Warning: Multiple vulnerabilities in Aruba products including Arbitrary Code Execution, Patch Immediately!
Sources
Aruba Networks: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt
Risks
ArubaOS and InstantOS are affected by multiple vulnerabilities, including critical unauthenticated buffer overflows that can lead to unauthenticated remote code execution. Additionally, products are affected by unauthenticated denial of service, authenticated remote code execution and sensitive information disclosure vulnerabilities.
The vendor has patched most affected systems, but warns that there is no patch available for End-of-Life (EOL) systems. At the moment of writing, there is no indication of exploitation in the wild.
Description
CVE-2023-22779 and more - Unauthenticated Buffer Overflow Vulnerabilities
The vulnerabilities affect multiple underlying services accessed through PAPI (Aruba's access point management protocol). The separate CVEs therefore describe the same vulnerability (CVE-2023-22779, CVE-2023-22780, CVE-2023-22781, CVE-2023-22782, CVE-2023-22783, CVE-2023-22784, CVE-2023-22785, CVE-2023-22786).
By sending specially crafted packets to the PAPI UDP port (8211), an unauthenticated attacker can execute arbitrary code as a privileged user on the underlying operating system.
CVE-2023-22787 - Unauthenticated Denial of Service Vulnerability
The vulnerability exists in a service accessed via the PAPI protocol and results in the ability to interrupt the normal operation of the affected access point.
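Both the buffer overflows and the denial of service above are reached through PAPI, so knowing which devices accept UDP/8211 from outside the management network helps prioritise patching. The following is an added example, not part of the original advisory or of Aruba's tooling; the CSV flow-log layout, the trusted subnets and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

PAPI_PORT = 8211  # PAPI UDP port named in the advisory

# Assumption: subnets that legitimately speak PAPI (controllers and access points).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.1.0/24")]

# Constructed sample flow records: time,src,dst,proto,dport,action
SAMPLE_FLOWS = """\
2023-05-10T08:00:01Z,10.20.0.5,10.20.1.17,udp,8211,allow
2023-05-10T08:00:02Z,192.168.50.23,10.20.1.17,udp,8211,allow
2023-05-10T08:00:03Z,192.168.50.23,10.20.1.17,tcp,8211,allow
2023-05-10T08:00:04Z,203.0.113.9,10.20.1.18,udp,8211,deny
2023-05-10T08:00:05Z,192.168.50.40,10.20.1.18,UDP,8211,allow
2023-05-10T08:00:06Z,not-an-ip,10.20.1.18,udp,8211,allow
2023-05-10T08:00:07Z,192.168.50.23,10.20.1.17,udp,53,allow
"""

def is_trusted(addr):
    """True if addr falls inside one of the trusted management subnets."""
    return any(addr in net for net in TRUSTED_NETS)

def untrusted_papi_flows(log_text):
    """Map each destination to the untrusted sources allowed to reach UDP/8211."""
    exposed = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip records that do not match the assumed layout
        _, src, dst, proto, dport, action = (f.strip() for f in row)
        if proto.lower() != "udp" or dport != str(PAPI_PORT):
            continue
        if action.lower() != "allow":
            continue  # traffic already blocked is not an exposure
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed source address
        if not is_trusted(src_ip):
            exposed[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in exposed.items()}

if __name__ == "__main__":
    for dst, srcs in untrusted_papi_flows(SAMPLE_FLOWS).items():
        print(f"{dst}: UDP/{PAPI_PORT} reachable from {', '.join(srcs)}")
```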
CVE-2023-22788 - Authenticated Remote Command Execution Vulnerabilities
By exploiting these vulnerabilities, an authenticated attacker can execute arbitrary commands as a privileged user on the underlying operating system. CVEs include: CVE-2023-22788, CVE-2023-22789, CVE-2023-22790.
CVE-2023-22791 - Sensitive Information Disclosure Vulnerability
This vulnerability is complicated to exploit as it has 3 requirements and depends on factors not controlled by the attacker. A specific network configuration and WLAN environment can lead to sensitive information disclosure via the WLAN, if the attacker already possesses valid credentials.
Recommended Actions
The Centre for Cybersecurity Belgium strongly recommends that network administrators patch the identified vulnerable products in their environment and replace any EOL products, after thorough testing. Follow the vendor's instructions.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-22779
https://nvd.nist.gov/vuln/detail/CVE-2023-22787
https://nvd.nist.gov/vuln/detail/CVE-2023-22788
https://nvd.nist.gov/vuln/detail/CVE-2023-22791