
Warning: Several Critical Vulnerabilities In ArubaOS, Patch Immediately!

Reference: Advisory #2024-63
Version: 1.0
Affected software: 
HPE Aruba Mobility Conductor (formerly Mobility Master)
HPE Aruba Mobility Controllers
HPE Aruba WLAN Gateways and SD-WAN Gateways managed by Aruba Central
ArubaOS 10.5.1.0 and below
ArubaOS 10.4.1.0 and below
ArubaOS 8.11.2.1 and below
ArubaOS 8.10.0.10 and below
Type: Remote Code Execution (RCE)
CVE/CVSS: 
  • CVE-2024-26304 – 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-26305 – 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-33511 – 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-33512 – 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-33513 – 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CVE-2024-33514 – 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CVE-2024-33515 – 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  • CVE-2024-33516 – 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  • CVE-2024-33517 – 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  • CVE-2024-33518 – 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Sources

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt

Risks

HPE Aruba Networking has released a security advisory detailing multiple critical vulnerabilities in ArubaOS, affecting several products including WLAN Gateways and SD-WAN Gateways managed by Aruba Central, Mobility Conductor and Mobility Controller. 

Some of these vulnerabilities could allow unauthenticated remote attackers to execute arbitrary code or cause a denial of service (DoS). If exploited successfully, they grant a remote attacker full control over the compromised system, paving the way for data breaches, service interruptions, or even unauthorized network access. Currently, there's no indication of any publicly available proof-of-concept or evidence of exploitation. Nevertheless, it's crucial to recognize that these vulnerabilities pose a substantial threat to the confidentiality, integrity, and availability of the system.

Furthermore, network devices have attracted the attention of threat actors due to their strategic position within infrastructures. Historical trends reveal that similar vulnerabilities in network devices have been exploited by Advanced Persistent Threats (APTs) and ransomware gangs to execute devastating attacks. Therefore, it's imperative for organizations to remain vigilant and promptly address any vulnerabilities in their devices to mitigate the risk of exploitation by cyber adversaries.

Description

CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, and CVE-2024-33512

These are the highest-rated vulnerabilities (9.8), and they are all buffer overflow vulnerabilities in underlying services. All of these could lead to unauthenticated remote code execution if a threat actor sends specially crafted packets to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516 and CVE-2024-33517

These are Denial-of-Service (DoS) vulnerabilities that exist in several services accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected service.

CVE-2024-33518

This is an unauthenticated Denial of Service (DoS) vulnerability that exists in the Radio Frequency daemon via the PAPI protocol provided by ArubaOS. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the controller.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

According to the security advisory by HPE Aruba Networking, software versions with fixes can be downloaded from the HPE Networking Support Portal (https://networkingsupport.hpe.com/home/). Some vulnerabilities also have specific workarounds that can be found in the advisory, but do mind that these workarounds don't always apply to all versions.

In case you have a device that has reached End-of-Maintenance, no patches are available, and we recommend replacing the device.
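
To prioritise patching, an inventory can be compared with the "and below" versions listed under Affected software. The following is an added example, not code from the CCB or HPE Aruba Networking; the hostnames and inventory versions are constructed, and a branch that this advisory does not list is reported as unlisted so that it is checked against the vendor advisory rather than assumed safe.

```python
# Added example: ArubaOS version triage against this advisory's "and below" list.
# Highest affected version per release branch, as listed under "Affected software".
AFFECTED_CEILINGS = {
    (10, 5): (10, 5, 1, 0),
    (10, 4): (10, 4, 1, 0),
    (8, 11): (8, 11, 2, 1),
    (8, 10): (8, 10, 0, 10),
}


def parse_version(text):
    """Turn '8.10.0.10' into (8, 10, 0, 10); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part ArubaOS version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'affected', 'above-listed-ceiling', 'unlisted-branch' or 'unparseable'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparseable"
    ceiling = AFFECTED_CEILINGS.get(version[:2])
    if ceiling is None:
        # Branch not named in this advisory: check the vendor advisory.
        return "unlisted-branch"
    # Numeric tuple comparison: 8.10.0.10 > 8.10.0.9 (a string compare gets this wrong).
    return "affected" if version <= ceiling else "above-listed-ceiling"


def triage(inventory):
    """Map each hostname in the inventory to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "mc-brussels-01": "8.10.0.10",
    "mc-ghent-01": "8.10.0.11",
    "gw-liege-01": "10.4.0.3",
    "mc-old-01": "8.6.0.23",
    "mc-lab-01": "8.11.2.1-beta",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

A result of "above-listed-ceiling" only means the version is newer than the ceiling this advisory lists for its branch; confirm the fixed release in the vendor advisory.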

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
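
As one concrete monitoring check for the PAPI exposure described above, this added example (not from the CCB or the HPE Aruba advisory) flags flows to UDP port 8211 on a controller that originate outside the subnets expected to speak PAPI to it. The controller address, allowed subnets, flow-record format and sample records are all assumptions constructed for illustration.

```python
# Added example: flag UDP/8211 (PAPI) flows that reach a controller from
# outside the networks expected to speak PAPI to it.
import csv
import io
import ipaddress

PAPI_UDP_PORT = 8211  # port named in this advisory

# Assumptions for the example: controller addresses and the AP/management
# subnets allowed to send PAPI to them.
CONTROLLERS = {ipaddress.ip_address("10.20.0.10")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24"),
                   ipaddress.ip_network("10.30.0.0/16")]

# Constructed flow records: time,src,dst,proto,dport
SAMPLE_FLOWS = """\
2024-05-02T09:00:01Z,10.30.4.17,10.20.0.10,udp,8211
2024-05-02T09:00:05Z,203.0.113.50,10.20.0.10,udp,8211
2024-05-02T09:00:09Z,10.99.1.8,10.20.0.10,udp,8211
2024-05-02T09:00:12Z,203.0.113.50,10.20.0.10,tcp,443
2024-05-02T09:00:15Z,10.99.1.8,10.20.0.77,udp,8211
"""


def unexpected_papi_flows(flow_csv):
    """Return (time, src, dst) for PAPI flows from non-allowed sources."""
    hits = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip malformed lines
        when, src, dst, proto, dport = (field.strip() for field in row)
        if proto.lower() != "udp" or dport != str(PAPI_UDP_PORT):
            continue
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparseable address
        if dst_ip not in CONTROLLERS:
            continue  # only flows aimed at a known controller are checked
        if not any(src_ip in net for net in ALLOWED_SOURCES):
            hits.append((when, src, dst))
    return hits


if __name__ == "__main__":
    for hit in unexpected_papi_flows(SAMPLE_FLOWS):
        print(hit)
```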

References

https://nvd.nist.gov/vuln/detail/CVE-2024-26305

https://nvd.nist.gov/vuln/detail/CVE-2024-26304

https://nvd.nist.gov/vuln/detail/CVE-2024-33511

https://nvd.nist.gov/vuln/detail/CVE-2024-33512