HPE Aruba Networking Releases Critical Security Updates For ArubaOS

Summary

Four vulnerabilities could lead to unauthenticated RCE and six others could lead to DoS


Threat details

End of maintenance ArubaOS software versions are also affected

The following ArubaOS and SD-WAN software versions are End of Maintenance. They are affected by these vulnerabilities, and security updates will not be issued for them:

  • ArubaOS 10.3.x.x
  • ArubaOS 8.9.x.x
  • ArubaOS 8.8.x.x
  • ArubaOS 8.7.x.x
  • ArubaOS 8.6.x.x
  • ArubaOS 6.5.4.x
  • SD-WAN 8.7.0.0-2.3.0.x
  • SD-WAN 8.6.0.4-2.2.x.x

Introduction

Hewlett Packard Enterprise (HPE) Aruba Networking has issued an advisory that addresses 10 vulnerabilities that affect product lines that use ArubaOS, including Mobility Conductor (formerly Mobility Master), Mobility Controllers, WLAN Gateways, and SD-WAN Gateways (managed by Aruba Central). ArubaOS is a network operating system for WLAN access points and gateways.

Four critical buffer overflow vulnerabilities that have CVSSv3 scores of 9.8 could be exploited by an unauthenticated, remote attacker via a specially crafted packet to achieve remote code execution (RCE). Successful exploitation could lead to the ability to execute arbitrary code on the underlying operating system. The other six vulnerabilities could lead to unauthenticated denial-of-service (DoS). 

Internet-facing devices are popular targets for attackers

Vulnerabilities in internet-facing applications and appliances are popular targets for cyber threat groups and are often exploited soon after official disclosure. The NHS England National CSOC expects broad exploitation, should proof-of-concept (PoC) code be publicly released.


Remediation advice

Affected organisations are encouraged to review the Aruba Security Advisory ARUBA-PSA-2024-004 and apply any relevant updates or workarounds.



Last edited: 1 May 2024 3:43 pm