Aruba Networks fixes six critical vulnerabilities in ArubaOS

Aruba Networks published a security advisory to inform customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.

The flaws impact Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN Gateways and SD-WAN Gateways.

Aruba Networks is a California-based subsidiary of Hewlett Packard Enterprise, specializing in computer networking and wireless connectivity solutions.

The critical flaws addressed by Aruba this time can be separated into two categories: command injection flaws and stack-based buffer overflow problems in the PAPI protocol (Aruba Networks access point management protocol).

All flaws were discovered by security analyst Erik de Jong, who reported them to the vendor via the official bug bounty program.

The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 rating of 9.8 out of 10.0.

An unauthenticated, remote attacker can leverage them by sending specially crafted packets to the PAPI over UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.

The stack-based buffer overflow bugs are tracked as CVE-2023-22751 and CVE-2023-22752, and also have a CVSS v3 rating of 9.8.

These flaws are exploitable by sending specially crafted packets to the PAPI over UDP port 8211, allowing unauthenticated, remote attackers to run arbitrary code as privileged users on ArubaOS.
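Both bug classes share the same exposure: the PAPI listener on UDP port 8211 must be reachable by the attacker. A defender's first check is therefore whether that port is reachable from anything other than the controller and access-point management networks. The snippet below is an added example, not code from the article or from Aruba: it runs over a few constructed flow records in an assumed `key=value` format (the format, the sample addresses and the trusted network are all assumptions) and reports UDP/8211 traffic arriving from outside the trusted ranges.

```python
import ipaddress
import re

# Constructed flow records for the example (not taken from the advisory).
# The "key=value" layout is an assumption; adapt FLOW_RE to your collector's format.
SAMPLE_FLOWS = [
    "ts=2023-03-01T10:00:01Z src=10.0.0.15 sport=40001 dst=10.0.0.2 dport=8211 proto=udp",
    "ts=2023-03-01T10:00:02Z src=203.0.113.5 sport=51234 dst=10.0.0.2 dport=8211 proto=udp",
    "ts=2023-03-01T10:00:03Z src=198.51.100.9 sport=443 dst=10.0.0.2 dport=8211 proto=tcp",
    "ts=2023-03-01T10:00:04Z src=192.0.2.7 sport=33333 dst=10.0.0.2 dport=8211 proto=udp",
    "ts=2023-03-01T10:00:05Z src=192.0.2.7 sport=33334 dst=10.0.0.2 dport=22 proto=tcp",
]

# PAPI listens on UDP 8211 (stated in the advisory coverage above).
PAPI_PORT = 8211

FLOW_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_flow(line):
    """Parse one flow record into a dict, or return None for unparseable lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(ip_text, trusted_nets):
    """True if the source address lies inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in trusted_nets)


def find_untrusted_papi(lines, trusted_cidrs):
    """Return (timestamp, src, dst) for UDP/8211 flows from outside trusted_cidrs.

    TCP to 8211 and traffic to other ports are ignored: the exposure described
    in the advisory is UDP to the PAPI port.
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        if rec["proto"].lower() != "udp" or rec["dport"] != PAPI_PORT:
            continue
        if is_trusted(rec["src"], trusted):
            continue
        hits.append((rec["ts"], rec["src"], rec["dst"]))
    return hits


def summarize_by_source(hits):
    """Count flagged flows per source address, which is what an alert would carry."""
    counts = {}
    for _ts, src, _dst in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed: 10.0.0.0/24 is the management network where controllers and APs live.
    flagged = find_untrusted_papi(SAMPLE_FLOWS, ["10.0.0.0/24"])
    for ts, src, dst in flagged:
        print(f"{ts} untrusted PAPI source {src} -> {dst}:{PAPI_PORT}/udp")
    print(summarize_by_source(flagged))
```

Any hit from this check is a reachability problem to fix at the firewall regardless of patch status; on the sample data, the two flows from 203.0.113.5 and 192.0.2.7 are flagged while the management-network source, the TCP flow and the SSH flow are not.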

The impacted versions are:

  • ArubaOS 8.6.0.19 and below
  • ArubaOS 8.10.0.4 and below
  • ArubaOS 10.3.1.0 and below
  • SD-WAN 8.7.0.0-2.3.0.8 and below

The target upgrade versions, according to Aruba, should be:

  • ArubaOS 8.10.0.5 and above
  • ArubaOS 8.11.0.0 and above
  • ArubaOS 10.3.1.1 and above
  • SD-WAN 8.7.0.0-2.3.0.9 and above

Unfortunately, several product versions that have reached End of Life (EoL) are also affected by these vulnerabilities and will not receive a fixing update. These are:

  • ArubaOS 6.5.4.x
  • ArubaOS 8.7.x.x
  • ArubaOS 8.8.x.x
  • ArubaOS 8.9.x.x
  • SD-WAN 8.6.0.4-2.2.x.x
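Matching a fleet of controllers against the three lists above by eye is error-prone, particularly for the SD-WAN builds whose version strings carry two dotted parts. The helper below is an added example, not Aruba's code or a tool from the article: it encodes exactly the affected, fixed and EoL ranges printed above and classifies each inventory entry as `vulnerable`, `fixed`, `eol` or `unlisted`. The inventory itself and the product names used as keys are assumptions; a version that falls outside every listed range (for instance an 8.6 build newer than 8.6.0.19, for which the article lists no fixed version) is reported as `unlisted` rather than guessed at.

```python
import re

# Ranges transcribed from the advisory coverage above. Versions are compared as
# integer tuples, so "8.7.0.0-2.3.0.8" becomes (8, 7, 0, 0, 2, 3, 0, 8).

# "X and below" is affected; keyed by (product, first two components).
AFFECTED_MAX = {
    ("ArubaOS", (8, 6)): (8, 6, 0, 19),
    ("ArubaOS", (8, 10)): (8, 10, 0, 4),
    ("ArubaOS", (10, 3)): (10, 3, 1, 0),
    ("SD-WAN", (8, 7)): (8, 7, 0, 0, 2, 3, 0, 8),
}

# "X and above" carries the fix.
FIXED_MIN = {
    ("ArubaOS", (8, 10)): (8, 10, 0, 5),
    ("ArubaOS", (8, 11)): (8, 11, 0, 0),
    ("ArubaOS", (10, 3)): (10, 3, 1, 1),
    ("SD-WAN", (8, 7)): (8, 7, 0, 0, 2, 3, 0, 9),
}

# End-of-life trains: affected, and no fix will ship.
EOL_PREFIXES = {
    "ArubaOS": [(6, 5, 4), (8, 7), (8, 8), (8, 9)],
    "SD-WAN": [(8, 6, 0, 4, 2, 2)],
}


def parse_version(text):
    """Turn '8.10.0.4' or '8.7.0.0-2.3.0.8' into a tuple of ints."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no numeric components in version {text!r}")
    return parts


def classify(product, version_text):
    """Return 'eol', 'vulnerable', 'fixed' or 'unlisted' for one device."""
    if product not in EOL_PREFIXES:
        raise ValueError(f"unknown product {product!r}")
    v = parse_version(version_text)
    for prefix in EOL_PREFIXES[product]:
        if v[: len(prefix)] == prefix:
            return "eol"
    key = (product, v[:2])
    if key in AFFECTED_MAX and v <= AFFECTED_MAX[key]:
        return "vulnerable"
    if key in FIXED_MIN and v >= FIXED_MIN[key]:
        return "fixed"
    # Not covered by any printed range: do not assume it is safe.
    return "unlisted"


def triage(inventory):
    """Map hostname -> status for a list of (hostname, product, version) tuples."""
    return {host: classify(product, ver) for host, product, ver in inventory}


# Constructed inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mc-hq-01", "ArubaOS", "8.10.0.4"),
    ("mc-hq-02", "ArubaOS", "8.10.0.5"),
    ("mc-branch-03", "ArubaOS", "8.8.0.3"),
    ("mc-lab-04", "ArubaOS", "8.6.0.20"),
    ("gw-site-05", "SD-WAN", "8.7.0.0-2.3.0.8"),
    ("gw-site-06", "SD-WAN", "8.6.0.4-2.2.1.0"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```

Devices reported as `eol` cannot be patched and should be slated for the Enhanced PAPI Security workaround or replacement; `unlisted` results need a manual check against the vendor advisory rather than being treated as clean.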

A workaround for system administrators who cannot apply the security updates or are using EoL devices is to enable the “Enhanced PAPI Security” mode using a non-default key. 

However, applying the mitigations does not address another 15 high-severity and eight medium-severity vulnerabilities listed in Aruba’s security advisory, which are fixed by the new versions.

Aruba states that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory, February 28, 2022.

Comments

  • BUYERSDOMAIN – 3 days ago

    It's great to hear that Aruba Networks has taken steps to fix six critical vulnerabilities in ArubaOS. Cybersecurity is a critical concern in today's digital world, and any vulnerabilities in networking equipment can potentially be exploited by malicious actors to gain unauthorized access or cause harm.

  • NoneRain – 2 days ago

    "I'm not a bot btw"

Source bleepingcomputer.com