-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBNW04712
CVE: CVE-2024-42505, CVE-2024-42506, CVE-2024-42507
Publication Date: 2024-SEP-24
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
HPE Aruba Networking Access Points Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released AOS software patches for Aruba Access
Points running Instant AOS-8 and AOS-10 that address multiple security
vulnerabilities.

Affected Products
=================
HPE Aruba Networking
  - Aruba Access Points running Instant AOS-8 and AOS-10

Affected Software Version(s):
  - AOS-10.6.x.x: 10.6.0.2 and below
  - AOS-10.4.x.x: 10.4.1.3 and below
  - Instant AOS-8.12.x.x: 8.12.0.1 and below
  - Instant AOS-8.10.x.x: 8.10.0.13 and below

The following software versions that are End of Support Life (EoSL) are
affected by these vulnerabilities and are not addressed by this advisory:
  - AOS-10.5.x.x: all
  - AOS-10.3.x.x: all
  - Instant AOS-8.11.x.x: all
  - Instant AOS-8.9.x.x: all
  - Instant AOS-8.8.x.x: all
  - Instant AOS-8.7.x.x: all
  - Instant AOS-8.6.x.x: all
  - Instant AOS-8.5.x.x: all
  - Instant AOS-8.4.x.x: all
  - Instant AOS-6.5.x.x: all
  - Instant AOS-6.4.x.x: all

Unaffected Products
===================
HPE Aruba Networking Mobility Conductors, Mobility Controllers, and SD-WAN
Gateways are not affected by these vulnerabilities. HPE Networking Instant
On is also not affected by these vulnerabilities.

Any other supported software versions not listed under the Affected
Products section of this advisory are not known to be affected by the
disclosed vulnerabilities.
Details
=======

Unauthenticated Command Injection Vulnerabilities in the CLI Service
Accessed by the PAPI Protocol (CVE-2024-42505, CVE-2024-42506,
CVE-2024-42507)
- ----------------------------------------------------------------------
Command injection vulnerabilities in the underlying CLI service could lead
to unauthenticated remote code execution by sending specially crafted
packets to the PAPI (Aruba's Access Point management protocol) UDP port
(8211). Successful exploitation of these vulnerabilities results in the
ability to execute arbitrary code as a privileged user on the underlying
operating system.

Internal References: ATLWL-481, ATLWL-479, ATLWL-477
Severity: Critical
CVSSv3.x Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
  These vulnerabilities were discovered and reported by Erik De Jong
  (bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.

Workaround:
  Enabling cluster-security via the cluster-security command will prevent
  these vulnerabilities from being exploited on devices running Instant
  AOS-8.x code. This option is not available on AOS-10 devices; instead,
  access to UDP port 8211 must be blocked from all untrusted networks.

Resolution
==========
To address the vulnerabilities described above in the affected software
branches, it is recommended to upgrade the Access Points to one of the
following versions (as applicable):
  - AOS-10.7.x.x: 10.7.0.0 and above
  - AOS-10.6.x.x: 10.6.0.3 and above
  - AOS-10.4.x.x: 10.4.1.4 and above
  - Instant AOS-8.12.x.x: 8.12.0.2 and above
  - Instant AOS-8.10.x.x: 8.10.0.14 and above

Software versions with resolution/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal at
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch Instant AOS and AOS
software branches that have reached their End of Support Life (EoSL)
milestone.
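The affected, EoSL and fixed version lists above are easy to misread on a large AP estate, where the same branch can be both affected (below the first fixed release) and fixed (at or above it), and where several branches get no fix at all. The following triage script is an added example and is not part of the advisory or HPE's tooling. It encodes the advisory's version tables and the per-major-release workaround, and classifies each AP by its reported a.b.c.d version string. The inventory (AP_INVENTORY) is constructed sample data; hostnames and versions are assumptions, and the script only reasons about version strings, so it cannot tell whether cluster-security is actually enabled or whether UDP/8211 is reachable from untrusted networks.

```python
"""Triage Aruba AP software versions against HPESBNW04712
(CVE-2024-42505, CVE-2024-42506, CVE-2024-42507).

Added example, not part of the advisory. The AP inventory below is
constructed sample data; a real run would feed exported (hostname, version)
pairs from whatever inventory system is in use.
"""
import re

# First fixed release per supported branch, from the Resolution section.
# A version in one of these branches is affected if it sorts below the entry.
FIRST_FIXED = {
    (10, 7): (10, 7, 0, 0),
    (10, 6): (10, 6, 0, 3),
    (10, 4): (10, 4, 1, 4),
    (8, 12): (8, 12, 0, 2),
    (8, 10): (8, 10, 0, 14),
}

# Branches the advisory lists as End of Support Life: affected, never patched.
EOSL_BRANCHES = {
    (10, 5), (10, 3),
    (8, 11), (8, 9), (8, 8), (8, 7), (8, 6), (8, 5), (8, 4),
    (6, 5), (6, 4),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Parse an 'a.b.c.d' AOS version into a comparable tuple; reject anything else."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised AOS version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def interim_mitigation(branch):
    """Workaround named in the advisory; it differs by major release."""
    if branch[0] == 10:
        return "block UDP/8211 (PAPI) from all untrusted networks"
    if branch[0] == 8:
        return "enable cluster-security"
    return "no workaround listed in the advisory for this branch"


def triage(version_text):
    """Return (status, action) for one reported version.

    status is one of 'fixed', 'affected', 'affected-eosl' or 'unlisted'.
    """
    version = parse_version(version_text)
    branch = version[:2]
    if branch in EOSL_BRANCHES:
        return ("affected-eosl",
                "no fix will be released for this branch; migrate to a supported "
                "branch; interim: " + interim_mitigation(branch))
    if branch in FIRST_FIXED:
        fixed = FIRST_FIXED[branch]
        if version >= fixed:
            return ("fixed", "no action")
        return ("affected",
                "upgrade to %s or later; interim: %s"
                % (".".join(map(str, fixed)), interim_mitigation(branch)))
    # The advisory says versions it does not list are not known to be affected.
    return ("unlisted", "branch not listed in the advisory; not known to be affected")


def triage_inventory(inventory):
    """Map hostname -> (status, action) for an iterable of (hostname, version)."""
    return {host: triage(version) for host, version in inventory}


# Constructed sample inventory (hypothetical hostnames and versions).
AP_INVENTORY = [
    ("ap-lobby-01", "10.6.0.2"),    # affected, one release below the fix
    ("ap-lab-02", "10.6.0.3"),      # first fixed 10.6 release
    ("ap-branch-03", "8.10.0.13"),  # affected Instant AOS-8.10
    ("ap-branch-04", "8.12.0.2"),   # first fixed 8.12 release
    ("ap-legacy-05", "10.5.1.0"),   # EoSL branch, no fix coming
    ("ap-old-06", "6.5.4.23"),      # EoSL Instant AOS-6.5
]

if __name__ == "__main__":
    for host, (status, action) in sorted(triage_inventory(AP_INVENTORY).items()):
        print(f"{host:14} {status:14} {action}")
```

Treat "unlisted" as a prompt to verify the branch against the current advisory revision rather than as a clean bill of health, and note that a "fixed" result says nothing about the workaround state: an AOS-10 AP that was mitigated by a firewall rule still needs the upgrade, and the rule should stay in place for any AP that cannot be upgraded.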
For more information about HPE Aruba Networking products End of Support
policy visit: https://networkingsupport.hpe.com/end-of-life

Workaround
==========
Vulnerability specific workarounds are listed per vulnerability above.
You may contact HPE Services - Aruba Networking for assistance if needed.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code
targeting these specific vulnerabilities as of the release date of the
advisory.

Revision History
================
Revision 1 / 2024-SEP-24 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmby+PkXHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE66PsAv/WF+3PcCzsI6hUsK5v+RARsZ2
XXP8jLE0jIaz5ekgjo4MIEOyqEnVQuPAS2HsOaXNeC7rlpHN17J7mJAraKdhhnqY
xgJ+k/Q4qgs9tFCDGjQxOsAVQARSLZ/fQV3dEt7Tgfk9KLn6y9O/jzWZHNhMDwV+
DoSwmZqQtmmmIbHlHDLxqaCVBeWhvhKbi+XfKWu7/9txxeHMAXBfMs9tECHEelx8
nugioNaE6ZwOMFk9cNvQ8jMSl9mtf9w1w2/H4Rjr+I7QMHSQf8RkM9cNwvWOpMmu
To1fxOwAKu+f84u/HDzzPBzqGbZAoYQ2YlLS5E1gTxDFmDIHWNjFSxZYBVegqZD1
GOGPdD8b7ijJ7V4US0QYaKG0mdgY/ETZX0shL+eYmWTTKeAplQd6+XGaqy3f3nJE
7TxlwW3qEPot/d12hOqeHR2Tiv7E4J9X5p/RVWn220iS0A0wYxpDAScrK2bZ7f5N
skNFevt+52gJFGGZpUJRpYSGU8E94v3EniMObvmb
=NjPt
-----END PGP SIGNATURE-----