Trending

ee-track">
Vulnerabilities

HPE Aruba Access Points have Critical Command Injection Vulnerabilities

Overview

Hewlett Packard Enterprise (HPE) Aruba Networking has identified multiple critical security vulnerabilities affecting its Access Points running Instant AOS-8 and AOS-10.

The vulnerabilities, tracked under several CVEs including CVE-2024-42509 and CVE-2024-47460, could allow unauthenticated attackers to remotely execute commands on the device, potentially compromising the underlying operating system. HPE has issued patches to address these issues, and users are urged to upgrade as soon as possible.

These vulnerabilities impact widely deployed HPE Aruba Access Points and pose significant risks to network security, with certain devices remaining unpatched due to their end-of-maintenance (EoM) status.

Vulnerabilities Summary

  • Advisory ID: HPESBNW04722
  • CVE IDs:
    • CVE-2024-42509
    • CVE-2024-47460
    • CVE-2024-47461
    • CVE-2024-47462
    • CVE-2024-47463
    • CVE-2024-47464
  • Severity: Critical to Medium
  • Affected Software Versions:
    • AOS-10.4.x.x: Versions up to 10.4.1.4
    • Instant AOS-8.12.x.x: Versions up to 8.12.0.2
    • Instant AOS-8.10.x.x: Versions up to 8.10.0.13
  • Unaffected Products: HPE Aruba Mobility Conductor, Mobility Controllers, SD-WAN Gateways, and InstantOn Access Points

Detailed Breakdown of Vulnerabilities

  1. CVE-2024-42509: Unauthenticated Command Injection via PAPI Protocol
    • Impact: Allows unauthenticated remote attackers to execute arbitrary commands as a privileged user via specially crafted packets sent to Aruba’s PAPI (UDP port 8211).
    • Severity: Critical (CVSS 9.8)
    • Mitigation: For Instant AOS-8, enabling cluster security via the cluster-security command can prevent exploitation. For AOS-10 devices, network administrators should block UDP/8211 from untrusted networks.
  2. CVE-2024-47460: Command Injection via CLI Service through PAPI Protocol
    • Impact: Similar to CVE-2024-42509, this vulnerability allows command injection by sending packets to the PAPI protocol, leading to unauthorized command execution.
    • Severity: Critical (CVSS 9.0)
    • Mitigation: Enabling cluster security for Instant AOS-8 or restricting access to UDP/8211 for AOS-10.
  3. CVE-2024-47461: Authenticated Remote Command Execution (RCE)
    • Impact: An authenticated attacker could execute commands with elevated privileges on affected devices, compromising the underlying OS.
    • Severity: High (CVSS 7.2)
    • Mitigation: Restrict CLI and web-based management to a dedicated VLAN and firewall policies to limit access.
  4. CVE-2024-47462 and CVE-2024-47463: Authenticated Arbitrary File Creation Leading to RCE
    • Impact: Authenticated attackers can create arbitrary files, potentially leading to remote code execution.
    • Severity: High (CVSS 7.2)
    • Mitigation: Limit access to the CLI and web-based management interfaces as described for CVE-2024-47461.
  5. CVE-2024-47464: Authenticated Path Traversal
    • Impact: Allows attackers with valid credentials to copy arbitrary files to a readable location, leading to potential unauthorized access to sensitive files.
    • Severity: Medium (CVSS 6.8)
    • Mitigation: Restrict access to management interfaces to secure segments and implement firewall policies.

Mitigations and Recommendations

HPE Aruba has released patches for the impacted AOS-8 and AOS-10 versions to mitigate these vulnerabilities. Users should upgrade to the latest available versions immediately to secure their systems:

  • AOS-10.7.x.x: 10.7.0.0 and above
  • AOS-10.4.x.x: 10.4.1.5 and above
  • Instant AOS-8.12.x.x: 8.12.0.3 and above
  • Instant AOS-8.10.x.x: 8.10.0.14 and above

Additional Recommendations:

  • Enable Cluster Security: For AOS-8 devices, enabling cluster security via the cluster-security command can effectively mitigate certain command injection vulnerabilities.
  • Restrict Access to Management Ports: For AOS-10 devices, block PAPI protocol (UDP port 8211) from untrusted networks to limit potential attack vectors.
  • Network Segmentation: Segregate management interfaces on a dedicated VLAN and enforce strict access control policies using firewall rules.
  • Regular Monitoring: Conduct regular vulnerability assessments and monitor system logs for unusual activity.

Devices Not Receiving Patches

Some affected software versions have reached their end-of-maintenance (EoM) status and will not receive updates. This includes versions AOS-10.3.x.x and below, as well as Instant AOS-8.11.x.x and older.

For these devices, HPE recommends isolating them from untrusted networks or replacing them with supported models.

report-ad-banner

Conclusion

The critical vulnerabilities in HPE Aruba Networking’s Instant AOS-8 and AOS-10 software call for urgent patching. By promptly applying these updates and enforcing network access controls, organizations can significantly reduce the risk of unauthorized command execution and data breaches. For legacy devices beyond maintenance, adopting network isolation and considering device upgrades are key steps toward minimizing potential exposure.

Sources:

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US

Scroll to Top

Book your session

Request a Personalized Demo

See how Cyble's threat intelligence protects your organization. A specialist will reach out within one business day.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams

Download the brochure

Get the Cyble Vision Brochure

Explore how Cyble Vision delivers AI-powered threat intelligence across your attack surface. Fill in your details to access the brochure.

Select one or more options

Cyble protects your personal data to manage your account and deliver requested content. Submit your details to receive updates. Withdraw consent anytime. See our privacy policy for details.

Your information is encrypted and never shared.
SOC 2 Type II GDPR compliant Trusted by 1,000+ teams