Warning: Several Critical Vulnerabilities In ArubaOS, Patch Immediately!
- CVE-2024-26304 – 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-26305 – 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-33511 – 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-33512 – 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- CVE-2024-33513 – 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
- CVE-2024-33514 – 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
- CVE-2024-33515 – 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
- CVE-2024-33516 – 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
- CVE-2024-33517 – 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
- CVE-2024-33518 – 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Sources
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt
Risks
HPE Aruba Networking has released a security advisory detailing multiple critical vulnerabilities in ArubaOS, affecting several products including WLAN Gateways and SD-WAN Gateways managed by Aruba Central, Mobility Conductor and Mobility Controller.
Some of these vulnerabilities could allow unauthenticated remote attackers to execute arbitrary code or cause denial-of-service (DoS) attacks. If exploited successfully, they grant a remote attacker full control over the compromised system, paving the way for data breaches, service interruptions, or even unauthorized network access. Currently, there's no indication of any publicly available proof-of-concept or evidence of exploitation. Nevertheless, it's crucial to recognize that this vulnerability poses a substantial threat to the confidentiality, integrity, and availability of the system.
Furthermore, network devices have attracted the attention of threat actors due to their strategic position within infrastructures. Historical trends reveal that similar vulnerabilities in network devices have been exploited by Advanced Persistent Threats (APTs) and ransomware gangs to execute devastating attacks. Therefore, it's imperative for organizations to remain vigilant and promptly address any vulnerabilities in their devices to mitigate the risk of exploitation by cyber adversaries.
Description
CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, and CVE-2024-33512
These are the highest rated vulnerabilities (9.8), and they are all buffer overflow vulnerabilities in underlying services. All of these could lead to unauthenticated remote code execution if a threat actor sends specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516 and CVE-2024-33517
These are Denial-of-Service (DoS) vulnerabilities that exist in several services accessed via the PAPI protocol. Successful exploitation of these vulnerabilities results in the ability to interrupt the normal operation of the affected service.
CVE-2024-33518
This is an unauthenticated Denial of Service (DoS) vulnerability that exists in the Radio Frequency daemon via the PAPI protocol provided by ArubaOS. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the controller.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
According to the security advisory by HPE Aruba Networking, software versions with fixes, can be downloaded from the HPE Networking Support Portal. (https://networkingsupport.hpe.com/home/). Some vulnerabilities also have specific workarounds that can be found in the advisory but do mind that these workarounds don’t always apply to all versions.
In case you have a device that has reached End-of-Maintenance, no patches are available, and we recommend replacing the device.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-26305
https://nvd.nist.gov/vuln/detail/CVE-2024-26304