- 75/2024
- High
Aruba has released a security update to fix multiple vulnerabilities affecting HPE Aruba OS.
The addressed vulnerabilities could allow the remote attacker to obtain sensitive information, perform denial of service attacks, or execute arbitrary commands and gain access to the affected products.
Sample of the addressed vulnerabilities:
1. Authenticated Remote Command Execution in the ArubaOS Command Line Interface (CVE-2024-1356):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
2. Authenticated Arbitrary File Deletion in ArubaOS CLI (CVE-2024-25614):
- CVSS: 5.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Denial of Service
Affected Software Versions:
- ArubaOS 10.5.0.1 and below.
- ArubaOS 10.4.0.3 and below.
- ArubaOS 8.11.2.0 and below.
- ArubaOS 8.10.0.9 and below.
It should be highlighted that, the following ArubaOS and SD-WAN software versions are End of Maintenance and not patched by this advisory:
- ArubaOS 10.3.x.x.
- ArubaOS 8.9.x.x.
- ArubaOS 8.8.x.x.
- ArubaOS 8.7.x.x.
- ArubaOS 8.6.x.x.
- ArubaOS 6.5.4.x.
- SD-WAN 8.7.0.0-2.3.0.x.
- SD-WAN 8.6.0.4-2.2.x.x.
Vulnerabilities
- CVE-2024-1356
- CVE-2024-25611
- CVE-2024-25612
- CVE-2024-25613
- CVE-2024-25614
- CVE-2024-25615
- CVE-2024-25616
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.