Overview
JoCERT has issued an alert regarding critical command injection vulnerabilities discovered in HPE Aruba’s 501 Wireless Client Bridge. The vulnerabilities, tracked as CVE-2024-54006 and CVE-2024-54007, allow authenticated attackers with administrative privileges to execute arbitrary commands on the device’s underlying operating system.
These flaws have been rated as high severity (CVSS score: 7.2) and pose a significant risk if left unaddressed.
A publicly released proof-of-concept (PoC) exploit further amplifies the urgency for organizations using affected devices to take immediate action.
Vulnerabilities Overview
HPE Aruba Networking has confirmed the existence of multiple command injection vulnerabilities in the web interface of the 501 Wireless Client Bridge. Below is a detailed breakdown of these vulnerabilities:
- CVE-2024-54006: Exploitation enables attackers to execute arbitrary commands as privileged users.
- CVE-2024-54007: Similarly, this flaw allows attackers to run commands remotely with administrative credentials.
Both vulnerabilities:
- Require administrative authentication credentials to exploit.
- Allow attackers to gain full control over the device upon successful exploitation.
- Impact the confidentiality, integrity, and availability of the device.
Affected Software Versions
The vulnerabilities affect the following software versions:
- HPE Aruba 501 Wireless Client Bridge: Versions V2.1.1.0-B0030 and below.
Devices running software versions higher than V2.1.2.0-B0033 are not impacted. Any other HPE Aruba Networking products not explicitly mentioned remain unaffected.
Severity and Exploitability
- Severity: High (CVSS score: 7.2)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Exploitability: Exploitation requires authenticated administrative credentials. However, once exploited, attackers gain full control of the device, potentially enabling malicious activities such as data exfiltration, lateral movement, and network disruption.
- Public Discussion: A proof-of-concept exploit script has been released publicly, making these vulnerabilities more accessible to attackers.
Mitigation and Recommendations
To safeguard against these vulnerabilities, organizations should follow these steps:
- Upgrade to a Fixed Version:
- Update affected devices to software version V2.1.2.0-B0033 or later. The fixed software can be downloaded from the HPE Networking Support Portal.
- Restrict Management Interfaces:
- Limit access to the Command Line Interface (CLI) and web-based management interfaces to a dedicated Layer 2 VLAN or secure them with Layer 3 firewall policies.
- Audit Network Devices:
- Conduct a thorough security audit of all Aruba devices within your network to identify any unauthorized access or misconfigurations.
- Strengthen Authentication Mechanisms:
- Enforce strong administrative passwords.
- Regularly rotate administrative credentials to minimize the risk of unauthorized access.
- Monitor for Suspicious Activity:
- Implement robust monitoring to detect any unusual or unauthorized access attempts to the 501 Wireless Client Bridge.
- Stay Informed:
- Subscribe to HPE’s Security Bulletin alerts to receive updates about future vulnerabilities and patches.
Technical Details of the Vulnerabilities
CVE-2024-54006
- Description: Multiple command injection vulnerabilities exist in the web interface of the 501 Wireless Client Bridge, allowing attackers to execute arbitrary commands as a privileged user. Exploitation requires administrative authentication credentials.
- CVSS Base Score: 7.2
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2024-54007
- Description: Similar to CVE-2024-54006, this vulnerability allows authenticated attackers to execute commands on the device’s underlying operating system via the web interface.
- CVSS Base Score: 7.2
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Both vulnerabilities were discovered and reported by Nicholas Starke of HPE Aruba Networking SIRT and Hosein Vita.
Workarounds
For organizations unable to immediately update to the fixed version, the following workarounds are recommended:
- Restrict Network Access: Isolate the device management interfaces to a secure VLAN or subnet.
- Firewall Rules: Configure Layer 3 and above firewall policies to limit access to the management interfaces.
- Monitoring and Logging: Enable detailed logging to monitor for unusual administrative activities.
These workarounds are temporary and should not replace patching, which is the most effective mitigation strategy.
Final Notes
These command injection vulnerabilities in HPE Aruba’s 501 Wireless Client Bridge underline the importance of proactive cybersecurity practices. With the rise of publicly disclosed exploits, organizations must act quickly to mitigate risks by updating vulnerable devices, monitoring for threats, and enforcing strict access controls.
Failure to address these vulnerabilities could result in compromised devices, data breaches, and disrupted operations. Take immediate action to protect your network and maintain the integrity of your systems.
Source: https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/87
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04763en_us&docLocale
