HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: HPESBNW04772
CVE: CVE-2024-54010
Publication Date: 2025-Jan-08
Status: Confirmed
Severity: Low
Revision: 1

Title
=====
Traffic Handling Vulnerability Impacting HPE Aruba Networking CX 10000 Switch Series running AOS-CX

Overview
========
HPE Aruba Networking has released updates for HPE Aruba Networking CX 10000 Switch Series running AOS-CX that address a low-severity traffic handling vulnerability.

Affected Products
=================
HPE Aruba Networking CX 10000 Switch Series running the following CX Operating System versions:

- AOS-CX 10.15.xxxx: 10.15.0005 and below
- AOS-CX 10.14.xxxx: 10.14.1020 and below
- AOS-CX 10.13.xxxx: 10.13.1060 and below
- AOS-CX 10.10.xxxx: 10.10.1140 and below

Unaffected Products
===================
Any other supported HPE Aruba Networking products not specifically listed above are not affected by these vulnerabilities.

Details
=======

Unauthenticated Traffic Handling Flaw Allows Packet Leakage on HPE Aruba Networking CX 10000 series switches (CVE-2024-54010)
---------------------------------------------------------------------
A vulnerability exists in the firewall component of HPE Aruba Networking CX 10000 Series Switches. It could allow an unauthenticated adjacent attacker to conduct a packet forwarding attack against the ICMP and UDP protocols. For this attack to be successful, an attacker requires a switch configuration that allows packet routing (at layer 3). Configurations that do not allow network traffic routing are not impacted. Successful exploitation could allow an attacker to bypass security policies, potentially leading to unauthorized data exposure.

Internal References: ATLAX-95
Severity: Low
CVSSv3.x Overall Score: 3.4
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Discovery: This vulnerability was discovered by DXC.

Resolution
==========
Upgrade affected HPE Aruba Networking CX 10000 Series switches to one of the following HPE Aruba Networking CX Operating System branches and versions (as applicable) to resolve the vulnerabilities described in the details section:

- AOS-CX 10.15.xxxx: 10.15.1000 and above
- AOS-CX 10.14.xxxx: 10.14.1030 and above
- AOS-CX 10.13.xxxx: 10.13.1070 and above

Note: AOS-CX 10.10.xxxx will not receive fixes for this vulnerability due to regression complications. Upgrading to AOS-CX 10.13.1070 and above will address it.

Software versions with resolution/fixes for the vulnerability covered above can be downloaded from the HPE Networking Support Portal.
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch product versions that have reached their End of Maintenance (EoM) milestone. For more information about the End of Support policy for HPE Aruba Networking products, visit the HPE Networking Support Portal at https://networkingsupport.hpe.com/

Following are the supported HPE Aruba Networking CX Operating System software branches for the CX 10000 series switches as of the publication date of this advisory:

- AOS-CX 10.15.xxxx
- AOS-CX 10.14.xxxx
- AOS-CX 10.13.xxxx
- AOS-CX 10.10.xxxx

Workaround
==========
To minimize the likelihood of an attacker exploiting this vulnerability, HPE Aruba Networking recommends enabling an ingress port-based Access Control List (ACL). For ACL configuration guidance, please refer to the ACLs and Classifier Policies Guide that is available at:
https://www.arubanetworks.com/techdocs/AOS-CX/10.15/PDF/acls_832x-9300-10000.pdf

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code that targets these specific vulnerabilities as of the release date of the advisory.

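Added example (not part of the HPE advisory and not HPE code): a triage check that applies the version thresholds from the Affected Products and Resolution sections to the AOS-CX versions reported by CX 10000 switches in an inventory. The handling of a platform prefix in the version string, the status names, and the sample hostnames and versions are assumptions made for illustration.

```python
import re

# Per branch: (last affected build, first fixed build), copied from the
# "Affected Products" and "Resolution" lists of this advisory.
# None = the advisory says the branch will not receive a fix.
BRANCHES = {
    (10, 15): (5, 1000),
    (10, 14): (1020, 1030),
    (10, 13): (1060, 1070),
    (10, 10): (1140, None),
}
NO_FIX_TARGET = "10.13.1070"  # upgrade path the advisory gives for 10.10

def parse_version(text):
    """Return (major, minor, build) from e.g. '10.15.0005', else None.
    Assumption: any platform prefix before the digits can be ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(version_text):
    """Return (status, upgrade_target) for one reported AOS-CX version."""
    parsed = parse_version(version_text)
    if parsed is None:
        return ("unparsed", None)
    major, minor, build = parsed
    limits = BRANCHES.get((major, minor))
    if limits is None:
        return ("branch-not-listed", None)  # advisory is silent: check by hand
    last_affected, first_fixed = limits
    if first_fixed is None:
        # Interpretation: no fix in this branch, so every build is flagged.
        return ("affected", NO_FIX_TARGET)
    target = f"{major}.{minor}.{first_fixed:04d}"
    if build <= last_affected:
        return ("affected", target)
    if build >= first_fixed:
        return ("fixed", None)
    # Builds between the two thresholds are not classified by the advisory.
    return ("unconfirmed", target)

if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up.
    inventory = {"cx10k-a": "10.15.0005", "cx10k-b": "XX.10.13.1070",
                 "cx10k-c": "10.14.1025", "cx10k-d": "10.10.1140"}
    for host, version in inventory.items():
        print(host, version, *triage(version))
```

Builds reported as "unconfirmed" fall between the last affected and first fixed versions the advisory names, so they need a manual check against the release notes.
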
Revision History
================
Revision 1 / 2025-Jan-08 / Initial release

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public key can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.