HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems.
Of the 10 security flaws, four are rated critical in severity:
- CVE-2024-26304 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
- CVE-2024-26305 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
- CVE-2024-33511 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
- CVE-2024-33512 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol
A threat actor could exploit the aforementioned buffer overflow bugs by sending specially crafted packets destined to the Process Application Programming Interface (PAPI) UDP port (8211), thereby gaining the ability to execute arbitrary code as a privileged user on the underlying operating system.
The vulnerabilities, which affect Mobility Conductor (formerly Mobility Master), Mobility Controllers, and WLAN Gateways and SD-WAN Gateways managed by Aruba Central, are present in the following software versions:
- ArubaOS 10.5.1. and below
- ArubaOS 10.4.1. and below
- ArubaOS 8.11.2.1 and below, and
- ArubaOS 8.10..10 and below
They also affect the ArubaOS and SD-WAN software versions that have reached end of maintenance status:
- ArubaOS 10.3.x.x
- ArubaOS 8.9.x.x
- ArubaOS 8.8.x.x
- ArubaOS 8.7.x.x
- ArubaOS 8.6.x.x
- ArubaOS 6.5.4.x
- SD-WAN 8.7..-2.3..x, and
- SD-WAN 8.6..4-2.2.x.x
A security researcher named Chancen has been credited with discovering and reporting seven of the 10 issues, including the four critical buffer overflow vulnerabilities.
Users are urged to apply the latest fixes to mitigate potential threats. As a temporary workaround for ArubaOS 8.x, the company is recommending that users enable the Enhanced PAPI Security feature using a non-default key.
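Because all four critical bugs are reached over PAPI on UDP port 8211, it is worth checking which sources can actually reach that port on controllers and gateways while patches roll out. The following is an added example, not part of the original article or HPE's advisory: it scans flow records for UDP/8211 traffic to controllers from outside expected networks. The log format, subnets, controller addresses and sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress

PAPI_PORT = 8211  # PAPI UDP port named in the article

# Assumption: subnets that legitimately speak PAPI to the controllers (APs, peers).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.5.0/24")]
# Assumption: controller / gateway addresses to watch.
CONTROLLERS = {ipaddress.ip_address(a) for a in ("10.30.5.10", "10.30.5.11")}

# Constructed sample flow records: time,proto,src,dst,dport,action
SAMPLE_FLOWS = """\
2024-05-02T10:00:01Z,udp,10.20.4.17,10.30.5.10,8211,allow
2024-05-02T10:00:03Z,udp,192.0.2.44,10.30.5.10,8211,allow
2024-05-02T10:00:04Z,tcp,192.0.2.44,10.30.5.10,8211,allow
2024-05-02T10:00:09Z,udp,198.51.100.7,10.30.5.11,8211,deny
2024-05-02T10:00:12Z,udp,192.0.2.44,10.30.5.11,8211,allow
2024-05-02T10:00:15Z,udp,10.20.9.3,10.99.0.1,8211,allow
2024-05-02T10:00:20Z,udp,not-an-ip,10.30.5.10,8211,allow
"""

def untrusted_papi_sources(flow_text):
    """Return {source_ip: {"allow": n, "deny": n}} for UDP/8211 flows that target
    a controller from outside TRUSTED_NETS. Malformed rows are skipped."""
    findings = {}
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6:
            continue
        _, proto, src, dst, dport, action = (f.strip() for f in row)
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue
        if proto.lower() != "udp" or port != PAPI_PORT or dst_ip not in CONTROLLERS:
            continue
        if any(src_ip in net for net in TRUSTED_NETS):
            continue
        counts = findings.setdefault(str(src_ip), {"allow": 0, "deny": 0})
        if action.lower() in counts:
            counts[action.lower()] += 1
    return findings

if __name__ == "__main__":
    for src, counts in sorted(untrusted_papi_sources(SAMPLE_FLOWS).items()):
        status = "REACHABLE" if counts["allow"] else "blocked"
        print(f"{src}: {status} allow={counts['allow']} deny={counts['deny']}")
```

Any source reported as REACHABLE is a path to the PAPI service that an ACL or firewall rule should close.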
Some parts of this article are sourced from:
thehackernews.com