SecurityWeek


HPE Patches Critical Vulnerabilities in Aruba Access Points

HPE this week warned of two critical vulnerabilities in Aruba Networking access points that could lead to unauthenticated command injection.

HPE this week announced patches for multiple vulnerabilities in its Aruba Networking access points, including two critical-severity command injection bugs.

The critical security defects, tracked as CVE-2024-42509 (CVSS score of 9.8) and CVE-2024-47460 (CVSS score of 9.0), impact the CLI service that underlies Aruba’s access point management protocol.

A remote, unauthenticated attacker can exploit the flaws by sending crafted packets to the protocol’s UDP port (8211), which could lead to arbitrary code execution as a privileged user on the underlying operating system.

The issues, HPE says, affect access points running the Instant AOS-8 and AOS-10 software, including Instant AOS-6.x and Instant AOS-8.x iterations and AOS-10.x versions that have reached end-of-life (EoL) status.

“Enabling cluster security via the cluster-security command will prevent this vulnerability from being exploited in devices running Instant AOS-8 code. For AOS-10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks,” HPE notes in its advisory.
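One way to audit the AOS-10 workaround above, as an added example that is not HPE's or Aruba's code: a Python check over flow records that flags UDP/8211 traffic reaching access points from outside the management subnets. The trusted subnets, the record format and the sample flows are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Aruba access point management traffic uses UDP/8211 (per the advisory).
PAPI_PORT = 8211

# Assumption: only these management subnets may reach the access points.
TRUSTED_SOURCES = [ipaddress.ip_network("10.10.0.0/24"),
                   ipaddress.ip_network("192.168.50.0/24")]


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: 'src=IP dst=IP proto=udp dport=N'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def is_untrusted_papi(flow: Flow, trusted=TRUSTED_SOURCES) -> bool:
    """True when UDP/8211 traffic arrives from outside the trusted subnets."""
    if flow.proto != "udp" or flow.dport != PAPI_PORT:
        return False
    src = ipaddress.ip_address(flow.src)
    return not any(src in net for net in trusted)


def find_exposures(lines):
    """Return (src, dst) pairs for flows that violate the block-UDP/8211 mitigation."""
    return [(f.src, f.dst) for f in map(parse_flow, lines) if is_untrusted_papi(f)]


# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = [
    "src=10.10.0.5 dst=10.20.1.10 proto=udp dport=8211",    # trusted management host
    "src=203.0.113.7 dst=10.20.1.10 proto=udp dport=8211",  # external source: should be blocked
    "src=172.16.4.9 dst=10.20.1.11 proto=udp dport=8211",   # untrusted internal segment
    "src=203.0.113.7 dst=10.20.1.10 proto=tcp dport=443",   # not PAPI, ignored here
]

if __name__ == "__main__":
    for src, dst in find_exposures(SAMPLE_FLOWS):
        print(f"UDP/{PAPI_PORT} reached {dst} from untrusted source {src}")
```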

This week, the company also warned of three high-severity remote code execution (RCE) vulnerabilities affecting the Instant AOS-8 and AOS-10 command line interface, tracked as CVE-2024-47461, CVE-2024-47462, and CVE-2024-47463.

CVE-2024-47461 could allow an authenticated attacker to execute arbitrary commands as a privileged user and fully compromise the underlying host operating system.

CVE-2024-47462 and CVE-2024-47463 “could allow an authenticated remote attacker to create arbitrary files, which could lead to a remote command execution (RCE) on the underlying operating system,” HPE explains.


Restricting the CLI and web-based management interfaces to a dedicated layer 2 segment/VLAN and/or controlling access to them through firewall policies should reduce the likelihood of these vulnerabilities being exploited, HPE says.

Instant AOS-8 and AOS-10, HPE warned, are also affected by a high-severity authenticated path traversal bug that could allow an attacker to copy arbitrary files and read their contents.

Patches for all six vulnerabilities were included in AOS-10.7.0.0 and AOS-10.4.1.5 and in Instant AOS-8.12.0.3 and Instant AOS-8.10.0.14.

HPE says all bugs were reported through Aruba Networking’s bug bounty program and makes no mention of any of them being exploited in the wild.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
