Multiple critical vulnerabilities have been identified in HPE Aruba Access Points, potentially allowing attackers to execute remote code and compromise systems.
These vulnerabilities affect both Instant AOS-8 and AOS-10, with some requiring authentication while others can be exploited without credentials. Below is a detailed summary of each vulnerability and its impact.
Unauthenticated Command Injection Vulnerability in the CLI Service (CVE-2024-42509)
This critical vulnerability, CVE-2024-42509, allows unauthenticated attackers to execute arbitrary code by sending specially crafted packets to the PAPI (Aruba’s Access Point Management Protocol) UDP port (8211).
Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs
The vulnerability stems from a command injection flaw in the CLI service, which, when exploited, allows an attacker to gain privileged access to the underlying operating system.
- Severity: Critical
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Discovery: Reported by zzcentury
- Workaround: For devices running Instant AOS-8, enabling cluster security via the cluster-security command will mitigate this vulnerability. For AOS-10 devices, blocking access to port UDP/8211 from untrusted networks is recommended.
Unauthenticated Command Injection Vulnerability in the CLI Service (CVE-2024-47460)
Like CVE-2024-42509, this vulnerability, CVE-2024-47460, involves command injection in the CLI service. However, due to its higher complexity, it is slightly harder to exploit.
Successful exploitation still leads to remote code execution as a privileged user.
- Severity: Critical
- CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
- Discovery: Reported by Erik De Jong
- Workaround: Enabling cluster security for Instant AOS-8 devices or blocking access to UDP/8211 for AOS-10 devices.
Authenticated Arbitrary Remote Command Execution (CVE-2024-47461)
This vulnerability, CVE-2024-47461, affecting both Instant AOS-8 and AOS-10, requires authentication but allows an attacker to execute arbitrary commands on the system, leading to full compromise of the underlying operating system.
- Severity: High
- CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- Discovery: Reported by zzcentury
- Workaround: Restrict CLI and web-based management interfaces to a dedicated VLAN or use firewall policies to limit access.
Arbitrary File Creation Vulnerability Leading to Remote Code Execution (CVE-2024-47462, CVE-2024-47463)
These vulnerabilities, CVE-2024-47462 and CVE-2024-47463, allow authenticated attackers to create arbitrary files on the system, which can lead to remote code execution.
The issue resides in the command line interface of both Instant AOS-8 and AOS-10.
- Severity: High
- CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- Discovery: Reported by zzcentury
- Workaround: As with CVE-2024-47461, restricting management interfaces to controlled segments is advised.
Authenticated Path Traversal Vulnerability (CVE-2024-47464)
This medium-severity vulnerability, CVE-2024-47464, allows authenticated attackers to access unauthorized files via the CLI in Instant AOS-8 and AOS-10.
By using path traversal exploits, attackers can copy arbitrary files to accessible locations, leading to potential data disclosure.
- Severity: Medium
- CVSS Score: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
- Discovery: Reported by Erik De Jong
- Workaround: Limit access to management interfaces through VLAN segmentation or firewall policies.
These vulnerabilities highlight the critical need for organizations using HPE Aruba Access Points to apply workarounds and updates to mitigate potential risks.
HPE Aruba Networking has acknowledged these issues and recommended securing affected systems.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!