Aruba Networks has issued a security advisory addressing six critical vulnerabilities that exist in various versions of its proprietary operating system – ArubaOS.
Aruba Networks, formerly known as Aruba Wireless Networks, is a Santa Clara, California-based wireless networking subsidiary of Hewlett Packard Enterprise.
The critical flaws facing Aruba this time around can be divided into two categories: command injection flaws and stack-based buffer overflow issues in the Aruba Networks access point management protocol (PAPI).
Security analyst Erik de Jong discovered all the flaws and notified the vendor through the official bug bounty program.
The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 score of 9.8 out of 10. An unauthenticated, remote attacker can exploit them by sending specially crafted packets to PAPI over UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS. The affected versions are:
- ArubaOS 184.108.40.206 and below
- ArubaOS 220.127.116.11 and below
- ArubaOS 10.3.1.0 and below
- SD-WAN 18.104.22.168-22.214.171.124 and below
Unfortunately, some end-of-life (EoL) product versions are also affected by these security issues and will not receive a fix. Specifically:
- ArubaOS 6.5.4.x
- ArubaOS 8.7.xx
- ArubaOS 8.8.xx
- ArubaOS 8.9.xx
- SD-WAN 126.96.36.199-2.2.xx
System administrators who cannot deploy the necessary security updates, or who use EoL devices, can work around the problem by enabling the “Enhanced PAPI Security” feature with a non-default key.
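Because the command injection flaws are reached by unauthenticated packets sent to PAPI on UDP port 8211, a useful defensive check is to look for that traffic arriving from outside the networks expected to use it. The script below is an added example, not part of the original article or of Aruba's advisory; the flow-log format, the trusted subnets and the sample records are constructed assumptions.

```python
import csv
import io
import ipaddress

PAPI_PORT = 8211  # UDP port named in the article

# Assumption: networks that legitimately send PAPI traffic (controllers, APs,
# management hosts). Constructed values; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed sample flow export: timestamp,proto,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
2023-03-01T10:00:01Z,udp,10.20.4.17,10.20.0.5,8211
2023-03-01T10:00:02Z,udp,203.0.113.44,10.20.0.5,8211
2023-03-01T10:00:03Z,tcp,203.0.113.44,10.20.0.5,8211
2023-03-01T10:00:04Z,udp,198.51.100.9,10.20.0.5,53
2023-03-01T10:00:05Z,udp,not-an-ip,10.20.0.5,8211
2023-03-01T10:00:06Z,udp,192.168.50.12,10.20.0.6,8211
2023-03-01T10:00:07Z,udp,203.0.113.44,10.20.0.6,8211
"""

def is_trusted(addr):
    """True if the source address falls inside any trusted network."""
    return any(addr in net for net in TRUSTED_NETS)

def untrusted_papi_flows(text):
    """Return (alerts, skipped): UDP/8211 flows from untrusted sources,
    and rows that could not be parsed (kept so they are not silently lost)."""
    alerts, skipped = [], []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != 5:
            skipped.append(row)
            continue
        ts, proto, src, dst, port = (field.strip() for field in row)
        if proto.lower() != "udp" or port != str(PAPI_PORT):
            continue
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            skipped.append(row)
            continue
        if not is_trusted(src_ip):
            alerts.append({"time": ts, "src": src, "dst": dst})
    return alerts, skipped

if __name__ == "__main__":
    found, bad = untrusted_papi_flows(SAMPLE_FLOWS)
    for a in found:
        print(f"{a['time']} untrusted PAPI traffic {a['src']} -> {a['dst']}:{PAPI_PORT}/udp")
    print(f"{len(bad)} unparseable row(s) need manual review")
```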