Hewlett Packard Enterprise (HPE) has issued urgent security updates to address multiple vulnerabilities in Aruba Networking Access Point products. The patches target six flaws, including two critical bugs that could allow unauthorized command execution.
Affected Products
The vulnerabilities impact Access Points running:
- AOS-10.4.x.x (version 10.4.1.4 and earlier)
- Instant AOS-8.12.x.x (version 8.12.0.2 and earlier)
- Instant AOS-8.10.x.x (version 8.10.0.13 and earlier)
Critical Vulnerabilities
The most severe flaws are:
- CVE-2024-42509 (CVSS score: 9.8)
- CVE-2024-47460 (CVSS score: 9.0)
Both are unauthenticated command injection vulnerabilities in the CLI Service. If exploited, they could lead to arbitrary code execution with privileged user access.
Additional Vulnerabilities
HPE also patched four other security issues:
- CVE-2024-47461 (CVSS score: 7.2): Authenticated remote command execution
- CVE-2024-47462 and CVE-2024-47463 (CVSS scores: 7.2): Arbitrary file creation leading to authenticated remote command execution
- CVE-2024-47464 (CVSS score: 6.8): Authenticated path traversal vulnerability allowing unauthorized file access
Mitigation Steps
For Instant AOS-8 devices:
- Enable cluster security using the cluster-security command
For AOS-10 devices:
- Block access to UDP port 8211 from untrusted networks
General recommendations:
- Restrict access to CLI and web-based management interfaces
- Place management interfaces in a dedicated VLAN
- Implement firewall policies to control access at layer 3 and above
Potential Threat
While no exploits have been reported in the wild, security experts warn that Aruba Network access points are attractive targets for threat actors. The vulnerabilities could provide privileged access, making them a high-priority concern for organizations using affected devices.
HPE urges all users to apply the security patches promptly to protect their networks from potential attacks.