
WARNING: MULTIPLE VULNERABILITIES IN HPE ARUBA NETWORKING ACCESS POINTS CAN BE EXPLOITED TO PERFORM REMOTE CODE EXECUTION. PATCH IMMEDIATELY!

Reference: 
Advisory #2024-259
Version: 
1.0
Affected software: 
HPE Aruba Networking - Access Points running Instant AOS-8 and AOS-10
Type: 
Remote code execution
CVE/CVSS: 

CVE-2024-42509: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-47460: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-47461: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-47462: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-47463: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-47464: CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)

Sources

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US

Risks

On 5 November 2024, Hewlett Packard published an advisory addressing 6 vulnerabilities in HPE Aruba Networking Access Points. Attackers could exploit 3 of these vulnerabilities to perform remote code execution.

HPE Aruba Networking Access Points are deployed worldwide.

There is no information as to active exploitation currently (cut-off date: 8 November 2024).

Exploitation of these vulnerabilities can have a high impact on confidentiality, integrity and availability.

Description

CVE-2024-42509 is a critical command injection vulnerability in the underlying CLI service. An attacker could exploit it to perform unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability could result in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2024-47460 is a command injection vulnerability in the underlying CLI service. An attacker could exploit it to perform unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability could result in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2024-47461 is an authenticated command injection vulnerability. Successful exploitation of this vulnerability could result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This could allow an attacker to fully compromise the underlying host operating system.

CVE-2024-47462 and CVE-2024-47463 are arbitrary file creation vulnerabilities. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to create arbitrary files, which could lead to remote command execution (RCE) on the underlying operating system.

CVE-2024-47464 is an authenticated path traversal vulnerability. Successful exploitation of this vulnerability could allow an attacker to copy arbitrary files to a user-readable location from the command line interface of the underlying operating system, which could lead to remote unauthorized access to files.

Recommended actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Hewlett Packard patched the vulnerabilities in the following versions:

  • AOS-10.7.x.x: 10.7.0.0 and above
  • AOS-10.4.x.x: 10.4.1.5 and above
  • Instant AOS-8.12.x.x: 8.12.0.3 and above
  • Instant AOS-8.10.x.x: 8.10.0.14 and above

Please note that these vulnerabilities affect some software versions which are End of Maintenance and for which there are no patches available:

  • AOS-10.6.x.x: all
  • AOS-10.5.x.x: all
  • AOS-10.3.x.x: all
  • Instant AOS-8.11.x.x: all
  • Instant AOS-8.9.x.x: all
  • Instant AOS-8.8.x.x: all
  • Instant AOS-8.7.x.x: all
  • Instant AOS-8.6.x.x: all
  • Instant AOS-8.5.x.x: all
  • Instant AOS-8.4.x.x: all
  • Instant AOS-6.5.x.x: all
  • Instant AOS-6.4.x.x: all
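To turn the two version lists above into a quick inventory check, the following added example (not code from the CCB or HPE) classifies a running Instant AOS-8 / AOS-10 version string as patched, vulnerable with an update available, vulnerable on an End-of-Maintenance train, or not listed in this advisory. It assumes the usual four-part dotted version format (e.g. 8.10.0.14), optionally prefixed with "AOS-".

```python
# Added example (not from the CCB advisory or HPE): triage an Instant AOS-8 / AOS-10
# version string against the fixed and End-of-Maintenance trains listed in the advisory.
from typing import Tuple

# First fixed release per supported train, as given in the advisory.
FIXED = {
    (10, 7): (10, 7, 0, 0),
    (10, 4): (10, 4, 1, 5),
    (8, 12): (8, 12, 0, 3),
    (8, 10): (8, 10, 0, 14),
}

# Trains the advisory lists as End of Maintenance with no patch available.
END_OF_MAINTENANCE = {
    (10, 6), (10, 5), (10, 3),
    (8, 11), (8, 9), (8, 8), (8, 7), (8, 6), (8, 5), (8, 4),
    (6, 5), (6, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.10.0.14' into (8, 10, 0, 14); tolerate an 'AOS-' prefix (assumed format)."""
    text = text.strip()
    if text.upper().startswith("AOS-"):
        text = text[4:]
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> str:
    """Classify a running version: 'patched', 'vulnerable-update-available',
    'vulnerable-end-of-maintenance' or 'not-listed' (train absent from the advisory)."""
    version = parse_version(text)
    train = version[:2]
    if train in FIXED:
        # Tuple comparison orders releases within the same train numerically.
        return "patched" if version >= FIXED[train] else "vulnerable-update-available"
    if train in END_OF_MAINTENANCE:
        return "vulnerable-end-of-maintenance"
    return "not-listed"


if __name__ == "__main__":
    for v in ("10.4.1.5", "10.4.1.4", "8.12.0.2", "10.6.0.3", "8.10.0.14", "10.8.0.0"):
        print(f"{v:>10} -> {assess(v)}")
```

A "not-listed" result means the train does not appear in the advisory at all; treat it as a prompt to consult the HPE bulletin rather than as a clean bill of health.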

Mitigate (Workaround)

  • For CVE-2024-42509 and CVE-2024-47460, Hewlett Packard recommends enabling cluster security via the cluster-security command, which will prevent these vulnerabilities from being exploited on devices running Instant AOS-8 code. For AOS-10 devices this is not an option; instead, access to port UDP/8211 must be blocked from all untrusted networks.
  • For CVE-2024-47462 and CVE-2024-47463, Hewlett Packard recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above to minimize the likelihood of exploitation.
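To verify that the UDP/8211 restriction described above is actually holding, the following added example (not code from the CCB or HPE) scans firewall log lines for PAPI traffic to UDP port 8211 that does not originate from a trusted management network. The log format, the trusted network ranges and the sample lines are all constructed for this illustration; adapt the regular expression and the ranges to your own firewall and addressing plan.

```python
# Added example (not from the CCB advisory or HPE): find inbound UDP/8211 (PAPI) traffic
# from outside the trusted management networks in constructed firewall log lines.
import ipaddress
import re
from typing import Iterable, List, Tuple

# Management networks assumed to be trusted (placeholder ranges, adjust to your site).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.10.1.0/24")]

PAPI_PORT = 8211  # UDP port named in the advisory

# Constructed log format: "<ts> ACTION proto=<proto> src=<ip>:<port> dst=<ip>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOGS = [  # constructed sample data
    "2024-11-08T09:00:01Z ALLOW proto=udp src=10.10.0.5:41000 dst=10.20.0.7:8211",
    "2024-11-08T09:00:02Z ALLOW proto=udp src=198.51.100.23:53312 dst=10.20.0.7:8211",
    "2024-11-08T09:00:03Z DENY proto=udp src=203.0.113.9:60000 dst=10.20.0.8:8211",
    "2024-11-08T09:00:04Z ALLOW proto=tcp src=198.51.100.23:53313 dst=10.20.0.7:443",
    "garbage line that should be ignored",
]


def is_trusted(ip: str, trusted: Iterable[ipaddress.IPv4Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def find_untrusted_papi(lines: Iterable[str], trusted=TRUSTED_NETS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, action) for every UDP/8211 packet from outside trusted nets.
    DENY entries are kept too: an ALLOW from an untrusted source means the block is missing,
    while a DENY shows the filter working and is still useful during triage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["proto"] != "udp" or int(m["dport"]) != PAPI_PORT:
            continue
        if not is_trusted(m["src"], trusted):
            hits.append((m["ts"], m["src"], m["action"]))
    return hits


if __name__ == "__main__":
    for hit in find_untrusted_papi(SAMPLE_LOGS):
        print("untrusted PAPI traffic:", hit)
```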

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US