Article Details

HPE warns of critical RCE flaws in Aruba Networking access points. Hewlett Packard Enterprise (HPE) released updates for Instant AOS-8 and AOS-10 software to address two critical vulnerabilities in Aruba Networking Access Points. The two security issues could allow a remote attacker to perform unauthenticated command injection by sending specially crafted packets to Aruba's Access Point management protocol (PAPI) over UDP port 8211. The critical flaws are tracked as CVE-2024-42509 and CVE-2024-47460, and have been assessed with a severity score of 9.8 and 9.0, respectively. Both are in the command line interface (CLI) service, which is accessed via the PAPI protocol. The update also fixes another four security vulnerabilities: All six vulnerabilities impact AOS-10.4.x.x: 10.4.1.4 and older releases, Instant AOS-8.12.x.x: 8.12.0.2 and below, and Instant AOS-8.10.x.x: 8.10.0.13 and older versions. HPE notes in the security advisory that several more versions of the software that have reached their End of Maintenance dates are also impacted by these flaws there will be no security updates for them. Fixes and workarounds To address vulnerabilities in Aruba Networking Access Points, HPE recommends users to update their devices to the following software versions or newer: HPE has also provided workarounds for all six flaws to help in cases where software updates cannot be immediately installed: For the two critical flaws, the proposed workaround is to restrict/block access to the UDP port 8211 from all untrusted networks. For the rest of the issues, the vendor recommends restricting access to the CLI and web-based management interfaces by placing them on a dedicated layer 2 segment or VLAN, and to control access with firewall policies at layer 3 and above, which would limit potential exposure. No active exploitation of the flaws has been observed, but applying the security updates and/or mitigations comes as a strong recommendation.