Aruba Networks has issued six critical patches for its PAPI protocol as part of a security release covering more than 30 vulnerabilities.
PAPI is the company’s access point management protocol.
Four bugs, assigned CVEs but not yet fully disclosed, cover unauthenticated command injections in the protocol.
Aruba’s advisory states that CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750 can lead to unauthenticated remote code execution.
A successful exploit would give the attacker the ability to execute operating system code as a privileged user.
There are also two stack-based buffer overflow vulnerabilities in the protocol, CVE-2023-22751 and CVE-2023-22752, which also expose the system to remote code execution.
The bugs, which were reported via Bugcrowd by Erik de Jong, are exploited by sending crafted packets to the target over UDP port 8211.
PAPI can also be used as the vector to exploit five high-rated vulnerabilities in ArubaOS processes: CVE-2023-22753, CVE-2023-22754, CVE-2023-22755, CVE-2023-22756, and CVE-2023-22757.
The unauthenticated buffer overrun bugs also let an attacker run operating system commands as a privileged user, and are attackable via the PAPI protocol. Aruba credited Haoliang Lu for their discovery.
The bugs couldn’t be patched in the ArubaOS 8.6.x branch, so those users will have to implement a workaround or upgrade to the 8.10.x branch.
There’s also a high-rated vulnerability, a read buffer overrun processing ASN.1 strings in the operating system (CVE-2021-3712), but it’s only attackable by an authenticated user.
There are also several bugs in the ArubaOS web management interface (CVE-2023-22758, CVE-2023-22759, CVE-2023-22760, and CVE-2023-2276) and command line interface (CVE-2023-22762, CVE-2023-22763, CVE-2023-22764, CVE-2023-22765, CVE-2023-22766, CVE-2023-22767, CVE-2023-22768, CVE-2023-22769, and CVE-2023-22770), all of which can only be exploited by an authenticated user.
Products covered by the advisory include the company’s Mobility Master/Conductor, Mobility Controllers, along with WLAN and SD-WAN gateways managed by Aruba Central.
Affected software branches are ArubaOS 8.6.0.19 and below, 8.10.0.4 and below, and 10.3.1.0 and below, along with SD-WAN 8.7.0.0-2.3.0.8 and below.
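The version thresholds above are the practical triage input for anyone running these products, and comparing them correctly is easy to get wrong: a plain string comparison orders "8.10.0.4" before "8.6.0.19" because the character "1" sorts before "6". The helper below is an added example, not Aruba's tooling or any script from the article. It parses ArubaOS versions into integer tuples, checks them against the per-branch upper bounds quoted on this page, and flags the 8.6.x branch separately because the article states that branch receives no fix. It covers the three ArubaOS branches only; the composite SD-WAN version string is left out rather than guessing at its format. The sample inventory in the main block is constructed.

```python
"""Triage helper: is an ArubaOS version inside one of the affected ranges
quoted in the advisory summary? Added example; not Aruba's code."""
from typing import Tuple

# Upper bounds quoted on the page ("and below"), keyed by release branch
# (major, minor). Versions above the bound in the same branch are post-fix.
AFFECTED_UPPER_BOUNDS = {
    (8, 6): (8, 6, 0, 19),
    (8, 10): (8, 10, 0, 4),
    (10, 3): (10, 3, 1, 0),
}

# The article states the bugs could not be patched in the 8.6.x branch, so
# no 8.6 release is treated as safe; the remedy is a workaround or 8.10.x.
UNPATCHABLE_BRANCHES = {(8, 6)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.10.0.4' into (8, 10, 0, 4) so comparisons are numeric."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify a version string.

    Returns one of:
      'affected-no-patch'  8.6.x: in the affected branch that gets no fix
      'affected'           at or below the quoted bound for its branch
      'fixed'              same branch, above the quoted bound
      'not-listed'         a branch the advisory summary does not name
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in UNPATCHABLE_BRANCHES:
        return "affected-no-patch"
    bound = AFFECTED_UPPER_BOUNDS.get(branch)
    if bound is None:
        return "not-listed"
    # Tuple comparison is element-wise and numeric, so (8, 10, ...) correctly
    # sorts after (8, 6, ...) and a shorter tuple such as (8, 10) sorts below
    # (8, 10, 0, 4), i.e. an unqualified 8.10 is still treated as affected.
    return "fixed" if v > bound else "affected"


def string_order_misleads() -> bool:
    """Show why naive string comparison must not be used for this check.

    Lexicographically '8.10.0.4' < '8.6.0.19' because '1' < '6', which would
    wrongly place the 8.10 bound below the 8.6 bound. Returns True to confirm
    the pitfall exists; the numeric tuples order the other way round.
    """
    naive = "8.10.0.4" < "8.6.0.19"
    numeric = parse_version("8.10.0.4") > parse_version("8.6.0.19")
    return naive and numeric


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for ver in ["8.6.0.19", "8.10.0.4", "8.10.0.5", "10.3.0.9", "10.3.1.1", "8.7.1.0"]:
        print(f"{ver:>10}  {assess(ver)}")
```

Feed `assess` the version string each controller or gateway reports; anything other than "fixed" warrants action, and "not-listed" means the branch is simply outside what this summary covers, not that it is safe.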