SOCRadar® Cyber Intelligence Inc. | Blog
Mar 02, 2023

Aruba Networks Fixes Six Critical RCE Vulnerabilities Affecting ArubaOS

In a recent security advisory, Aruba Networks disclosed thirty-three vulnerabilities. Six of them were rated as critical. The vulnerabilities were discovered through a bug bounty program and affect several ArubaOS versions in Aruba Mobility Conductor, Aruba Mobility Controllers, and WLAN and SD-WAN Gateways managed by Aruba Central.

The six critical CVEs fall into two classes, command injection and stack-based buffer overflow, and each carries a CVSS score of 9.8.

Affected ArubaOS Versions

The vulnerabilities reside in Aruba Networks’ access point management control protocol, known as the PAPI protocol, and affect the following ArubaOS versions:

  • ArubaOS 8.6.0.19 and below
  • ArubaOS 8.10.0.4 and below
  • ArubaOS 10.3.1.0 and below
  • SD-WAN 8.7.0.0-2.3.0.8 and below

How Do the Vulnerabilities Affect Systems?

The command injection vulnerabilities CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750 could allow an unauthenticated remote attacker to execute arbitrary code as a privileged user on ArubaOS by sending specially crafted packets to the PAPI service on UDP port 8211.

CVE-2023-22751 and CVE-2023-22752 are stack-based buffer overflow vulnerabilities; they can also lead to unauthenticated remote code execution through the same vector, crafted PAPI packets on UDP port 8211.

Recommendations

As of the advisory’s release date, Aruba was unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities. Security researchers nevertheless recommend patching affected products before an exploit becomes available.

The recommended upgrade versions are listed below:

  • ArubaOS 8.10.0.5 and above
  • ArubaOS 8.11.0.0 and above
  • ArubaOS 10.3.1.1 and above
  • SD-WAN 8.7.0.0-2.3.0.9 and above

Unfortunately, some end-of-life versions are also vulnerable, and no fix will be released for them:

  • ArubaOS 6.5.4.x
  • ArubaOS 8.7.x.x
  • ArubaOS 8.8.x.x
  • ArubaOS 8.9.x.x
  • SD-WAN 8.6.0.4-2.2.x.x
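The three version lists above (affected, recommended upgrade, end-of-life) are easy to misread by hand because the ArubaOS branches are fixed independently and the SD-WAN versions carry two version numbers joined by a hyphen. The following is an added example, not SOCRadar's or Aruba's own tooling, that encodes those lists as branch-scoped rules and classifies a device inventory. The inventory rows, hostnames, and the `8.6.0.20` version are constructed for illustration; the rules are taken only from the lists quoted in this article, so a version the advisory does not mention is reported as `unknown` rather than guessed at.

```python
"""Classify ArubaOS and SD-WAN firmware versions against the affected,
fixed and end-of-life branches quoted in the advisory summary above.
Added example for this article; not SOCRadar's or Aruba's own tooling."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Rules transcribed from the version lists in the article. Each entry is
# (version, branch_len): the rule applies only to versions whose first
# branch_len components match it, so "8.6.0.19 and below" says nothing
# about 8.10.x, and a version the advisory does not cover stays "unknown".
RULES: Dict[str, Dict[str, List[Tuple[str, int]]]] = {
    "ArubaOS": {
        # Branches that will never receive a fix.
        "eol": [("6.5.4", 3), ("8.7", 2), ("8.8", 2), ("8.9", 2)],
        # "X and below" on the same major.minor branch is affected.
        "affected_ceiling": [("8.6.0.19", 2), ("8.10.0.4", 2), ("10.3.1.0", 2)],
        # "X and above" on the same major release is patched.
        "fixed_floor": [("8.10.0.5", 1), ("8.11.0.0", 1), ("10.3.1.1", 1)],
    },
    "SD-WAN": {
        # SD-WAN versions are <ArubaOS base>-<SD-WAN release>, parsed as one tuple.
        "eol": [("8.6.0.4-2.2", 6)],
        "affected_ceiling": [("8.7.0.0-2.3.0.8", 6)],
        "fixed_floor": [("8.7.0.0-2.3.0.9", 4)],
    },
}


def parse_version(text: str) -> Version:
    """Turn '8.10.0.4' or '8.7.0.0-2.3.0.8' into a flat tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+)*(-\d+(\.\d+)*)?", text):
        raise ValueError(f"not an ArubaOS/SD-WAN version string: {text!r}")
    return tuple(int(part) for part in re.split(r"[.-]", text))


def _same_branch(v: Version, rule: Version, n: int) -> bool:
    return v[:n] == rule[:n]


def classify(product: str, version: str) -> str:
    """Return 'end-of-life', 'patched', 'vulnerable' or 'unknown'.

    EOL is checked first: an EOL version is below the fix floor too, but the
    remediation differs (replace or isolate the device rather than upgrade).
    """
    v = parse_version(version)
    rules = RULES[product]
    for prefix, n in rules["eol"]:
        if _same_branch(v, parse_version(prefix), n):
            return "end-of-life"
    for floor, n in rules["fixed_floor"]:
        f = parse_version(floor)
        if _same_branch(v, f, n) and v >= f:
            return "patched"
    for ceiling, n in rules["affected_ceiling"]:
        c = parse_version(ceiling)
        if _same_branch(v, c, n) and v <= c:
            return "vulnerable"
    return "unknown"


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group device names from (name, product, version) rows by status."""
    report: Dict[str, List[str]] = {}
    for name, product, version in inventory:
        report.setdefault(classify(product, version), []).append(name)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("mc-hq-01", "ArubaOS", "8.10.0.4"),         # affected, fix available
    ("mc-hq-02", "ArubaOS", "8.10.0.5"),         # patched
    ("mc-branch-a", "ArubaOS", "8.9.0.3"),       # end-of-life, no fix coming
    ("mc-lab", "ArubaOS", "8.6.0.20"),           # not covered by the advisory lists
    ("gw-site-1", "SD-WAN", "8.7.0.0-2.3.0.8"),  # affected, fix available
    ("gw-site-2", "SD-WAN", "8.6.0.4-2.2.0.1"),  # end-of-life
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:12s} {', '.join(hosts)}")
```

Devices reported as `vulnerable` go on the upgrade list; `end-of-life` devices cannot be upgraded and are the ones the network-segmentation and Enhanced PAPI Security workaround below is meant for; `unknown` means the advisory's published lists do not cover that version, so the vendor advisory itself should be consulted rather than assuming the device is safe.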

Aruba Suggests Workaround

Aruba provides an alternative for system administrators who cannot install the security updates or who run devices that have reached end of life.

They suggest restricting communication between Controllers/Gateways and Access Points by placing them on a dedicated layer 2 segment/VLAN, or, where the Controllers/Gateways and Access Points cross layer 3 boundaries, by setting up firewall policies that allow this traffic only from authorized devices.

You can also enable the Enhanced PAPI Security feature to protect against the PAPI vulnerabilities described above. However, this workaround does not address the other high- and medium-severity vulnerabilities listed in Aruba’s security advisory.

Better Patch Vulnerabilities with SOCRadar

SOCRadar tracks recently disclosed vulnerabilities and sends alerts when any of your digital assets are exposed to them. SOCRadar’s XTI (Extended Threat Intelligence) helps you prioritize and manage the actions needed to address these threats. It includes a unique SVRS (SOCRadar Vulnerability Risk Score) that combines information from various sources, including social media mentions.
