Aruba Networks Fixes Six Critical RCE Vulnerabilities Affecting ArubaOS
In a recent security advisory, Aruba Networks disclosed thirty-three vulnerabilities. Six of them were rated as critical. The vulnerabilities were discovered through a bug bounty program and affect several ArubaOS versions in Aruba Mobility Conductor, Aruba Mobility Controllers, and WLAN and SD-WAN Gateways managed by Aruba Central.
CVEs listed in the advisory can be divided into command injections and stack-based buffer overflow vulnerabilities, all of which have a CVSS score of 9.8.
Affected ArubaOS Versions
The vulnerabilities reside in Aruba Networks’ access point management control protocol, known as the PAPI protocol, and affect the following ArubaOS versions:
- ArubaOS 18.104.22.168 and below
- ArubaOS 22.214.171.124 and below
- ArubaOS 10.3.1.0 and below
- SD-WAN 126.96.36.199-188.8.131.52 and below
How Do the Vulnerabilities Affect?
The CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750 command injection vulnerabilities could allow a remote attacker to execute arbitrary code as privileged users on ArubaOS without authentication, by sending specific packets to the PAPI through UDP port 8211.
As of the advisory’s release date, Aruba was unaware of any public discussion, exploit code or active exploitation of these vulnerabilities. Security researchers recommended patching your products to protect against possible attack cases.
The recommended upgrade versions are listed below:
- ArubaOS 184.108.40.206 and above
- ArubaOS 220.127.116.11 and above
- ArubaOS 10.3.1.1 and above
- SD-WAN 18.104.22.168-22.214.171.124 and above
Unfortunately, some end-of-life versions are also vulnerable, and no fixing update will be available for them:
- ArubaOS 6.5.4.x
- ArubaOS 8.7.x.x
- ArubaOS 8.8.x.x
- ArubaOS 8.9.x.x
- SD-WAN 126.96.36.199-2.2.x.x
Aruba Suggests Workaround
Aruba provides an alternative solution for system administrators who cannot install security updates or use devices that have reached the end-of-life.
They suggest restricting communication between Controller/Gateways and Access-Points by having a separate layer 2 segment/VLAN, or by setting up firewall policies to limit communication for authorized devices if the Controller/Gateways and Access-Points cross layer 3 boundaries.
You can also enable the Enhanced PAPI Security feature to protect against the aforementioned PAPI vulnerabilities. However, the workaround does not address the other high-severity and medium-severity vulnerabilities that are listed in Aruba’s security advisory.
Better Patch Vulnerabilities with SOCRadar
SOCRadar tracks all recent vulnerabilities and sends alerts if any of your digital assets encounter security threats. SOCRadar’s XTI (Extended Threat Intelligence) is aware of all security threats and will effectively assist you in managing actions to thwart these threats. It has a unique SVRS (SOCRadar Vulnerability Risk Score) that evaluates information from various resources, including social media mentions, etc.