HPE this week announced patches for multiple vulnerabilities in its Aruba Networking access points, including two critical-severity command injection bugs.
The critical security defects, tracked as CVE-2024-42509 (CVSS score of 9.8) and CVE-2024-47460 (CVSS score of 9.0), impact Aruba’s access point management protocol’s underlying CLI service.
A remote, unauthenticated attacker can exploit the flaws by sending crafted packets to the protocol’s UDP port (8211), which could lead to arbitrary code execution as a privileged user on the underlying operating system.
The issues, HPE says, affect Access Points running the Instant AOS-8 and AOS-10 software versions, including Instant AOS-6.x and Instant AOS-8.x iterations and AOS- 10.x versions that reached end-of-life (EoL) status.
“Enabling cluster security via the cluster-security command will prevent this vulnerability from being exploited in devices running Instant AOS-8 code. For AOS-10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks,” HPE notes in its advisory.
This week, the company also warned of three high-severity remote code execution (RCE) vulnerabilities affecting the Instant AOS-8 and AOS-10 command line interface, tracked as CVE-2024-47461, CVE-2024-47462, and CVE-2024-47463.
CVE-2024-47461 could allow an authenticated attacker to execute arbitrary commands as a privileged user and fully compromise the underlying host operating system.
CVE-2024-47462 and CVE-2024-47463 “could allow an authenticated remote attacker to create arbitrary files, which could lead to a remote command execution (RCE) on the underlying operating system,” HPE explains.
Restricting the CLI and web-based management interfaces to a dedicated layer 2 segment/VLAN and/or controlling them through firewall policies should mitigate the likelihood of these vulnerabilities being exploited, HPE says.
Instant AOS-8 and AOS-10, HPE warned, are also affected by a high-severity authenticated path traversal bug that could allow an attacker to copy arbitrary files and read their contents.
Patches for all six vulnerabilities were included in AOS-10.7.0.0 and AOS-10.4.1.5 and in Instant AOS-8.12.0.3 and Instant AOS-8.10.0.14.
HPE says all bugs were reported through Aruba Networking’s bug bounty program and makes no mention of any of them being exploited in the wild.
Related: Atlassian Patches Vulnerabilities in Bitbucket, Confluence, Jira
Related: Palo Alto Networks, Aruba Patch Severe Vulnerabilities
Related: HPE Patches Two Critical, Remotely Exploitable Vulnerabilities