Hewlett Packard Enterprise (HPE) has issued critical security patches to address several vulnerabilities affecting its Aruba Networking Access Point products. These vulnerabilities (CVE-2024-42509 and CVE-2024-47460), including two particularly severe flaws, could allow unauthenticated attackers to execute arbitrary commands remotely, potentially compromising the security of affected systems.
The flaws impact both Instant AOS-8 and AOS-10 software running on various models of Aruba access points, prompting immediate attention from administrators and network security teams.
HPE Security Patches for CVE-2024-42509 and CVE-2024-47460
The security vulnerabilities identified in the Aruba access points could have serious consequences if exploited by malicious actors. HPE released patches to address six vulnerabilities in total, two of which are classified as critical due to their potential for remote code execution (RCE). These vulnerabilities affect several versions of Aruba’s operating systems, Instant AOS-8 and AOS-10.
The most critical of these vulnerabilities are identified as CVE-2024-42509 and CVE-2024-47460, both of which are command injection flaws in the Command Line Interface (CLI) service. These flaws allow attackers to send specially crafted packets to the PAPI (Aruba’s Access Point Management Protocol) UDP port 8211, potentially enabling unauthenticated remote code execution.
- CVE-2024-42509: This vulnerability has been assigned a high severity score of 9.8 out of 10. Successful exploitation could allow an attacker to execute arbitrary code as a privileged user on the affected system’s underlying operating system.
- CVE-2024-47460: This issue carries a slightly lower severity score of 9.0 but still represents a significant risk. It also enables attackers to execute arbitrary commands remotely, with similar consequences to CVE-2024-42509.
Both vulnerabilities are critical because they allow unauthenticated attackers to gain control over the access point, potentially compromising the entire network.
Affected Versions and Products
The vulnerabilities impact a range of Aruba access point models running specific versions of Instant AOS-8 and AOS-10. The affected versions are as follows:
- Instant AOS-10.4.x.x: Versions 10.4.1.4 and earlier
- Instant AOS-8.12.x.x: Versions 8.12.0.2 and earlier
- Instant AOS-8.10.x.x: Versions 8.10.0.13 and earlier
HPE’s advisory notes that these vulnerabilities do not affect products that have reached the End of Maintenance (EoM) status. Therefore, access points running AOS-10.6.x.x, AOS-10.5.x.x, and several earlier versions are not addressed by the current patch release.
Importantly, Aruba’s Mobility Conductor, Mobility Controllers, and SD-WAN Gateways are not affected by these vulnerabilities, nor are Aruba InstantOn Access Points.
Security Patches and Mitigation Recommendations
HPE has released critical security patches to mitigate the risks associated with these vulnerabilities. To address the specific flaws in Instant AOS-8 and AOS-10, users should update their systems to the following patched versions:
- AOS-10.7.x.x: Version 10.7.0.0 and above
- AOS-10.4.x.x: Version 10.4.1.5 and above
- Instant AOS-8.12.x.x: Version 8.12.0.3 and above
- Instant AOS-8.10.x.x: Version 8.10.0.14 and above
These updated software versions contain critical security patches that resolve the vulnerabilities discussed in the advisory. Network administrators are strongly encouraged to apply these patches promptly to ensure the continued security and integrity of their Aruba access point infrastructure.
For devices running Instant AOS-8, HPE recommends enabling cluster security using the cluster-security command. This can help prevent exploitation of CVE-2024-42509 and CVE-2024-47460. However, for AOS-10 devices, the company advises blocking access to UDP port 8211 from untrusted networks, as the cluster security feature is not available for this version.
Additional Security Considerations
While the critical security patches for these vulnerabilities are essential, HPE also provides additional security advice to further safeguard Aruba access points. For example, to mitigate risks related to other vulnerabilities, including authenticated remote command execution and arbitrary file creation, administrators should restrict access to the CLI and web-based management interfaces. It’s recommended to segregate these interfaces on a dedicated VLAN or control them through firewall policies to reduce the attack surface.
Several other vulnerabilities were also discovered, including:
- CVE-2024-47461: An authenticated remote code execution flaw with a severity of 7.2 (high) that can be exploited by attackers with privileged access to the system.
- CVE-2024-47462, CVE-2024-47463: Arbitrary file creation vulnerabilities that could lead to remote command execution.
- CVE-2024-47464: A path traversal vulnerability that could give attackers unauthorized access to files.
These vulnerabilities emphasize the need for a comprehensive approach to network security, beyond just patching critical bugs. By implementing robust access controls and ensuring that all management interfaces are properly secured, organizations can reduce the likelihood of successful exploitation.
The Importance of Timely Patching
The release of these HPE security patches highlights the ongoing need for organizations to maintain a proactive approach to cybersecurity. Timely application of patches for critical vulnerabilities, such as the ones impacting Aruba access points, is essential for protecting network infrastructure from potential exploitation.
Security experts recommend that organizations establish a routine patch management process, ensuring that security updates—like those for the Aruba access point vulnerabilities—are deployed as soon as they become available. This helps minimize the window of opportunity for attackers and reduces the risk of compromise.