HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems.
A. Nature of the Vulnerabilities
CVE-2024-26304 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
CVE-2024-26305 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
CVE-2024-33511 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
CVE-2024-33512 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol
B. Affected Versions
The vulnerabilities, which impact Mobility Conductor (formerly Mobility Master), Mobility Controllers, and WLAN Gateways and SD-WAN Gateways managed by Aruba Central, are present in the following software versions –
- ArubaOS 10.5.1.0 and below
- ArubaOS 10.4.1.0 and below
- ArubaOS 8.11.2.1 and below
- ArubaOS 8.10.0.10 and below
They also impact the following ArubaOS and SD-WAN software versions, which have reached end-of-maintenance status and will not receive a fix –
- ArubaOS 10.3.x.x
- ArubaOS 8.9.x.x
- ArubaOS 8.8.x.x
- ArubaOS 8.7.x.x
- ArubaOS 8.6.x.x
- ArubaOS 6.5.4.x
- SD-WAN 8.7.0.0-2.3.0.x
- SD-WAN 8.6.0.4-2.2.x.x
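To turn the affected-version lists above into an inventory check, here is an added example (not from the advisory or from HPE Aruba) that classifies ArubaOS version strings against the boundaries stated in sections B. The hostnames and versions in the sample inventory are constructed; the SD-WAN build strings use a different format and are not handled here.

```python
# Added example: classify ArubaOS versions against the advisory's affected ranges.
# Boundaries come from the advisory text; anything in a branch it does not list
# (e.g. a later release train) is reported as "not-listed" rather than guessed.
from typing import Dict, Iterable, Tuple

Version = Tuple[int, ...]

# Branches with a patched build: (major, minor) -> highest affected build.
PATCH_BOUNDARIES: Dict[Tuple[int, int], Version] = {
    (10, 5): (10, 5, 1, 0),
    (10, 4): (10, 4, 1, 0),
    (8, 11): (8, 11, 2, 1),
    (8, 10): (8, 10, 0, 10),
}

# End-of-maintenance branches: every build is affected and no fix is coming.
EOM_BRANCHES = [(10, 3), (8, 9), (8, 8), (8, 7), (8, 6), (6, 5, 4)]


def parse_version(text: str) -> Version:
    """'8.10.0.9' -> (8, 10, 0, 9); short strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def classify(version: str) -> str:
    v = parse_version(version)
    for prefix in EOM_BRANCHES:
        if v[: len(prefix)] == prefix:
            return "affected-eom"          # must move to a maintained branch
    boundary = PATCH_BOUNDARIES.get(v[:2])
    if boundary is None:
        return "not-listed"               # check the vendor PSA for this branch
    # Tuple comparison is element-wise, so 8.10.0.11 sorts above 8.10.0.10.
    return "affected" if v <= boundary else "not-affected"


def scan_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Lines look like '<hostname> ArubaOS <version>' (constructed format)."""
    result = {}
    for line in lines:
        host, _product, version = line.split()
        result[host] = classify(version)
    return result


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [
    "mc-dc1-01 ArubaOS 8.10.0.9",
    "mc-dc1-02 ArubaOS 8.10.0.11",
    "mm-core ArubaOS 10.5.1.0",
    "gw-branch ArubaOS 8.7.1.5",
]
```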
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Kindly review and apply the necessary updates/workaround to mitigate future threats.
- For additional information, kindly refer to the official report:
- https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt