ArubaOS: 4 Critical Flaws Allow Full System Takeover

Recently, Aruba Networks, a subsidiary of Hewlett Packard Enterprise (HPE), disclosed information about ten vulnerabilities in its ArubaOS operating system, four of which are classified as critical. These vulnerabilities could potentially allow arbitrary code execution with user privileges.


All four critical vulnerabilities are rated 9.8 on the CVSS scale and are buffer overflows affecting various system components. Specifically:

  • CVE-2024-26305 affects a service daemon in ArubaOS;
  • CVE-2024-26304 impacts the L2/L3 management service in ArubaOS;
  • CVE-2024-33511 pertains to the automatic reporting service in ArubaOS;
  • CVE-2024-33512 involves the database for authenticating local users in ArubaOS.

Although no PoC exploit code has been released yet, the security recommendations indicate that all four components are reachable through UDP port 8211, which is used by the Aruba Application Programming Interface (PAPI). Sending specially crafted packets could lead to arbitrary code execution.

Devices affected include Aruba Mobility Conductors, Mobility Controllers, as well as WLAN and SD-WAN gateways managed through Aruba Central.

The list of software versions requiring updates is as follows:

  • ArubaOS 10.5.x.x: 10.5.1.0 and below;
  • ArubaOS 10.4.x.x: 10.4.1.0 and below;
  • ArubaOS 8.11.x.x: 8.11.2.1 and below;
  • ArubaOS 8.10.x.x: 8.10.0.10 and below.

Additionally, the following software versions are vulnerable to the aforementioned security issues but no longer receive technical support:

  • ArubaOS 10.3.x.x;
  • ArubaOS 8.9.x.x;
  • ArubaOS 8.8.x.x;
  • ArubaOS 8.7.x.x;
  • ArubaOS 8.6.x.x;
  • ArubaOS 6.5.4.x;
  • SD-WAN 8.7.0.0-2.3.0.x;
  • SD-WAN 8.6.0.4-2.2.x.x.
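One way to check a device inventory against the two version lists above, as an added example that is not from the article or from the vendor. The "hostname version" inventory format, the hostnames and the status names are assumptions made for the illustration.

```python
import re

# Highest affected release per supported branch, from the article's list.
AFFECTED_MAX = {
    (10, 5): (10, 5, 1, 0), (10, 4): (10, 4, 1, 0),
    (8, 11): (8, 11, 2, 1), (8, 10): (8, 10, 0, 10),
}
# Branches the article lists as vulnerable but no longer supported. The SD-WAN
# entries start with an 8.7 / 8.6 base version, so these cover them too.
UNSUPPORTED_BRANCHES = {(10, 3), (8, 9), (8, 8), (8, 7), (8, 6)}
UNSUPPORTED_PREFIX = (6, 5, 4)  # ArubaOS 6.5.4.x
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)")

def classify(version):
    """Map a version string to a triage status using the article's lists."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparseable"
    v = tuple(int(p) for p in m.groups())
    if v[:2] in UNSUPPORTED_BRANCHES or v[:3] == UNSUPPORTED_PREFIX:
        return "unsupported-vulnerable"
    ceiling = AFFECTED_MAX.get(v[:2])
    if ceiling is None:
        return "not-listed"  # branch absent from the article, not proof of safety
    # Compare as integers: 8.10.0.9 sorts below 8.10.0.10, unlike strings.
    return "update-required" if v <= ceiling else "above-listed-range"

def triage(inventory):
    """Group 'hostname version' lines by status; skip blanks and # comments."""
    report = {}
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        report.setdefault(classify(fields[1]), []).append(fields[0])
    return report

# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE = """\
mc-hq-01      8.10.0.10
mc-hq-02      8.10.0.11
gw-branch-07  8.7.0.0-2.3.0.9
mc-old-01     6.5.4.21
mc-dc-01      8.12.0.0
"""

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```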

Furthermore, the company has reported six moderate-severity denial-of-service (DoS) vulnerabilities, identified as CVE-2024-33513 through CVE-2024-33518, with CVSS scores ranging from 5.3 to 5.9.

As a temporary mitigation, it is possible to enable PAPI security features using a non-standard key. However, network administrators are strongly advised to apply all available patches as soon as possible to prevent any potential attacks.