Pierluigi Paganini May 02, 2024

HPE Aruba Networking addressed four critical remote code execution vulnerabilities impacting its ArubaOS network operating system.

HPE Aruba Networking released April 2024 security updates that addressed four critical remote code execution (RCE) vulnerabilities affecting multiple versions of the network operating system ArubaOS.

The four vulnerabilities are unauthenticated buffer overflow issues that could be exploited to remotely execute arbitrary code.

The four critical RCE vulnerabilities are: 

• CVE-2024-26305 – Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol. The exploitation of the issue could result in unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port (8211). An attacker can trigger the issue to execute arbitrary code as a privileged user on the underlying operating system.
• CVE-2024-26304 – Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol. The exploitation of the issue could result in unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port (8211). An attacker can trigger the issue to execute arbitrary code as a privileged user on the underlying operating system.
• CVE-2024-33511 – Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol. An unauthenticated remote attacker can achieve code execution by sending specially crafted packets to the PAPI UDP port (8211). Successful exploitation allows to execute arbitrary code as a privileged user on the underlying operating system.
• CVE-2024-33512 – Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol. The exploitation of the flaw can allow unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port (8211). Successfully exploiting this vulnerability allows executing arbitrary code as a privileged user on the underlying operating system.

Below is the list of impacted products and software versions:

HPE Aruba Networking 
  - Mobility Conductor (formerly Mobility Master) 
  - Mobility Controllers 
  - WLAN Gateways and SD-WAN Gateways managed by Aruba Central 
  
Affected Software Versions: 
  - ArubaOS 10.5.x.x:       10.5.1.0 and below 
  - ArubaOS 10.4.x.x:       10.4.1.0 and below 
  - ArubaOS 8.11.x.x:       8.11.2.1 and below 
  - ArubaOS 8.10.x.x:       8.10.0.10 and below 
  
The following ArubaOS and SD-WAN software versions that are End 
of Maintenance are affected by these vulnerabilities and are not 
patched by this advisory: 
  - ArubaOS 10.3.x.x:          all 
  - ArubaOS 8.9.x.x:           all 
  - ArubaOS 8.8.x.x:           all 
  - ArubaOS 8.7.x.x:           all 
  - ArubaOS 8.6.x.x:           all 
  - ArubaOS 6.5.4.x:           all 
  - SD-WAN 8.7.0.0-2.3.0.x:    all 
  - SD-WAN 8.6.0.4-2.2.x.x:    all 

HPE Aruba Networking suggests enabling the Enhanced PAPI Security feature with a non-default key to mitigate the vulnerabilities. This mitigation works in ArubaOS 8.x, however, for ArubaOS 10.x, this vulnerability does not apply. Upgrading to one of the recommended ArubaOS 10.x versions will address the other vulnerabilities mentioned in the advisory.

At the time of this publishing, the vendor is not aware of attacks in the wild exploiting one of the flaws addressed by the April 2024 security updates.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, HPE Aruba)