HPE Aruba Networking has identified four critical RCE vulnerabilities in ArubaOS.

HPE Aruba Networking has identified four serious vulnerabilities related to remote code execution in its ArubaOS operating system. In April 2024, the company released security updates aimed at addressing these critical vulnerabilities, which may affect several versions of the ArubaOS network operating system. All four vulnerabilities are buffer overflow flaws that could be exploited for remote execution of arbitrary code.

The first vulnerability

CVE-2024-26305 is a buffer overflow vulnerability in the utility daemon accessible via the PAPI protocol. Successful exploitation could lead to remote code execution without authentication. An attacker can send specially crafted packets to the PAPI UDP port (8211), allowing them to execute arbitrary code as a privileged user on the host operating system.

The second vulnerability

CVE-2024-26304 is similarly a buffer overflow vulnerability, this time in the L2/L3 management service, which is also accessible via PAPI. Using the same methods, an attacker can remotely execute arbitrary code, gaining access to the system as a privileged user.

The third vulnerability

CVE-2024-33511 concerns the automated reporting service available through PAPI. The attack does not require authentication; an attacker can send specially crafted packets to the same UDP port, which also allows for the execution of arbitrary code with the appropriate privileges.

The fourth vulnerability

CVE-2024-33512 is related to the local user authentication database, accessible via PAPI. Successful exploitation would allow an attacker to execute arbitrary code without authentication, gaining access to the system as a privileged user.

List of affected products and software versions

  • HPE Aruba Networking - Mobility Conductor (formerly known as Mobility Master)
  • Mobility controllers
  • WLAN gateways
  • SD-WAN gateways managed through Aruba Central

Affected versions of the software:

  • ArubaOS 10.5.x.x: up to 10.5.1.0
  • ArubaOS 10.4.x.x: up to 10.4.1.0
  • ArubaOS 8.11.x.x: up to 8.11.2.1
  • ArubaOS 8.10.x.x: up to 8.10.0.10

Versions of ArubaOS and SD-WAN that are in the end-of-life stage:

  • ArubaOS 10.3.x.x: all versions
  • ArubaOS 8.9.x.x: all versions
  • ArubaOS 8.8.x.x: all versions
  • ArubaOS 8.7.x.x: all versions
  • ArubaOS 8.6.x.x: all versions
  • ArubaOS 6.5.4.x: all versions
  • SD-WAN 8.7.0.0-2.3.0.x: all versions
  • SD-WAN 8.6.0.4-2.2.x.x: all versions
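
To check a device inventory against the version lists above, here is an added example (not code from HPE Aruba Networking or from the original article). It assumes "up to" includes the named release; the function names, hostnames and sample versions are constructed for illustration.

```python
import re

# Branch -> highest affected release above (assumption: "up to" is inclusive).
AFFECTED_UP_TO = {
    (10, 5): (10, 5, 1, 0),
    (10, 4): (10, 4, 1, 0),
    (8, 11): (8, 11, 2, 1),
    (8, 10): (8, 10, 0, 10),
}
# End-of-life ArubaOS branches from the list above: every release is affected.
EOL_BRANCHES = [(10, 3), (8, 9), (8, 8), (8, 7), (8, 6), (6, 5, 4)]
# End-of-life SD-WAN trains, matched on the text before the trailing "x" fields.
EOL_SDWAN_PREFIXES = ("8.7.0.0-2.3.0.", "8.6.0.4-2.2.")
ARUBAOS_RE = re.compile(r"\d+(\.\d+){3}")

def classify(version: str) -> str:
    """Return 'affected-eol', 'affected', 'not-listed' or 'unparsed'."""
    v = version.strip()
    if v.startswith(EOL_SDWAN_PREFIXES):
        return "affected-eol"
    if not ARUBAOS_RE.fullmatch(v):
        return "unparsed"  # never assume an unreadable version is safe
    parts = tuple(int(p) for p in v.split("."))
    if any(parts[:len(b)] == b for b in EOL_BRANCHES):
        return "affected-eol"
    ceiling = AFFECTED_UP_TO.get(parts[:2])
    if ceiling is not None and parts <= ceiling:
        return "affected"
    return "not-listed"  # absent from this page's lists, not proven fixed

def triage(inventory):
    """Classify (hostname, version) pairs and sort the most urgent first."""
    rank = {"affected-eol": 0, "affected": 1, "unparsed": 2, "not-listed": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (rank[r[2]], r[0]))

# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE = [
    ("mc-branch-01", "8.10.0.10"),
    ("mc-branch-02", "8.10.0.11"),
    ("gw-hq-01", "10.5.1.0"),
    ("mc-legacy-01", "6.5.4.24"),
    ("sdwan-edge-01", "8.7.0.0-2.3.0.9"),
    ("mc-lab-01", "unknown"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{host:14} {ver:18} {status}")
```

End-of-life branches sort first because the page lists every release on them as affected.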

HPE Aruba Networking recommends enabling the Enhanced PAPI Security feature with a non-standard key to reduce the risks associated with these vulnerabilities. This approach works in ArubaOS 8.x; however, it is not relevant for ArubaOS 10.x. Upgrading to one of the recommended versions of ArubaOS 10.x is advised to address the other vulnerabilities mentioned in the notification. At the time of publication of this material, the manufacturer had not recorded any attacks in the wild exploiting the vulnerabilities discussed in the April 2024 security updates.
