WARNING: CRITICAL VULNERABILITIES IN HPE ARUBA ACCESS POINTS CAN BE EXPLOITED REMOTELY, PATCH IMMEDIATELY!

Reference: Advisory #2024-231
Version: 1.0
Affected software:
HPE Aruba Networking - Aruba Access Points running AOS-10.6.x.x: 10.6.0.2 and below
HPE Aruba Networking - Aruba Access Points running Instant AOS-10.4.x.x: 10.4.1.3 and below
HPE Aruba Networking - Aruba Access Points running Instant AOS-8.12.x.x: 8.12.0.1 and below
HPE Aruba Networking - Aruba Access Points running Instant AOS-8.10.x.x: 8.10.0.13 and below
HPE Aruba Networking - Aruba Access Points running AOS-10.5.x.x (all)
HPE Aruba Networking - Aruba Access Points running AOS-10.3.x.x (all)
HPE Aruba Networking - Aruba Access Points running Instant AOS-8.11.x.x (all)
HPE Aruba Networking - Aruba Access Points running Instant AOS-8.9.x.x (all)
HPE Aruba Networking - Aruba Access Points running Instant AOS-8.8.x.x (all)
HPE Aruba Networking - Aruba Access Points running Instant AOS-8.7.x.x (all)
HPE Aruba Networking - Aruba Access Points running Instant AOS-8.6.x.x (all)
HPE Aruba Networking - Aruba Access Points running Instant AOS-8.5.x.x (all)
HPE Aruba Networking - Aruba Access Points running Instant AOS-8.4.x.x (all)
HPE Aruba Networking - Aruba Access Points running Instant AOS-6.5.x.x (all)
HPE Aruba Networking - Aruba Access Points running Instant AOS-6.4.x.x (all)
Type: Command injection vulnerabilities
CVE/CVSS:
CVE-2024-42505: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-42506: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-42507: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risks

Multiple critical vulnerabilities have been identified in HPE Aruba Networking Access Points running Instant AOS-8 and AOS-10. These vulnerabilities, if exploited, could allow remote attackers to execute arbitrary commands with privileged access. This could result in unauthorized control over the network, data theft, and disruption of services.

The vulnerabilities affect command-line interface (CLI) services accessed through Aruba’s PAPI protocol, exposing the devices to remote command injection attacks. The ease of exploitation and potential impact on the confidentiality, integrity, and availability of critical network services elevate this threat to a critical level. While there is currently no proof-of-concept code or known public exploitation, the risks to business operations remain severe, particularly for organizations relying on Aruba Access Points for daily network connectivity.

Immediate patching of the affected systems is highly recommended to mitigate these risks. Failure to address these vulnerabilities could lead to significant network disruptions, data breaches, and long-term damage to business continuity.

Description

CVE-2024-42505, CVE-2024-42506, CVE-2024-42507: Command Injection in CLI via PAPI Protocol (Critical)

These vulnerabilities involve command injection within the CLI service used by HPE Aruba Access Points, particularly affecting devices running specific versions of Instant AOS-8 and AOS-10. Exploitation can occur through specially crafted packets sent to the PAPI UDP port (8211), allowing attackers to execute arbitrary commands with privileged rights on the underlying operating system.

Successful exploitation grants attackers full control over the device, enabling them to execute commands, modify configurations, and potentially disrupt network operations.

Earlier this year, other vulnerabilities had already been identified in the PAPI protocol. You can find more details about them in our previous advisory.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

  • Upgrade your access point to one of the following versions:
    • AOS-10.7.x.x: 10.7.0.0 and above
    • AOS-10.6.x.x: 10.6.0.3 and above
    • AOS-10.4.x.x: 10.4.1.4 and above
    • Instant AOS-8.12.x.x: 8.12.0.2 and above
    • Instant AOS-8.10.x.x: 8.10.0.14 and above
  • Decommissioning EoSL Versions: If your devices are running software versions that have reached End of Support Life (EoSL), they are vulnerable and will not receive patches. Upgrade to supported software versions as soon as possible.
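As an added example (not part of the CCB advisory or of HPE's own tooling), the version boundaries from the affected-software list and the Patch list above, turned into a check an administrator can run over an AP inventory; the hostnames in the sample inventory are constructed, and the branch-to-status mapping assumes the four-component version scheme shown on this page.

```python
from typing import Dict, Iterable, Tuple

# First fixed release per branch (first two version components), from the "Patch" list.
FIXED_IN: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (10, 7): (10, 7, 0, 0),
    (10, 6): (10, 6, 0, 3),
    (10, 4): (10, 4, 1, 4),
    (8, 12): (8, 12, 0, 2),
    (8, 10): (8, 10, 0, 14),
}

# Branches the advisory lists as affected "(all)": no fix, End of Support Life.
EOSL_BRANCHES = {(10, 5), (10, 3), (8, 11), (8, 9), (8, 8), (8, 7),
                 (8, 6), (8, 5), (8, 4), (6, 5), (6, 4)}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'AOS-10.6.0.2', 'Instant AOS-8.10.0.13' or '8.12.0.1' into a tuple of ints."""
    text = text.strip().rsplit("-", 1)[-1]   # drop the 'AOS-' / 'Instant AOS-' prefix
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(text: str) -> str:
    """Classify one version as 'vulnerable', 'patched', 'eosl' or 'unknown'."""
    version = parse_version(text)
    branch = version[:2]
    if branch in EOSL_BRANCHES:
        return "eosl"        # no patch will come: move to a supported branch
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return "unknown"     # branch not covered by this advisory
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair of an AP inventory to its status."""
    return {name: assess(ver) for name, ver in inventory}

# Constructed sample inventory (hypothetical hostnames) so the script runs stand-alone.
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "Instant AOS-8.10.0.13"),
    ("ap-floor2-03", "AOS-10.6.0.3"),
    ("ap-legacy-07", "Instant AOS-8.6.0.22"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Any device reported as "vulnerable" or "eosl" needs action; "unknown" means the branch is outside this advisory's tables and should be checked against the vendor notice directly.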

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
