Protocol bug leaves Aruba access points exposed
HPE enterprise wi-fi business unit Aruba Networks has disclosed the latest round of security patches for its access points.
Eight buffer overflow vulnerabilities were found in “multiple underlying services” accessible via Aruba’s access point management protocol, PAPI, accessed through UDP port 8211.
Crafted packets sent to port 8211 could trigger the vulnerabilities, giving a remote attacker arbitrary code execution on the products’ operating system, as a privileged user.
The bugs are present in ArubaOS and InstantOS, and the company warned that not all branches of these operating systems can be patched.
“Due to the structure of these specific vulnerabilities, the only branches to receive a patch were ArubaOS 10.4.0.0 and above; InstantOS 8.11.x: 126.96.36.199 and above; and Aruba InstantOS 188.8.131.52 and above,” the company wrote.
For customers unable to upgrade to fixed branches, there are some workarounds.
In devices running InstantOS 8.x or 6.x code, admins can enable cluster security to block the exploit.
However, this is not an option for ArubaOS 10 devices; instead, UDP port 8211 must be blocked from all untrusted networks, the company said.
There’s also a high severity denial-of-service in PAPI, CVE-2023-22787, again in a service accessed using PAPI. Aruba doesn’t yet have a patch, but blocking UDP port 8821 again provides mitigation.
There are also three high-severity command injection bugs (CVE-2023-22788, CVE-2023-22789, CVE-2023-22790) in the Aruba InstantOS and ArubaOS 10 command line interface which, if exploited, provide remote code execution as a privileged user of the operating system.
The bugs were reported to Aruba by Erik de Jong and Daniel Jensen via its bug bounty program, and by Zack Colgan of ClearBearing.