HPE patches three critical security holes in Aruba PAPI

More 9.8 bugs? Ay, papi!

by · The Register

Aruba access points running AOS-8 and AOS-10 need to be patched urgently after HPE emitted fixes for three critical flaws in its networking subsidiary's networking access points.

The issues would allow an unauthenticated attacker to run code on Aruba's systems by sending carefully crafted packets to UDP port 8211, the operating system's Proprietary Access Protocol Interface (PAPI), which would provide that miscreant privileged access to the equipment.

The three vulnerabilities - CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507 - are all rated 9.8 out of 10 on the CVSS severity scale.

The flaws affect versions of AOS 10.6.x.x (up to and including 10.6.0.2), as well as Instant AOS 8.12.x.x (8.12.0.1 and earlier versions). HPE is also warning that end-of-life code, including AOS 10.5 and 10.3, and Instant AOS-8.11 - as well as earlier incarnations - and the advice is to upgrade these systems to get protection.

"Enabling cluster-security via the cluster-security command will prevent these vulnerabilities from being exploited in devices running Instant AOS-8.x code," HPE advised in its security alert. "For AOS-10 devices this is not an option and instead access to UDP port 8211 must be blocked from all untrusted networks."

It's not the first time PAPI has been shown to have serious problems this year. Back in May, four critical flaws in the system were fixed by Aruba after proof of concept exploit code was released, and then issued more patches less than a week later.

These patches will be of particular concern to sysadmins within the US military. Back in 2020, Aruba scored a major win by becoming the preferred supplier to the Pentagon after the military fell out with Cisco and started replacing its kit.

HPE credited the flaws' discovery to Erik de Jong, a part-time flaw finder whose day job is as a security officer for the Netherlands telco DELTA Fiber. The vulnerabilities were submitted via Bugcrowd, and he has credited his hobby to paying a chunk off his mortgage.

At the time of publication, HPE said that it had seen no evidence that the issues are being exploited in the wild. However, now that patches are out, and given their seriousness, that's likely to change. ®

Patch up – 4 critical bugs in ArubaOS lead to remote code executionTen vulnerabilities in total for admins to applyConnor Jones, 02 May 2024Aruba's AI strategy cuts the backchat, talks network automation insteadWhat's NaaS? Whatever customers need it to beSimon Sharwood, 25 Apr 2023HPE bakes LLMs into Aruba as AI inches closer to network takeoverBut don't worry, the models are here to help summarize technical docs and answer your questions ... for nowTobias Mann, 28 Mar 2024