Patch up – 4 critical bugs in ArubaOS lead to remote code execution

Network admins are being urged to patch a bundle of critical vulnerabilities in ArubaOS that lead to remote code execution as a privileged user.

HPE Aruba Networking disclosed ten vulnerabilities this week, four of which are rated "critical" with 9.8 severity ratings.

All four of the critical issues are classified as buffer overflow vulnerabilities, each affecting different underlying components of ArubaOS – the operating system that runs Aruba's wireless solutions.

The four critical vulnerabilities are: 

• CVE-2024-26305: Buffer overflow in ArubaOS' utility daemon

• CVE-2024-26304: Buffer overflow in ArubaOS' L2/L3 management service

• CVE-2024-33511: Buffer overflow in ArubaOS' automatic reporting service

• CVE-2024-33512: Buffer overflow in ArubaOS' local user authentication database

Proof of concept exploit code hasn't yet been released, but the security advisories say all four components are accessed via Aruba's process application programming interface (PAPI) UDP port (8211), and sending specially crafted packets can lead to arbitrary code execution.

Aruba Mobility Conductors, Mobility Controllers, and WLAN gateways and SD-WAN gateways managed by Aruba Central are affected by the vulnerabilities.

The list of versions that need upgrading are:

• ArubaOS 10.5.x.x: 10.5.1.0 and below

• ArubaOS 10.4.x.x: 10.4.1.0 and below

• ArubaOS 8.11.x.x: 8.11.2.1 and below

• ArubaOS 8.10.x.x: 8.10.0.10 and below

There is also a list of software versions that no longer receive technical support but are vulnerable to the security issues:

• ArubaOS 10.3.x.x

• ArubaOS 8.9.x.x

• ArubaOS 8.8.x.x

• ArubaOS 8.7.x.x

• ArubaOS 8.6.x.x

• ArubaOS 6.5.4.x

• SD-WAN 8.7.0.0-2.3.0.x

• SD-WAN 8.6.0.4-2.2.x.x

The four critical vulnerabilities only affect ArubaOS 8.x and a temporary workaround is available while admins make the time to apply all the patches. According to the advisory, enabling the PAPI Security feature using a non-default key will prevent any exploits. 

• HPE bakes LLMs into Aruba as AI inches closer to network takeover
• Official: Hewlett Packard Enterprise wants to swallow Juniper Networks in $14B deal
• AWS customer faces staggering charges over S3 bucket misfire
• Governments issue alerts after 'sophisticated' state-backed actor found exploiting flaws in Cisco security boxes

As for the other six vulnerabilities, these are all graded as medium severity and were reported via the vendor's bug bounty program.

CVE-2024-33513, CVE-2024-33514, and CVE-2024-33515 are all unauthenticated denial of service (DoS) flaws in ArubaOS' AP management service and each have a 5.9 severity score.

CVE-2024-33516 is another unauthenticated DoS bug, but this one instead impacts the auth service, carrying a 5.3 severity score. The researcher credited with the finding, along with the three other DoS bugs, was named as Chancen.

Chancen also reported a fifth unauthenticated DoS vulnerability in CVE-2024-33517. This again carries a 5.3 severity rating and affects the radio frequency manager service.

A researcher named XiaoC from Moonlight Bug Hunter was credited with the final medium severity (5.3) bug – an unauthenticated buffer overflow that leads to DoS in the radio frequency daemon.

Like the four critical bugs, the six medium-severity vulnerabilities can also be mitigated by enabling the PAPI Security feature, but it's always best to apply the patches as soon as possible. ®