HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBGN04659
CVE: CVE-2024-6206
Publication Date: 2024-Jun-25
Status: Confirmed
Severity: High
Revision: 1

Title
=====
Arbitrary Code Execution in HPE Athonet Mobile Core

Overview
========
HPE Aruba Networking has released a software update for the HPE
Athonet Mobile Core Platform that addresses a code injection
vulnerability.

Affected Products
=================
These vulnerabilities affect the following HPE Athonet Mobile Core
Software version unless specifically noted otherwise in the details
section:

  - Athonet Core 1.23.4.2 and below

Unaffected Products
===================
Any other HPE Networking products not specifically listed above are
not affected by these vulnerabilities.

Details
=======

Arbitrary Code Execution in Underlying Mobile Core Container (CVE-2024-6206)
----------------------------------------------------------------------------
A security vulnerability has been identified in HPE Athonet Mobile
Core software. The core application contains a code injection
vulnerability where a threat actor could execute arbitrary commands
with the privilege of the underlying container leading to complete
takeover of the target system.

  Internal Reference: PSA-279
  Severity: High
  CVSSv3 Overall Score: 7.5
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

  Discovery: This vulnerability was discovered during internal
  penetration testing by HPE Aruba Networking.

Resolution
==========
To resolve the vulnerability described above, it is recommended to
upgrade the software to the following version:

  - Athonet Core 1.24.1.0 and above

HPE Aruba Networking does not evaluate or patch HPE Athonet Mobile
Core Software versions that have reached their End of Support (EoS)
milestone.
For more information about HPE Athonet Product Lifecycle and
Versioning policy visit:

  https://www.hpe.com/psnow/doc/4aa5-5978enw?jumpid=in_pdfviewer-psnow

Workaround
==========
None.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit
code targeting this specific vulnerability as of the release date of
the advisory.

Revision History
================
Revision 1 / 2024-Jun-25 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE
Aruba Networking products and obtaining assistance with security
incidents is available at:

  https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public key can be found at:

  https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
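
Added example (not part of the HPE advisory and not HPE code): a triage check that sorts an inventory of Athonet Core versions against the two bounds stated above, and flags releases between 1.23.4.2 and 1.24.1.0, which the advisory lists as neither affected nor fixed. It assumes versions are four dot-separated integers compared numerically; the hostnames and the sample inventory are constructed.

```python
import re

# Bounds quoted from the advisory text.
LAST_AFFECTED = (1, 23, 4, 2)   # "Athonet Core 1.23.4.2 and below"
FIRST_FIXED = (1, 24, 1, 0)     # "Athonet Core 1.24.1.0 and above"

# Assumption: a version is exactly four dot-separated integers.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints, or return None if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed' for one version."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"   # an unreadable version is never treated as safe
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "fixed"
    # Between the two bounds the advisory makes no statement either way.
    return "unlisted"


def triage(inventory):
    """Group hostnames by status; every bucket except 'fixed' needs follow-up."""
    report = {"affected": [], "fixed": [], "unlisted": [], "unparsed": []}
    for host, version_text in sorted(inventory.items()):
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "core-lab-01": "1.23.4.2",    # the last affected release itself
    "core-lab-02": "1.9.12.0",    # numerically older; a string compare misorders it
    "core-prod-01": "1.24.1.0",   # the first fixed release
    "core-prod-02": "1.23.10.1",  # falls in the gap between the two bounds
    "core-edge-01": "v1.24",      # malformed version string
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9} {', '.join(hosts) or '-'}")
```

Hosts reported as unlisted or unparsed are not shown to be fixed by anything in the advisory, so they belong in the same remediation queue as the affected ones until their status is confirmed.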