HPE patches three critical security holes in Aruba PAPI

More 9.8 bugs? Ay, papi!


Aruba access points running AOS-8 and AOS-10 need to be patched urgently after HPE emitted fixes for three critical flaws in its networking subsidiary's access points.

The issues would allow an unauthenticated attacker to run code on Aruba's systems by sending carefully crafted packets to UDP port 8211, the operating system's Proprietary Access Protocol Interface (PAPI), which would provide that miscreant privileged access to the equipment.

The three vulnerabilities - CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507 - are all rated 9.8 out of 10 on the CVSS severity scale.

The flaws affect versions of AOS 10.6.x.x (up to and including 10.6.0.2), as well as Instant AOS 8.12.x.x (8.12.0.1 and earlier versions). HPE is also warning that end-of-life code, including AOS 10.5 and 10.3 and Instant AOS-8.11, as well as earlier incarnations, is affected, and the advice is to upgrade these systems to get protection.
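A small triage helper for the version ranges just listed, added here as an example and not tooling from HPE or Aruba; it assumes an inventory shaped as {AP name: version string} and treats every branch older than the supported 10.6 / 8.12 lines as end-of-life and affected, as the upgrade advice implies.

```python
"""Flag Aruba AOS / Instant AOS builds affected by CVE-2024-42505/42506/42507.

Constructed triage example. Boundaries follow the advisory as summarised above:
AOS 10.6.x.x up to 10.6.0.2, Instant AOS 8.12.x.x up to 8.12.0.1, and all
end-of-life branches (10.5, 10.3, 8.11 and earlier) are affected.
"""
from typing import Dict, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """Turn '10.6.0.2' (or a shorter '10.3') into a four-component tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

# Last vulnerable build on each supported branch; anything newer carries the fix.
LAST_VULNERABLE: Dict[Version, Version] = {
    (10, 6): (10, 6, 0, 2),   # AOS-10
    (8, 12): (8, 12, 0, 1),   # Instant AOS-8
}
# Assumption: branches older than these are end-of-life and therefore affected.
OLDEST_SUPPORTED: Dict[int, Version] = {10: (10, 6), 8: (8, 12)}

def is_affected(text: str) -> bool:
    """True when the build needs patching or upgrading according to the advisory."""
    v = parse_version(text)
    branch = v[:2]
    if branch in LAST_VULNERABLE:
        return v <= LAST_VULNERABLE[branch]
    major = v[0]
    if major in OLDEST_SUPPORTED and branch < OLDEST_SUPPORTED[major]:
        return True       # end-of-life code: 10.5, 10.3, 8.11 and earlier
    return False          # newer branch or a major the advisory does not list

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each access point to 'patch' or 'ok'."""
    return {name: ("patch" if is_affected(ver) else "ok")
            for name, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    SAMPLE = {"ap-lobby": "10.6.0.2", "ap-floor2": "10.6.0.3", "ap-lab": "8.12.0.1",
              "ap-old": "10.5.1.0", "ap-iap": "8.11.2.1", "ap-new": "8.12.0.2"}
    for name, verdict in triage(SAMPLE).items():
        print(f"{name}: {verdict}")
```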

"Enabling cluster-security via the cluster-security command will prevent these vulnerabilities from being exploited in devices running Instant AOS-8.x code," HPE advised in its security alert. "For AOS-10 devices this is not an option and instead access to UDP port 8211 must be blocked from all untrusted networks."

It's not the first time PAPI has been shown to have serious problems this year. Back in May, Aruba fixed four critical flaws in the system after proof-of-concept exploit code was released, and then issued more patches less than a week later.

These patches will be of particular concern to sysadmins within the US military. Back in 2020, Aruba scored a major win by becoming the preferred supplier to the Pentagon after the military fell out with Cisco and started replacing its kit.

HPE credited the flaws' discovery to Erik de Jong, a part-time flaw finder whose day job is as a security officer for the Netherlands telco DELTA Fiber. The vulnerabilities were submitted via Bugcrowd, and he has credited his hobby with paying off a chunk of his mortgage.

At the time of publication, HPE said that it had seen no evidence that the issues are being exploited in the wild. However, now that patches are out, and given their seriousness, that's likely to change. ®
