This week, Aruba Networks, a subsidiary of Hewlett Packard Enterprise (HPE), released information about ten vulnerabilities in the ArubaOS operating system, with four classified as critical. These vulnerabilities could result in the execution of arbitrary code with user privileges.
All critical vulnerabilities have a CVSS score of 9.8 and are related to buffer overflow affecting various system components. Specifically, the vulnerabilities identified are:
- CVE-2024-26305 affecting the service daemon in ArubaOS;
- CVE-2024-26304 affecting the L2/L3 management service in ArubaOS;
- CVE-2024-33511 affecting automatic reporting in ArubaOS;
- CVE-2024-33512 affecting the authentication database of local users in ArubaOS.
Although POC-Exploit code has not been released, security recommendations urge users to prioritize securing the ARuba (PAPI) UDP port, which is used to access the aforementioned components. Impacted devices include Aruba Mobility Conductors, Mobility Controllers, WLAN, and SD-WAN gateways controlled by ARuba Central.
The affected software versions that require an update include: ArubaOS 10.5.x.x: 10.5.1.0 and below; ArubaOS 10.4.x.x: 10.4.1.0 and below; ArubaOS 8.11.x.x: 8.11.2.1 and below; ArubaOS 8.10.x.x: 8.10.0.10 and below.
Vulnerable software versions that no longer receive technical support are: ArubaOS 10.3.x.x; ArubaOS 8.9.x.x; ArubaOS 8.8.x.x; ArubaOS 8.7.x.x; ArubaOS 8.