HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.

The advisory lists ten vulnerabilities, four of which are critical-severity (CVSS v3.1: 9.8) unauthenticated buffer overflow problems that can lead to remote code execution (RCE).

Products impacted by the newly disclosed flaws are:

• HPE Aruba Networking Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed by Aruba Central.
• ArubaOS 10.5.1.0 and below, 10.4.1.0 and older, 8.11.2.1 and below, and 8.10.0.10 and older.
• All versions of ArubaOS and SD-WAN that have reached EoL. This includes ArubaOS below 10.3, 8.9, 8.8, 8.7, 8.6, 6.5.4, and SD-WAN 2.3.0 through 8.7.0.0 and 2.2 through 8.6.0.4.

The four critical remote code execution flaws are: 

• CVE-2024-26305 – Flaw in ArubaOS’s Utility daemon allowing an unauthenticated attacker to execute arbitrary code remotely by sending specially crafted packets to the PAPI (Aruba’s access point management protocol) UDP port (8211).
• CVE-2024-26304 – Flaw in the L2/L3 Management service, permitting unauthenticated remote code execution through crafted packets sent to the PAPI UDP port.
• CVE-2024-33511 – Vulnerability in the Automatic Reporting service that can be exploited by sending specially crafted packets to the PAPI protocol port to allow unauthenticated attackers to execute arbitrary code remotely.
• CVE-2024-33512 – Flaw allowing unauthenticated remote attackers to execute code by exploiting a buffer overflow in the Local User Authentication Database service accessed via the PAPI protocol.

To mitigate the flaws the vendor recommends enabling Enhanced PAPI Security and upgrading to patched versions for ArubaOS.

The latest versions also address another six vulnerabilities, all rated “medium” in severity (CVSS v3.1: 5.3 – 5.9) which could allow unauthenticated attackers to create denial of service on vulnerable devices and cause costly operational disruptions.

The target upgrade versions that address all ten flaws are:

• ArubaOS 10.6.0.0 and above 
• ArubaOS 10.5.1.1 and above 
• ArubaOS 10.4.1.1 and above 
• ArubaOS 8.11.2.2 and above 
• ArubaOS 8.10.0.11 and above 

At this time, HPE Aruba Networking is not aware of any cases of active exploitation or the existence of proof-of-concept (PoC) exploits for the mentioned vulnerabilities.

Still, system administrators are recommended to apply the available security updates as soon as possible.