HPE Aruba Access Points have Critical Command Injection Vulnerabilities

The vulnerabilities impact Access Points running Instant AOS-8 and AOS-10.

Overview

Hewlett Packard Enterprise (HPE) Aruba Networking has identified multiple critical security vulnerabilities affecting its Access Points running Instant AOS-8 and AOS-10.

The vulnerabilities, tracked under several CVEs including CVE-2024-42509 and CVE-2024-47460, could allow unauthenticated attackers to remotely execute commands on the device, potentially compromising the underlying operating system. HPE has issued patches to address these issues, and users are urged to upgrade as soon as possible.

These vulnerabilities impact widely deployed HPE Aruba Access Points and pose significant risks to network security, with certain devices remaining unpatched due to their end-of-maintenance (EoM) status.

Vulnerabilities Summary

  • Advisory ID: HPESBNW04722
  • CVE IDs:
    • CVE-2024-42509
    • CVE-2024-47460
    • CVE-2024-47461
    • CVE-2024-47462
    • CVE-2024-47463
    • CVE-2024-47464
  • Severity: Critical to Medium
  • Affected Software Versions:
    • AOS-10.4.x.x: Versions up to 10.4.1.4
    • Instant AOS-8.12.x.x: Versions up to 8.12.0.2
    • Instant AOS-8.10.x.x: Versions up to 8.10.0.13
  • Unaffected Products: HPE Aruba Mobility Conductor, Mobility Controllers, SD-WAN Gateways, and InstantOn Access Points

Detailed Breakdown of Vulnerabilities

  1. CVE-2024-42509: Unauthenticated Command Injection via PAPI Protocol
    • Impact: Allows unauthenticated remote attackers to execute arbitrary commands as a privileged user via specially crafted packets sent to Aruba’s PAPI (UDP port 8211).
    • Severity: Critical (CVSS 9.8)
    • Mitigation: For Instant AOS-8, enabling cluster security via the cluster-security command can prevent exploitation. For AOS-10 devices, network administrators should block UDP/8211 from untrusted networks.
  2. CVE-2024-47460: Command Injection via CLI Service through PAPI Protocol
    • Impact: Similar to CVE-2024-42509, this vulnerability allows command injection by sending packets to the PAPI protocol, leading to unauthorized command execution.
    • Severity: Critical (CVSS 9.0)
    • Mitigation: Enabling cluster security for Instant AOS-8 or restricting access to UDP/8211 for AOS-10.
  3. CVE-2024-47461: Authenticated Remote Command Execution (RCE)
    • Impact: An authenticated attacker could execute commands with elevated privileges on affected devices, compromising the underlying OS.
    • Severity: High (CVSS 7.2)
    • Mitigation: Restrict the CLI and web-based management interfaces to a dedicated management VLAN and apply firewall policies to limit who can reach them.
  4. CVE-2024-47462 and CVE-2024-47463: Authenticated Arbitrary File Creation Leading to RCE
    • Impact: Authenticated attackers can create arbitrary files, potentially leading to remote code execution.
    • Severity: High (CVSS 7.2)
    • Mitigation: Limit access to the CLI and web-based management interfaces as described for CVE-2024-47461.
  5. CVE-2024-47464: Authenticated Path Traversal
    • Impact: Allows attackers with valid credentials to copy arbitrary files to a readable location, leading to potential unauthorized access to sensitive files.
    • Severity: Medium (CVSS 6.8)
    • Mitigation: Restrict access to management interfaces to secure segments and implement firewall policies.

Mitigations and Recommendations

HPE Aruba has released patches for the impacted AOS-8 and AOS-10 versions to mitigate these vulnerabilities. Users should upgrade to the latest available versions immediately to secure their systems:

  • AOS-10.7.x.x: 10.7.0.0 and above
  • AOS-10.4.x.x: 10.4.1.5 and above
  • Instant AOS-8.12.x.x: 8.12.0.3 and above
  • Instant AOS-8.10.x.x: 8.10.0.14 and above

Additional Recommendations:

  • Enable Cluster Security: For AOS-8 devices, enabling cluster security via the cluster-security command can effectively mitigate certain command injection vulnerabilities.
  • Restrict Access to Management Ports: For AOS-10 devices, block PAPI protocol (UDP port 8211) from untrusted networks to limit potential attack vectors.
  • Network Segmentation: Segregate management interfaces on a dedicated VLAN and enforce strict access control policies using firewall rules.
  • Regular Monitoring: Conduct regular vulnerability assessments and monitor system logs for unusual activity.

Devices Not Receiving Patches

Some affected software versions have reached their end-of-maintenance (EoM) status and will not receive updates. This includes versions AOS-10.3.x.x and below, as well as Instant AOS-8.11.x.x and older.

For these devices, HPE recommends isolating them from untrusted networks or replacing them with supported models.
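The two checks an administrator would want to script from the advisory summary above are a version triage (is this AP's running release still vulnerable, already patched, or on an end-of-maintenance train that will never be patched) and a flow check for PAPI traffic reaching UDP/8211 from outside the trusted management networks. The following is an added example, not code from HPE or from the original post; the version table is copied from the fixed and EoM releases listed on this page, the flow records and addresses are constructed sample data, and trains the page does not mention (for example a hypothetical 10.6.x.x) are reported as "unknown" rather than guessed.

```python
from ipaddress import ip_address, ip_network

# Fixed releases per train, as listed in the advisory summary above.
FIXED = {
    (10, 7): (10, 7, 0, 0),
    (10, 4): (10, 4, 1, 5),
    (8, 12): (8, 12, 0, 3),
    (8, 10): (8, 10, 0, 14),
}
# Trains the page names as end-of-maintenance ("10.3.x.x and below",
# "8.11.x.x and older"); anything older than the lowest patched train
# of the same major is treated the same way (assumption).
EOM_TRAINS = {(10, 3), (8, 11)}
PAPI_PORT = 8211  # UDP port used by Aruba's PAPI protocol


def parse_version(text):
    """Turn '10.4.1.4' into a comparable 4-tuple of ints."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected version format: {text}")
    return parts


def patch_status(version):
    """Classify a running version: 'patched', 'vulnerable', 'eom' or 'unknown'."""
    v = parse_version(version)
    train = v[:2]
    if train in FIXED:
        return "patched" if v >= FIXED[train] else "vulnerable"
    same_major = [t for t in FIXED if t[0] == train[0]]
    if train in EOM_TRAINS or (same_major and train < min(same_major)):
        return "eom"
    return "unknown"  # train not covered by the advisory text on this page


def papi_exposure(flows, trusted_nets):
    """Return (src, dst) pairs for UDP/8211 flows from outside trusted networks.

    flows: iterable of (src_ip, dst_ip, proto, dst_port) records, e.g. from
    firewall or NetFlow logs already parsed into tuples."""
    trusted = [ip_network(n) for n in trusted_nets]
    return [
        (src, dst)
        for src, dst, proto, dport in flows
        if proto == "udp" and dport == PAPI_PORT
        and not any(ip_address(src) in net for net in trusted)
    ]


if __name__ == "__main__":
    # Constructed sample: one AP on 10.4.1.4, one external source hitting PAPI.
    print(patch_status("10.4.1.4"), patch_status("8.11.2.0"))
    sample_flows = [("203.0.113.7", "10.10.5.21", "udp", 8211),
                    ("10.10.0.5", "10.10.5.21", "udp", 8211)]
    print(papi_exposure(sample_flows, ["10.10.0.0/24"]))
```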

Conclusion

The critical vulnerabilities in HPE Aruba Networking’s Instant AOS-8 and AOS-10 software call for urgent patching. By promptly applying these updates and enforcing network access controls, organizations can significantly reduce the risk of unauthorized command execution and data breaches. For legacy devices beyond maintenance, adopting network isolation and considering device upgrades are key steps toward minimizing potential exposure.

Sources:

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
