Hewlett Packard Enterprise (HPE) released updates for Instant AOS-8 and AOS-10 software to address two critical vulnerabilities in Aruba Networking Access Points.

The two security issues could allow a remote attacker to perform unauthenticated command injection by sending specially crafted packets to Aruba’s Access Point management protocol (PAPI) over UDP port 8211.

The critical flaws are tracked as CVE-2024-42509 and CVE-2024-47460, and have been assessed with a severity score of 9.8 and 9.0, respectively. Both are in the command line interface (CLI) service, which is accessed via the PAPI protocol.

The update also fixes another four security vulnerabilities:

• CVE-2024-47461 (7.2 severity score): authenticated remote command execution that could allow an attacker to execute arbitrary commands on the underlying operating system
• CVE-2024-47462 and CVE-2024-47463 (7.2 severity score): an authenticated attacker could create arbitrary files, potentially leading to remote command execution
• CVE-2024-47464 (6.8 severity score): an authenticated attacker exploiting it could access unauthorized files via path traversal

All six vulnerabilities impact AOS-10.4.x.x: 10.4.1.4 and older releases, Instant AOS-8.12.x.x: 8.12.0.2 and below, and Instant AOS-8.10.x.x: 8.10.0.13 and older versions.

HPE notes in the security advisory that several more versions of the software that have reached their End of Maintenance dates are also impacted by these flaws there will be no security updates for them.

Fixes and workarounds

To address vulnerabilities in Aruba Networking Access Points, HPE recommends users to update their devices to the following software versions or newer:

• AOS-10.7.x.x: Update to version 10.7.0.0 and later.
• AOS-10.4.x.x: Update to version 10.4.1.5 or later.
• Instant AOS-8.12.x.x: Update to version 8.12.0.3 or newer.
• Instant AOS-8.10.x.x: Update to version 8.10.0.14 or above

HPE has also provided workarounds for all six flaws to help in cases where software updates cannot be immediately installed:

For the two critical flaws, the proposed workaround is to restrict/block access to the UDP port 8211 from all untrusted networks.

For the rest of the issues, the vendor recommends restricting access to the CLI and web-based management interfaces by placing them on a dedicated layer 2 segment or VLAN, and to control access with firewall policies at layer 3 and above, which would limit potential exposure.

No active exploitation of the flaws has been observed, but applying the security updates and/or mitigations comes as a strong recommendation.