
Aruba Networks fixes six critical vulnerabilities in ArubaOS
Aruba Networks has released a security advisory to inform customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.
The flaws affect Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN Gateways and SD-WAN Gateways.
Aruba Networks is a California-based subsidiary of Hewlett Packard Enterprise, specializing in computer networking and wireless connectivity solutions.
The critical flaws addressed by Aruba this time fall into two categories: command injection flaws and stack-based buffer overflow bugs in the PAPI protocol (Aruba Networks' access point management protocol).
All flaws were discovered by security analyst Erik de Jong, who reported them to the vendor through the official bug bounty program.
The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 rating of 9.8 out of 10.
An unauthenticated, remote attacker can leverage them by sending specially crafted packets to the PAPI over UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.
The stack-based buffer overflow bugs are tracked as CVE-2023-22751 and CVE-2023-22752, and also have a CVSS v3 rating of 9.8.
These flaws are exploitable by sending specially crafted packets to the PAPI over UDP port 8211, allowing unauthenticated, remote attackers to run arbitrary code as privileged users on ArubaOS.
The impacted versions are:
- ArubaOS 8.6.0.19 and below
- ArubaOS 8.10.0.4 and below
- ArubaOS 10.3.1.0 and below
- SD-WAN 8.7.0.0-2.3.0.8 and below
The target update versions, according to Aruba, should be:
- ArubaOS 8.10.0.5 and above
- ArubaOS 8.11.0.0 and above
- ArubaOS 10.3.1.1 and above
- SD-WAN 8.7.0.0-2.3.0.9 and above
Unfortunately, several product versions that have reached End of Life (EoL) are also affected by these vulnerabilities and will not receive a fixing update. These are:
- ArubaOS 6.5.4.x
- ArubaOS 8.7.x.x
- ArubaOS 8.8.x.x
- ArubaOS 8.9.x.x
- SD-WAN 8.6.0.4-2.2.x.x
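Reconciling the three lists above (affected, fixed, and EoL) against a fleet inventory is tedious by hand, because ArubaOS trains overlap and SD-WAN builds carry a compound version string. The script below is an added example, not Aruba's tooling and not part of the advisory: it encodes the version boundaries exactly as reported in this article, compares versions as integer tuples, and classifies each device as affected, fixed, EoL (no patch available), or unknown. The inventory it runs on is constructed sample data, and the hostnames are placeholders.

```python
import re

# Version boundaries transcribed from the advisory as reported in this article.
# Key: (product, major.minor train) -> highest affected version, inclusive.
AFFECTED_MAX = {
    ("ArubaOS", "8.6"): "8.6.0.19",
    ("ArubaOS", "8.10"): "8.10.0.4",
    ("ArubaOS", "10.3"): "10.3.1.0",
    ("SD-WAN", "2.3"): "2.3.0.8",   # SD-WAN half of 8.7.0.0-2.3.0.8
}
# Key: (product, train) -> lowest fixed version, inclusive.
FIXED_MIN = {
    ("ArubaOS", "8.10"): "8.10.0.5",
    ("ArubaOS", "8.11"): "8.11.0.0",
    ("ArubaOS", "10.3"): "10.3.1.1",
    ("SD-WAN", "2.3"): "2.3.0.9",   # SD-WAN half of 8.7.0.0-2.3.0.9
}
# EoL trains listed in the advisory: affected, but no fixing update will ship.
EOL_PREFIXES = {
    "ArubaOS": ("6.5.4", "8.7", "8.8", "8.9"),
    "SD-WAN": ("2.2",),             # SD-WAN half of 8.6.0.4-2.2.x.x
}


def parse_version(v: str) -> tuple:
    """'8.10.0.4' -> (8, 10, 0, 4); rejects anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def _sdwan_part(version: str) -> str:
    # SD-WAN builds are written '<ArubaOS base>-<SD-WAN version>'; the advisory's
    # boundaries differ only in the SD-WAN half, so that is what we compare.
    return version.split("-", 1)[1] if "-" in version else version


def classify(product: str, version: str) -> str:
    """Return 'eol', 'affected', 'fixed' or 'unknown' for one device."""
    if product == "SD-WAN":
        version = _sdwan_part(version)
    t = parse_version(version)

    # EoL check first: these trains never get a fix regardless of build number.
    for prefix in EOL_PREFIXES.get(product, ()):
        p = parse_version(prefix)
        if t[: len(p)] == p:
            return "eol"

    train = ".".join(str(x) for x in t[:2])
    key = (product, train)
    if key in FIXED_MIN and t >= parse_version(FIXED_MIN[key]):
        return "fixed"
    if key in AFFECTED_MAX and t <= parse_version(AFFECTED_MAX[key]):
        return "affected"
    # A train the advisory does not bound on both sides (e.g. 8.6.x above
    # 8.6.0.19, which has no listed fix) is reported rather than guessed at.
    return "unknown"


def audit(inventory: list) -> dict:
    """inventory: [(hostname, product, version), ...] -> {hostname: status}."""
    return {host: classify(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        ("mc-core-01", "ArubaOS", "8.10.0.4"),
        ("mc-core-02", "ArubaOS", "8.10.0.5"),
        ("mc-branch-07", "ArubaOS", "8.7.1.2"),
        ("gw-dc-01", "ArubaOS", "10.3.1.0"),
        ("sdwan-edge-03", "SD-WAN", "8.7.0.0-2.3.0.8"),
        ("sdwan-edge-04", "SD-WAN", "8.6.0.4-2.2.1.1"),
    ]
    for host, status in audit(sample).items():
        print(f"{host:14s} {status}")
```

Anything that comes back as `affected`, `eol` or `unknown` is a device on which the "Enhanced PAPI Security" workaround described below should be enabled until it can be moved to a fixed version; `eol` devices have no fixed version to move to and need a hardware or train migration plan.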
A workaround for system administrators who cannot apply the security updates or are running EoL devices is to enable the "Enhanced PAPI Security" mode using a non-default key.
However, applying the mitigations does not address another 15 high-severity and 8 medium-severity vulnerabilities listed in Aruba's security advisory, which are fixed by the new versions.
Aruba says it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory, February 28, 2022.