In a recent security advisory, Hewlett Packard Enterprise (HPE) has issued critical patches for several vulnerabilities affecting Aruba Networking Access Points running Instant AOS-8 and AOS-10. The vulnerabilities, rated as high and critical severity, could allow attackers to gain unauthorized access, execute arbitrary commands with root privileges, and even take full control of compromised devices. These vulnerabilities impact a range of Aruba Access Point models, and HPE urges immediate action to mitigate potential security risks.
This article examines the vulnerabilities, the potential security impacts, and provides essential best practices for securing these critical network devices.
Overview of the Aruba Access Point Vulnerabilities
HPE Aruba Networking has identified multiple vulnerabilities across Aruba Access Points using AOS-8 and AOS-10, with the following assigned CVE identifiers:
- CVE-2024-42509: An unauthenticated command injection vulnerability in the CLI service accessed via the PAPI protocol. This flaw could allow attackers to execute arbitrary commands with root privileges, posing a high risk for system compromise.
- CVE-2024-47460: Another command injection vulnerability targeting the CLI, accessible through crafted packets sent to UDP port 8211, which can also lead to remote code execution.
- CVE-2024-47461: Authenticated remote command execution vulnerability in the CLI that allows attackers with valid credentials to execute arbitrary commands.
- CVE-2024-47462 and CVE-2024-47463: Authenticated arbitrary file creation vulnerabilities in the CLI that could lead to remote code execution.
- CVE-2024-47464: An authenticated path traversal vulnerability that could allow attackers unauthorized access to sensitive files.
Impacted Products and Versions
The vulnerabilities affect Aruba Access Points running the following versions:
- AOS-10.4.x.x (10.4.1.4 and below)
- Instant AOS-8.12.x.x (8.12.0.2 and below)
- Instant AOS-8.10.x.x (8.10.0.13 and below)
Devices not affected by these vulnerabilities include HPE Aruba Networking Mobility Conductor, Mobility Controllers, SD-WAN Gateways, and the InstantOn Access Points series.
No Available Workarounds for Certain Devices
For affected devices running AOS-10, HPE has confirmed that no workarounds exist, making immediate patching the only viable mitigation. For AOS-8 devices, HPE recommends enabling cluster security via the cluster-security
command, though patching remains the preferred solution. It is essential to limit access to the vulnerable UDP port (8211) to trusted networks only, especially if using AOS-10, where no command-based workaround is available.
10 Essential Tips to Prevent Network Vulnerabilities
- Apply Security Patches Promptly: Regularly check for and apply firmware updates for Aruba devices. Ensure that the latest patch versions are installed to mitigate these critical vulnerabilities.
- Limit Access to Management Interfaces: Restrict CLI and web-based management interfaces to secure VLANs and specific IP ranges to prevent unauthorized access.
- Monitor UDP Port 8211 Traffic: Since the PAPI protocol uses this port, configure firewalls to restrict access from untrusted networks.
- Enable Cluster Security: For AOS-8 devices, enable cluster security to prevent unauthorized command injection attacks.
- Implement Network Segmentation: Place critical infrastructure devices in segmented networks that only trusted devices and users can access.
- Regular Vulnerability Assessments: Conduct regular vulnerability scans on access points to detect any residual risks and misconfigurations that may allow unauthorized access.
- Deploy Endpoint Security Solutions: Use endpoint security tools to monitor and respond to suspicious activities on access points and network-connected devices.
- Enable Strong Authentication: Apply multi-factor authentication (MFA) for accessing management interfaces to protect against unauthorized access.
- Restrict File Upload Permissions: Configure permissions carefully to limit file uploads and prevent unauthorized file creation on devices.
- Educate and Train Staff: Ensure IT staff are aware of the latest vulnerabilities and follow best practices for device management and configuration.
Conclusion
The recent security patches issued by HPE for Aruba Networking Access Points underscore the ongoing importance of proactive cybersecurity practices in network management. For organizations using Aruba access points in critical environments, the identified vulnerabilities highlight the risks of delayed patching. Applying these patches immediately and following best practices will significantly reduce the threat of unauthorized access and ensure a secure networking environment.
For additional information and access to software updates, visit HPE’s official security advisory here.
Want to stay on top of cybersecurity news? Follow us on Facebook, X (Twitter), Instagram, and LinkedIn for the latest threats, insights, and updates!