On November 5, 2024, HPE published a security bulletin regarding two critical vulnerabilities, CVE-2024-42509 and CVE-2024-47460, affecting Aruba Networks access points. These vulnerabilities concern the Aruba access point management protocol, PAPI (UDP port 8211), and could allow unauthenticated remote code execution (RCE) via specially crafted packets. Although no active exploitation has been observed at this time, the severity of these vulnerabilities makes them an attractive target for malicious actors, particularly those seeking privileged access to networks.
| Product | Aruba Networks Access Points |
| Date | 2024-11-11 17:10:46 |
| Information |
|
Technical Summary
The vulnerabilities in question allow unauthenticated attackers to perform command injection attacks by sending malicious packets to the PAPI protocol on UDP port 8211. If exploited, these vulnerabilities could lead to remote code execution (RCE) with privileged access on the affected Aruba access points. This could allow attackers to compromise the devices and gain control of the network infrastructure. Although no public proof-of-concept (PoC) exploits have been identified, the risks associated with these vulnerabilities remain high, especially since attackers could reverse-engineer the patches to target unpatched systems.
Recommendations
Update to the latest patched version:
- HPE recommends updating to the following versions containing the fixes:
- Aruba Access Points (AOS-10.4.x.x): update to version 10.4.1.5 or higher.
- Aruba Access Points (AOS-10.7.x.x): update to version 10.7.0.0 or higher.
- Instant AOS-8.12.x.x: update to version 8.12.0.3 or higher.
- Instant AOS-8.10.x.x: update to version 8.10.0.14 or higher.
Temporary workarounds for unpatched systems:
- For devices running Instant AOS-8, enabling cluster security via the
cluster-securitycommand mitigates the vulnerability. - For devices running AOS-10, it is recommended to block access to UDP port 8211 from untrusted networks to reduce the attack surface.
[Callforaction-THREAT-Footer]
