Multiple critical vulnerabilities have been identified in HPE Aruba Access Points, affecting both Instant AOS-8 and AOS-10 versions. These vulnerabilities, discovered by cybersecurity researchers, pose a significant risk to organizations using these devices. They allow attackers to remotely execute arbitrary code, potentially compromising the underlying operating system of affected devices. Among the most severe vulnerabilities are command injection flaws, which allow attackers to inject malicious commands into the system, granting them privileged access. These vulnerabilities are tracked under CVEs CVE-2024-42509, CVE-2024-47460, and CVE-2024-47461, with CVE-2024-42509 being particularly dangerous as it can be exploited by unauthenticated attackers.
The most critical of these flaws, CVE-2024-42509, allows unauthenticated attackers to execute arbitrary code by sending specially crafted packets to the device’s management protocol (PAPI), opening the door to full system compromise. A similar vulnerability, CVE-2024-47460, involves command injection but requires slightly more effort to exploit. Though more complex, both vulnerabilities share the potential to compromise devices remotely without requiring prior authentication, making them particularly dangerous for organizations using vulnerable systems.
Another critical vulnerability, CVE-2024-47461, requires authentication but still allows attackers to execute arbitrary commands on the system, leading to a full compromise. In addition, CVEs CVE-2024-47462 and CVE-2024-47463, which allow authenticated attackers to create arbitrary files, can also lead to remote code execution, further escalating the severity of the situation. The final vulnerability, CVE-2024-47464, is a medium-severity path traversal issue that allows attackers to access unauthorized files on the device. While not as critical as the others, this flaw can still lead to potential data exposure.
To mitigate these risks, HPE Aruba has recommended several workarounds, such as enabling security measures like cluster security on Instant AOS-8 devices and blocking access to certain UDP ports for AOS-10 devices. Additionally, restricting access to management interfaces through VLAN segmentation or firewall policies is advised for all affected systems. Organizations are strongly encouraged to update to the latest software versions to ensure they are protected from these vulnerabilities. HPE Aruba Networking has acknowledged the flaws and is working to address them with additional security patches.