Critical RCE Vulnerabilities Affecting Aruba Access Points
Background
Hewlett Packard Enterprise (HPE), the parent company of Aruba Networks, issued a security bulletin on September 24, 2024, addressing three critical command injection vulnerabilities in Aruba Networking Access Points. CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507 potentially allow remote, unauthorized attackers to run code with privileged access. Sending specially crafted packets to UDP port 8211, used by PAPI (Aruba's access point management protocol), may allow exploitation and could result in Remote Code Execution (RCE).
These vulnerabilities must be patched immediately to stop attackers from gaining unauthorized access and interfering with network operations.
We have not found any publicly accessible proof of concept (PoC) exploit code, nor have we detected any exploitation of these vulnerabilities in the wild. Although there are no reports of Aruba Networking access points being exploited, threat actors are drawn to them because of the access these vulnerabilities could grant through RCE as a privileged user. In the near future, threat actors might also try to reverse-engineer the patches in order to take advantage of unpatched systems.
Recommendations:
Customers are strongly encouraged to update to the most recent patched version.
Product | Affected Version | Fixed Version |
Aruba Access Points |
Follow your organization's patching and testing procedures to reduce any possible operational impact.
Users who are unable to apply the patch can use the following workarounds provided by HPE:
- For devices running Instant AOS-8.x: Enabling cluster security with the cluster-security command prevents exploitation of these vulnerabilities.
- For devices running AOS-10: Cluster security is not available, so block access to UDP port 8211 from all untrusted networks to prevent exploitation.
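One way to confirm that the UDP 8211 workaround is actually holding is to audit firewall or flow logs for PAPI traffic that reaches access points from outside the trusted networks. The script below is an added example, not HPE's or the original page's code; the subnets, the five-field log format and the sample records are constructed assumptions to be replaced with your own.

```python
import ipaddress

PAPI_UDP_PORT = 8211  # PAPI port named in the advisory

# Assumption (constructed): the subnet where the access points live.
AP_NETS = [ipaddress.ip_network("10.20.10.0/24")]
# Assumption (constructed): sources allowed to speak PAPI to the APs
# (a management subnet plus the AP subnet itself for AP-to-AP traffic).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")] + AP_NETS

# Constructed flow records in a hypothetical format: src dst proto dport action
SAMPLE_FLOWS = """\
10.20.0.5 10.20.10.11 udp 8211 ACCEPT
192.168.50.23 10.20.10.11 udp 8211 ACCEPT
203.0.113.77 10.20.10.12 udp 8211 DROP
192.168.50.23 10.20.10.11 udp 53 ACCEPT
10.20.10.12 10.20.10.11 udp 8211 ACCEPT
garbage line
198.51.100.9 10.20.10.13 tcp 8211 ACCEPT
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_papi_exposure(flow_text, trusted=TRUSTED_NETS, aps=AP_NETS):
    """Return (exposed, blocked, malformed) for UDP/8211 flows aimed at APs.

    exposed: untrusted source was ACCEPTed, so the workaround is not effective.
    blocked: untrusted source was stopped, so the filtering works as intended.
    """
    exposed, blocked, malformed = [], [], []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        try:
            src_s, dst_s, proto, dport_s, action = line.split()
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            dport = int(dport_s)
        except ValueError:  # wrong field count, bad IP, or bad port
            malformed.append(line)
            continue
        if proto.lower() != "udp" or dport != PAPI_UDP_PORT or not _in_any(dst, aps):
            continue  # not PAPI traffic to an access point
        if _in_any(src, trusted):
            continue  # expected management or AP-to-AP traffic
        (exposed if action.upper() == "ACCEPT" else blocked).append((src_s, dst_s))
    return exposed, blocked, malformed

if __name__ == "__main__":
    exposed, blocked, malformed = audit_papi_exposure(SAMPLE_FLOWS)
    print("exposed:", exposed, "blocked:", blocked, "malformed:", malformed)
```

Any entry in the exposed list means an untrusted network can still reach PAPI on an access point and the filtering rules need correcting.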