HPE Aruba Networking has released a critical security advisory covering three vulnerabilities in its Access Points running Instant AOS-8 and AOS-10 software. The flaws, tracked as CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507, allow unauthenticated remote code execution and therefore pose a serious risk to any network in which affected APs are reachable by untrusted hosts.
Impacted Products and Software Versions
The advisory applies to Aruba Access Points running the following Instant AOS-8 and AOS-10 software versions:
- AOS-10.6.x.x: Versions 10.6.0.2 and earlier
- AOS-10.4.x.x: Versions 10.4.1.3 and earlier
- Instant AOS-8.12.x.x: Versions 8.12.0.1 and earlier
- Instant AOS-8.10.x.x: Versions 8.10.0.13 and earlier
Several End of Support Life (EoSL) release branches are also affected. Because they are out of support they will not receive fixes, so the only remediation for devices on those branches is to move them to a supported branch listed below.
Notably, HPE Aruba Networking Mobility Conductors, Mobility Controllers, SD-WAN Gateways, and Instant On products are not impacted.
These vulnerabilities, identified as CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507, are unauthenticated command injection flaws in the CLI service that the AP exposes through the PAPI protocol, Aruba's proprietary AP management protocol carried over UDP port 8211. An attacker who can send PAPI packets to a vulnerable AP can inject commands without any credentials, and successful exploitation results in arbitrary code execution as a privileged user on the AP's underlying operating system. With a CVSSv3.x base score of 9.8, the vulnerabilities are classified as critical.
Until an upgrade can be applied, the advisory offers one interim workaround per software family. For devices running Instant AOS-8.x, enable cluster security with the cluster-security command. For AOS-10 devices, block access to UDP port 8211 from all untrusted networks. These workarounds reduce exposure but do not remove the underlying flaw, so they should be treated as a stopgap rather than a substitute for upgrading.
HPE Aruba Networking strongly urges upgrading affected Access Points to the following software versions:
- AOS-10.7.x.x: Version 10.7.0.0 or above
- AOS-10.6.x.x: Version 10.6.0.3 or above
- AOS-10.4.x.x: Version 10.4.1.4 or above
- Instant AOS-8.12.x.x: Version 8.12.0.2 or above
- Instant AOS-8.10.x.x: Version 8.10.0.14 or above
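The affected and fixed version lists above differ per release branch, and a naive string comparison gets the ordering wrong (for example, "8.10.0.9" sorts after "8.10.0.14" as text). The script below, an added example that is not code from the original article or from HPE Aruba Networking, encodes the advisory's first-fixed version for each branch, parses the version strings an AP inventory typically contains, and reports each device as vulnerable, fixed, or on a branch the advisory does not list a fix for (which may be an EoSL branch). It also prints the interim workaround named above for each vulnerable device. The hostnames and the sample inventory are constructed for illustration.

```python
"""Triage an access-point inventory against the advisory's fixed versions.

Added example, not code from the original article or from HPE Aruba
Networking.  The version thresholds are the ones listed in the advisory;
the inventory at the bottom is constructed sample data, and the hostnames
are hypothetical.
"""
from __future__ import annotations

import re
from collections import defaultdict

# First fixed version on each release branch named in the advisory,
# keyed by (major, minor).  A branch missing from this table is either
# unaffected or End of Support Life (EoSL); it is reported separately
# rather than guessed at.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, ...]] = {
    (10, 7): (10, 7, 0, 0),   # AOS-10.7.x.x
    (10, 6): (10, 6, 0, 3),   # AOS-10.6.x.x
    (10, 4): (10, 4, 1, 4),   # AOS-10.4.x.x
    (8, 12): (8, 12, 0, 2),   # Instant AOS-8.12.x.x
    (8, 10): (8, 10, 0, 14),  # Instant AOS-8.10.x.x
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the four-part AOS version from strings such as
    'AOS-10.6.0.2', 'Instant AOS-8.10.0.13' or a bare '8.12.0.1'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no AOS version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted-branch' for one version.

    Tuples of ints compare lexicographically, so 8.10.0.13 < 8.10.0.14
    and 10.6.0.2 < 10.6.0.3 as intended, whereas a plain string
    comparison would wrongly rank 8.10.0.9 above 8.10.0.14.
    """
    parsed = parse_version(version)
    first_fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if first_fixed is None:
        return "unlisted-branch"
    return "fixed" if parsed >= first_fixed else "vulnerable"


def interim_mitigation(version: str) -> str:
    """Workaround the advisory gives for a device that cannot be upgraded yet."""
    major = parse_version(version)[0]
    if major == 8:
        return "enable cluster security (cluster-security command)"
    if major == 10:
        return "block UDP port 8211 (PAPI) from untrusted networks"
    return "no workaround listed in the advisory for this branch"


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hostnames by assessment result, preserving inventory order."""
    groups: dict[str, list[str]] = defaultdict(list)
    for hostname, version in inventory:
        groups[assess(version)].append(hostname)
    return dict(groups)


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "Instant AOS-8.10.0.13"),
    ("ap-lobby-02", "Instant AOS-8.10.0.14"),
    ("ap-floor2-01", "AOS-10.6.0.2"),
    ("ap-floor2-02", "AOS-10.7.0.0"),
    ("ap-lab-01", "AOS-10.5.1.0"),
]

if __name__ == "__main__":
    for hostname, version in SAMPLE_INVENTORY:
        status = assess(version)
        note = ""
        if status == "vulnerable":
            note = f"  interim: {interim_mitigation(version)}"
        print(f"{hostname:14} {version:24} {status}{note}")
```

Devices reported as "unlisted-branch" should be checked against the advisory's EoSL list by hand rather than assumed safe; the script deliberately does not claim a fix exists for a branch the advisory does not name.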
Updated software is available for download from the HPE Networking Support Portal.
These vulnerabilities were discovered and reported by Erik De Jong through HPE Aruba Networking's bug bounty program. As of the advisory's release, no public exploit code and no in-the-wild exploitation had been reported. Given that the flaws require no authentication and yield privileged code execution, administrators should upgrade affected Access Points to the fixed versions promptly and apply the interim workarounds wherever an upgrade must be delayed.