- 130/2024
- Critical
Aruba has released a security update to fix multiple vulnerabilities affecting several Aruba products.
The addressed vulnerabilities could allow the unauthenticated remote attacker to perform denial of service attacks, or execute arbitrary code and gain access to the affected products.
Sample of the addressed vulnerabilities:
1. HPE ArubaOS Remote Code Execution Vulnerability (CVE-2024-26305):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. HPE ArubaOS Denial-of-Service Vulnerability (CVE-2024-33513):
- CVSS: 5.9
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
Sample of the affected products:
- PE Aruba Networking:
o Mobility Conductor (formerly Mobility Master).
o Mobility Controllers.
o WLAN Gateways and SD-WAN Gateways managed by Aruba Central. - Aruba Software Versions:
o ArubaOS 10.5.x.x to 10.5.1.0 and below.
o ArubaOS 10.4.x.x to 10.4.1.0 and below.
o ArubaOS 8.11.x.x to 8.11.2.1 and below. - o ArubaOS 8.10.x.x to 8.10.0.10 and below.
Vulnerabilities
- CVE-2024-26304
- CVE-2024-26305
- CVE-2024-33511
- CVE-2024-33512
- CVE-2024-33513
- CVE-2024-33514
- CVE-2024-33515
- CVE-2024-33516
- CVE-2024-33517
- CVE-2024-33518
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.