- 219/2024
- Critical
Aruba has released security updates to fix multiple vulnerabilities affecting several HPE Aruba products.
The addressed vulnerabilities could allow the remote attacker to bypass security restrictions, perform denial of service attacks, or execute arbitrary commands and gain access to the affected products.
Sample of the addressed vulnerabilities:
1. Unauthenticated Stack-Based Buffer Overflow (RCE) in the Soft AP Daemon Service Accessed by the PAPI Protocol (CVE-2024-42393):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Unauthenticated Denial-of-Service (DoS) in the AP Certificate Management Service Accessed by the PAPI Protocol (CVE-2024-42396):
- CVSS: 5.3
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
Sample of affected products:
- ArubaOS 10.6.x.x: 10.6.0.0 and below.
- ArubaOS 10.4.x.x: 10.4.1.3 and below.
- InstantOS 8.12.x.x: 8.12.0.1 and below.
- InstantOS 8.10.x.x: 8.10.0.12 and below.
Vulnerabilities
- CVE-2023-48795
- CVE-2023-51385
- CVE-2024-42393
- CVE-2024-42394
- CVE-2024-42395
- CVE-2024-6387
- CVE-2024-42396
- CVE-2024-42397
- CVE-2024-42398
- CVE-2024-42399
- CVE-2024-42400
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.