Aruba Networks, a subsidiary of Hewlett Packard Enterprise, has recently released a security advisory to inform its customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system. The affected devices include Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN Gateways and SD-WAN Gateways.
The critical flaws addressed by Aruba Networks can be separated into two categories: command injection flaws and stack-based buffer overflow problems in the PAPI protocol. The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 rating of 9.8 out of 10.0. An unauthenticated, remote attacker can leverage them by sending specially crafted packets to the PAPI over UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.
The stack-based buffer overflow bugs are tracked as CVE-2023-22751 and CVE-2023-22752 and also have a CVSS v3 rating of 9.8. These flaws are exploitable by sending specially crafted packets to the PAPI over UDP port 8211, allowing unauthenticated, remote attackers to run arbitrary code as privileged users on ArubaOS.
The impact of these vulnerabilities is significant, as ArubaOS is a popular network operating system used by many enterprises. The affected versions are ArubaOS 8.6.0.19 and below, ArubaOS 8.10.0.4 and below, ArubaOS 10.3.1.0 and below, and SD-WAN 8.7.0.0-2.3.0.8 and below.
Aruba has advised users to upgrade to the target upgrade versions to mitigate the vulnerabilities. The target versions for the different systems are as follows:
ArubaOS 8.10.0.5 and above
ArubaOS 8.11.0.0 and above
ArubaOS 10.3.1.1 and above
SD-WAN 8.7.0.0-2.3.0.9 and above
However, it is important to note that several product versions that have reached End of Life (EoL) are also affected by these vulnerabilities and will not receive a fixing update. These include ArubaOS 6.5.4.x, ArubaOS 8.7.x.x, ArubaOS 8.8.x.x, ArubaOS 8.9.x.x, and SD-WAN 8.6.0.4-2.2.x.x. System administrators who cannot apply the security updates or are using EoL devices can enable the “Enhanced PAPI Security” mode using a non-default key as a workaround.
It is also worth noting that applying the mitigations does not address another 15 high-severity and eight medium-severity vulnerabilities listed in Aruba’s security advisory, which are fixed by the new versions.
Aruba has stated that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory, February 28, 2022. However, given the severity of the vulnerabilities, it is important for enterprises to take prompt action to upgrade their systems or implement the recommended mitigations to avoid potential attacks that could lead to data breaches and other security incidents.
Despite the recent security advisory, Aruba Networks remains a leading provider of cutting-edge networking products and services that are designed to meet the unique needs of today’s businesses. Let’s explore some of their key products with ArubaOS.
HPE JZ320A – Aruba AP303 Access Point
JZ320A is the Aruba AP-303 (RW) Dual 2×2:2 MU-MIMO Radio Internal Antennas Unified Campus AP. The affordable mid-range Aruba 303 Series campus access point delivers high performance 802.11ac with MU-MIMO (Wave 2) for medium density enterprise environments. With the integrated BLE and supporting 802.3af power, the Aruba 303 Series AP enables enterprises to improve their work efficiency and productivity with the lowest TCO.
HPE Q9H57A – Aruba AP514 Access Point
The 510 series uses 802.11ax features to efficiently and simultaneously serve multiple clients and traffic types in dense environments, increasing data rates for both individual device and overall system.
JW743A – HPE Aruba 7200 Series Controllers
JL376A Switch
