Security Advisory: Critical Vulnerabilities in Aruba Networking Access Points (CVE-2024-42509, CVE-2024-47460)

Hewlett Packard Enterprise (HPE) has recently identified and patched multiple vulnerabilities in Aruba Networking Access Points, including two critical flaws that could allow unauthenticated attackers to execute commands remotely. These vulnerabilities pose a significant risk, as Aruba Access Points are widely used in enterprise environments.

The most critical issues, CVE-2024-42509 and CVE-2024-47460, have CVSS scores of 9.8 and 9.0, respectively, highlighting the urgency to address them. We strongly advise organizations to review their systems and apply the necessary updates or mitigations as outlined below.

For HPE’s official advisory, please visit: HPE Support Center.

Critical Vulnerabilities in Aruba Networking Access Points (CVE-2024-42509, CVE-2024-47460) Technical Overview

HPE has disclosed six vulnerabilities affecting Aruba Access Points running Instant AOS-8 and AOS-10 software. These vulnerabilities are categorized as follows:

1. CVE-2024-42509 & CVE-2024-47460 (Critical, CVSS: 9.8 & 9.0)
   • Impact: Unauthenticated Command Injection via specially crafted packets sent to UDP port 8211.
   • Result: Arbitrary code execution with privileged user rights.
2. CVE-2024-47461 (High, CVSS: 7.2)
   • Impact: Authenticated remote command execution.
   • Result: Potential compromise of the operating system.
3. CVE-2024-47462 & CVE-2024-47463 (High, CVSS: 7.2)
   • Impact: Arbitrary file creation by authenticated users.
   • Result: Remote command execution risks.
4. CVE-2024-47464 (Medium, CVSS: 6.8)
   • Impact: Authenticated path traversal vulnerability.
   • Result: Unauthorized access to files.

Affected Versions:

• AOS-10.4.x.x: 10.4.1.4 and below
• Instant AOS-8.12.x.x: 8.12.0.2 and below
• Instant AOS-8.10.x.x: 8.10.0.13 and below

What We Suggest to Mitigate Critical Vulnerabilities in Aruba Networking Access Points (CVE-2024-42509, CVE-2024-47460)

1. Apply Security Updates:

• Upgrade to the latest software versions:
  • AOS-10.7.x.x: 10.7.0.0 or later
  • AOS-10.4.x.x: 10.4.1.5 or later
  • Instant AOS-8.12.x.x: 8.12.0.3 or newer
  • Instant AOS-8.10.x.x: 8.10.0.14 or above

2. Implement Workarounds (if updates are not immediately possible):

• Critical Vulnerabilities (CVE-2024-42509 & CVE-2024-47460):
  • Restrict/block access to UDP port 8211 from all untrusted networks.
• Other Vulnerabilities:
  • Place management interfaces (CLI/Web) on a dedicated VLAN or Layer 2 segment.
  • Control access via firewall policies at Layer 3 and above.

3. Monitor Network Activity:

• Regularly audit and monitor Aruba Access Points for unusual activities.