HPE Aruba Networking Product Security Advisory
=============================================

Advisory ID: HPESBNW04722
CVE: CVE-2024-42509, CVE-2024-47460, CVE-2024-47461,
     CVE-2024-47462, CVE-2024-47463, CVE-2024-47464
Publication Date: 05-Nov-2024
Status: Confirmed
Severity: Critical
Revision: 1

Title
=====
HPE Aruba Networking Access Points Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released software patches for Access Points
running Instant AOS-8 and AOS-10 that address multiple security
vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Access Points running Instant AOS-8 and AOS-10

Affected Software Version(s):
- AOS-10.4.x.x: 10.4.1.4 and below
- Instant AOS-8.12.x.x: 8.12.0.2 and below
- Instant AOS-8.10.x.x: 8.10.0.13 and below

The following software versions that are End of Maintenance (EoM) are
affected by these vulnerabilities and are not addressed by this advisory:
- AOS-10.6.x.x: all
- AOS-10.5.x.x: all
- AOS-10.3.x.x: all
- Instant AOS-8.11.x.x: all
- Instant AOS-8.9.x.x: all
- Instant AOS-8.8.x.x: all
- Instant AOS-8.7.x.x: all
- Instant AOS-8.6.x.x: all
- Instant AOS-8.5.x.x: all
- Instant AOS-8.4.x.x: all
- Instant AOS-6.5.x.x: all
- Instant AOS-6.4.x.x: all

Unaffected Products
===================
HPE Aruba Networking Mobility Conductor, Mobility Controllers, and SD-WAN
Gateways are not affected by these vulnerabilities. HPE Networking InstantOn
Access Points are also not affected by these vulnerabilities.

Any other supported software versions not listed under the Affected Products
section of this advisory are not known to be affected by the disclosed
vulnerabilities.
Details
=======

Unauthenticated Command Injection Vulnerability in the CLI Service Accessed
by the PAPI Protocol (CVE-2024-42509)
---------------------------------------------------------------------
A command injection vulnerability in the underlying CLI service could lead
to unauthenticated remote code execution by sending specially crafted
packets destined to the PAPI (Aruba's Access Point management protocol) UDP
port (8211). Successful exploitation of this vulnerability results in the
ability to execute arbitrary code as a privileged user on the underlying
operating system.

Internal References: ATLWL-492
Severity: Critical
CVSSv3.x Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by zzcentury through HPE
Aruba Networking's Bug Bounty program.

Workaround:
Enabling cluster security via the cluster-security command will prevent
this vulnerability from being exploited in devices running Instant AOS-8
code. For AOS-10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks.

Unauthenticated Command Injection Vulnerability in the CLI Service Accessed
by the PAPI Protocol (CVE-2024-47460)
---------------------------------------------------------------------
A command injection vulnerability in the underlying CLI service could lead
to unauthenticated remote code execution by sending specially crafted
packets destined to the PAPI (Aruba's Access Point management protocol) UDP
port (8211). Successful exploitation of this vulnerability results in the
ability to execute arbitrary code as a privileged user on the underlying
operating system.

Internal References: ATLWL-487
Severity: Critical
CVSSv3.x Overall Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by Erik De Jong
(bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.
Workaround:
Enabling cluster security via the cluster-security command will prevent
this vulnerability from being exploited in devices running Instant AOS-8
code. For AOS-10 devices this is not an option and instead access to port
UDP/8211 must be blocked from all untrusted networks.

Authenticated Arbitrary Remote Command Execution (RCE) in Instant AOS-8 and
AOS-10 (CVE-2024-47461)
---------------------------------------------------------------------
An authenticated command injection vulnerability exists in the Instant
AOS-8 and AOS-10 command line interface. Successful exploitation of this
vulnerability results in the ability to execute arbitrary commands as a
privileged user on the underlying operating system. This allows an attacker
to fully compromise the underlying host operating system.

Internal References: ATLWL-491
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by zzcentury through HPE
Aruba Networking's Bug Bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above.

Arbitrary File Creation Vulnerability in Instant AOS-8 and AOS-10 Leads to
Authenticated Remote Command Execution (RCE) (CVE-2024-47462, CVE-2024-47463)
---------------------------------------------------------------------
An arbitrary file creation vulnerability exists in the Instant AOS-8 and
AOS-10 command line interface. Successful exploitation of this vulnerability
could allow an authenticated remote attacker to create arbitrary files,
which could lead to remote command execution (RCE) on the underlying
operating system.
Internal References: ATLWL-493, ATLWL-494
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by zzcentury through HPE
Aruba Networking's Bug Bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above.

Authenticated Path Traversal Vulnerability Leads to Remote Unauthorized
Access to Files (CVE-2024-47464)
---------------------------------------------------------------------
An authenticated path traversal vulnerability exists in Instant AOS-8 and
AOS-10. Successful exploitation of this vulnerability allows an attacker to
copy arbitrary files to a user-readable location from the command line
interface of the underlying operating system, which could lead to remote
unauthorized access to files.

Internal References: ATLWL-476
Severity: Medium
CVSSv3.x Overall Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Discovery:
This vulnerability was discovered and reported by Erik De Jong
(bugcrowd.com/erikdejong) via HPE Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above.
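The affected and fixed version ranges from this advisory, turned into a fleet triage check that also names the per-branch interim mitigation (cluster-security on Instant AOS-8, blocking UDP/8211 on AOS-10). This is an added example, not HPE Aruba Networking's code; the inventory hostnames and builds are constructed, and the fixed builds are taken from the Resolution section of this advisory.

```python
import re

# Branch (major, minor) -> first fixed build, from the Resolution section of
# HPESBNW04722; any lower build on that branch is listed as affected.
FIRST_FIXED = {
    (10, 7): (10, 7, 0, 0), (10, 4): (10, 4, 1, 5),
    (8, 12): (8, 12, 0, 3), (8, 10): (8, 10, 0, 14),
}
# End-of-Maintenance branches: every build is affected and no fix is published.
EOM_BRANCHES = {(10, 6), (10, 5), (10, 3), (8, 11), (8, 9), (8, 8),
                (8, 7), (8, 6), (8, 5), (8, 4), (6, 5), (6, 4)}

def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted four-part AOS build string such as '10.4.1.4'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    if m is None:
        raise ValueError(f"unrecognised AOS version: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(version: str) -> dict:
    """Classify one AP build against the advisory and name the action."""
    v = parse_version(version)
    branch = v[:2]
    if branch in EOM_BRANCHES:
        status, action = "affected-eom", "EoM branch: migrate to a fixed branch"
    elif branch not in FIRST_FIXED:
        status, action = "unknown", "branch not in advisory: verify manually"
    elif v >= FIRST_FIXED[branch]:
        status, action = "fixed", "none"
    else:
        fixed = ".".join(map(str, FIRST_FIXED[branch]))
        status, action = "affected", f"upgrade to {fixed} or above"
    # Interim mitigation for the unauthenticated PAPI issues, as the advisory
    # states it: Instant AOS-8 can enable cluster-security, AOS-10 cannot.
    if status.startswith("affected") and v[0] == 10:
        action += "; block UDP/8211 from untrusted networks"
    elif status.startswith("affected") and v[0] == 8:
        action += "; enable cluster-security"
    return {"version": version, "status": status, "action": action}

# Constructed sample inventory of 'hostname version' lines, not advisory data.
SAMPLE_INVENTORY = ["ap-lobby-1 10.4.1.4", "ap-lobby-2 10.4.1.5",
                    "ap-iap-3 8.12.0.2", "ap-iap-4 8.10.0.14",
                    "ap-old-5 8.11.2.1"]

if __name__ == "__main__":
    for line in SAMPLE_INVENTORY:
        host, ver = line.split()
        r = assess(ver)
        print(f"{host:12} {ver:10} {r['status']:13} {r['action']}")
```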
Resolution
==========
To address the vulnerabilities described above in the affected software
branches, it is recommended to upgrade the Access Points to one of the
following versions (as applicable):
- AOS-10.7.x.x: 10.7.0.0 and above
- AOS-10.4.x.x: 10.4.1.5 and above
- Instant AOS-8.12.x.x: 8.12.0.3 and above
- Instant AOS-8.10.x.x: 8.10.0.14 and above

Software versions with resolutions/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal.
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch Instant AOS and AOS software
branches that have reached their End of Maintenance (EoM) milestone. For
more information about the End of Support policy for HPE Aruba Networking
products, visit:
https://networkingsupport.hpe.com/end-of-life

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above. You
may contact HPE Services - HPE Aruba Networking for assistance if needed.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code
targeting these specific vulnerabilities as of the release date of the
advisory.

Revision History
================
Revision 1 / 05-Nov-2024 / Initial release

HPE Aruba Networking SIRT Security Procedures
============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2024 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.