard Enterprise (HPE) has released critical security updates addressing multiple vulnerabilities in Aruba Networking Access Point products, specifically two critical issues that allow unauthenticated command execution.

The affected products are Access Points running Instant AOS-8 and AOS-10, with vulnerabilities in the following versions:

1. AOS-10.4.x.x: 10.4.1.4 and below
2. Instant AOS-8.12.x.x: 8.12.0.2 and below
3. Instant AOS-8.10.x.x: 8.10.0.13 and below

The most severe vulnerabilities among the six addressed are CVE-2024-42509 (CVSS score: 9.8) and CVE-2024-47460 (CVSS score: 9.0). These critical flaws involve unauthenticated command injection in the CLI Service, potentially enabling the execution of arbitrary code.

According to HPE’s advisory, “Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability allows arbitrary code execution as a privileged user on the operating system.”

To mitigate CVE-2024-42509 and CVE-2024-47460, HPE advises enabling cluster security via the cluster-security command on devices running Instant AOS-8. For AOS-10 devices, HPE recommends blocking access to UDP port 8211 from all untrusted networks.

Other vulnerabilities addressed include:

1. CVE-2024-47461 (CVSS score: 7.2) - An authenticated arbitrary remote command execution (RCE) vulnerability in Instant AOS-8 and AOS-10.
2. CVE-2024-47462 and CVE-2024-47463 (CVSS scores: 7.2) - Arbitrary file creation vulnerabilities leading to authenticated remote command execution in Instant AOS-8 and AOS-10.
3. CVE-2024-47464 (CVSS score: 6.8) - An authenticated path traversal vulnerability allowing unauthorized access to files.

To further safeguard these systems, HPE recommends restricting access to CLI and web-based management interfaces by placing them within a dedicated VLAN and managing access through firewall policies at layer 3 or higher.

While there have been no reported exploits of these vulnerabilities in the wild, Arctic Wolf warns that Aruba Network access points could become a target for threat actors due to the privileged access these vulnerabilities could potentially grant. “Threat actors may attempt to reverse-engineer the patches to exploit unpatched systems in the near future,” Arctic Wolf noted.