Hewlett Packard Enterprise (HPE) has recently taken significant steps to bolster the security of its Aruba Networking Access Point products by releasing critical security patches. These patches address multiple vulnerabilities affecting devices running on Instant AOS-8 and AOS-10 firmware versions. Specifically, the firmware versions impacted are AOS-10.4.1.4 and below, Instant AOS-8.12.0.2 and below, and Instant AOS-8.10.0.13 and below. The release of these patches is a critical move by HPE to ensure the security and integrity of networks utilizing these devices. The vulnerabilities being addressed are quite severe, with two notable issues assigned CVSS scores of 9.8 and 9.0. These include CVE-2024-42509 and CVE-2024-47460, both of which are critical command injection flaws in the CLI service.
Critical Vulnerabilities and Their Implications
Among the six patched vulnerabilities, the most severe are CVE-2024-42509 and CVE-2024-47460. These vulnerabilities possess CVSS scores of 9.8 and 9.0, respectively, highlighting the significant risk they pose to affected systems. The vulnerabilities are command injection flaws within the CLI service, which allow for unauthenticated remote code execution. By sending specially crafted packets to the PAPI UDP port (8211), attackers can potentially execute arbitrary code as privileged users on impacted systems. This kind of access could lead to a multitude of damaging actions, including complete system compromise.
In response to the critical nature of these vulnerabilities, HPE has provided specific mitigation strategies. For devices running Instant AOS-8, it is advised to enable cluster security using the cluster-security command. This action can prevent unauthorized access and bolster overall network security. For AOS-10 devices, one recommended measure is to block access to UDP port 8211 from untrusted networks. This approach minimizes the risk of exploitation from external threats. Moreover, HPE emphasizes the importance of regularly applying updates and monitoring network security to prevent potential attacks.
Additional Vulnerabilities and Mitigation Strategies
In addition to the critical flaws CVE-2024-42509 and CVE-2024-47460, HPE has addressed four other vulnerabilities. These include CVE-2024-47461, an authenticated remote command execution flaw, and CVE-2024-47462 and CVE-2024-47463, both stemming from an arbitrary file creation issue. Another vulnerability, CVE-2024-47464, is a path traversal vulnerability that enables unauthorized file access. These vulnerabilities, while less critical than the command injection flaws, still pose a significant threat to network security and require immediate attention.
To further mitigate these risks, HPE recommends users restrict access to CLI and web-based management interfaces by placing them within a dedicated VLAN. Additionally, employing firewall policies at layer 3 and above can provide an extra layer of protection. Security firm Arctic Wolf has highlighted that while Aruba Networking Access Points have not yet been exploited in the wild, the potential access they present makes them attractive targets for threat actors. The firm cautions that malicious entities might attempt to reverse-engineer the patches to exploit unpatched systems.
Importance of Regular Updates and Vigilant Network Security
HPE has addressed six vulnerabilities, notably CVE-2024-42509 and CVE-2024-47460, both critical issues. In addition, they’ve fixed CVE-2024-47461, an authenticated remote command execution flaw, and CVE-2024-47462 and CVE-2024-47463, both related to arbitrary file creation. CVE-2024-47464, a path traversal vulnerability, allows unauthorized file access. Although these are less severe than the command injection flaws, they still pose significant risks to network security and demand immediate action.
To mitigate these threats, HPE advises users to restrict access to CLI and web-based management interfaces by placing them in a dedicated VLAN. Implementing firewall policies at layer 3 and above can also add an extra security layer. Arctic Wolf, a security firm, pointed out that while Aruba Networking Access Points haven’t been exploited in the wild yet, their potential access makes them appealing to threat actors. They warn that malicious parties might attempt to reverse-engineer the patches, targeting systems that haven’t yet been updated.