Security Bulletin: Multiple ArubaOS Vulnerabilities

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

ArubaOS Command Injection and Remote Code Execution Vulnerability  

Identifier: CVE-2024-42505
CVSS Score: 9.8 (Critical)  
Update Guide: Visit the Aruba Support Portal for detailed instructions on patching and updates. 

Description: CVE-2024-42505 is a critical vulnerability in ArubaOS, affecting certain versions of wireless controllers and access points. This flaw allows for command injection through the PAPI (Aruba's Access Point management protocol), which runs on UDP port 8211. If exploited, an unauthenticated attacker can remotely execute arbitrary code on the system, potentially leading to a full compromise of the affected device and associated networks.

Affected Versions:

• AOS-10.6.x.x: Versions 10.6.0.2 and below.
• AOS-10.4.x.x: Versions 10.4.1.3 and below.
• Instant AOS-8.12.x.x: Versions 8.12.0.1 and below.
• Instant AOS-8.10.x.x: Versions 8.10.0.13 and below.

Note: Some versions have reached End of Support Life (EoSL), such as AOS-10.5.x.x and Instant AOS-8.11.x.x, and are not covered by this advisory. It is strongly recommended to upgrade to a supported version.

 Mitigation and Patching Instructions: 

1. Download the Patch: 
Aruba Networks has released updates to mitigate CVE-2024-42505. To secure your devices:

• Visit the Aruba Support Portal and log in to access the download section for patches.
• Search for the specific software update corresponding to your affected version.

2. Apply Specific Patch Versions:
To address CVE-2024-42505, upgrade to the following versions or higher:

• AOS-10.7.x.x: Upgrade to version 10.7.0.0 and above.
• AOS-10.6.x.x: Upgrade to version 10.6.0.3 and above.
• AOS-10.4.x.x: Upgrade to version 10.4.1.4 and above.
• Instant AOS-8.12.x.x: Upgrade to version 8.12.0.2 and above.
• Instant AOS-8.10.x.x: Upgrade to version 8.10.0.14 and above.

3. Enable Cluster Security (for Instant AOS-8 Devices):

• Run the `cluster-security` command to enable security features that block exploitation of the vulnerability.
  

4. Block PAPI Port for AOS-10 Devices:
After applying the patch:

• Since "cluster-security" is unavailable for AOS-10 devices, block access to UDP port 8211 from untrusted networks to prevent remote exploitation.

5. Verify Patch Deployment: 

• After applying the patch, verify that the device version matches the patched version.
• Monitor device behavior to ensure normal operations and check for any signs of abnormal activity or attempts to exploit the vulnerability.

Further Details: For more technical details on the vulnerability, you can refer to the National Vulnerability Database entry for CVE-2024-42505. Immediate action is recommended due to the severity and potential impact of this vulnerability on network security.

ArubaOS Privilege Escalation Vulnerability  

Identifier:  CVE-2024-42506  
CVSS Score: 8.8 (High)     
Update Guide: Visit the Aruba Support Portal for patches and further guidance on mitigating this vulnerability.

Description: CVE-2024-42506 is a high-severity vulnerability within ArubaOS, which affects certain Aruba wireless controllers and access points. This vulnerability arises due to improper access control mechanisms within certain API endpoints. Attackers who have limited access can exploit this flaw to escalate their privileges, potentially allowing them to execute arbitrary commands or modify configurations on the affected device.

Affected Versions:

• AOS-10.6.x.x: Versions 10.6.0.2 and below.
• AOS-10.4.x.x: Versions 10.4.1.3 and below.
• Instant AOS-8.12.x.x: Versions 8.12.0.1 and below.
• Instant AOS-8.10.x.x: Versions 8.10.0.13 and below.

Note: Some versions of ArubaOS have reached End of Support Life (EoSL), such as AOS-10.5.x.x and Instant AOS-8.11.x.x. Users running these versions are strongly advised to upgrade to a supported version immediately.

Mitigation and Patching Instructions: 

1. Download the Patch: 
Aruba Networks has released software updates to mitigate CVE-2024-42506. To secure your devices:

• Visit the Aruba Support Portal and log in to access the patch download section.
• Locate the correct software update for your affected version.

2. Apply the Appropriate Patch Version:  

To address CVE-2024-42506, Aruba recommends upgrading to the following versions or later:

• AOS-10.7.x.x: Upgrade to version 10.7.0.0 or above.
• AOS-10.6.x.x: Upgrade to version 10.6.0.3 or above.
• AOS-10.4.x.x: Upgrade to version 10.4.1.4 or above.
• Instant AOS-8.12.x.x: Upgrade to version 8.12.0.2 or above.
• Instant AOS-8.10.x.x: Upgrade to version 8.10.0.14 or above.

3. Verification of the Patch:  

• Once the patch has been applied, confirm the system version to ensure that it matches the patched release.
• Monitor the system post-update to confirm that it is functioning correctly without any anomalies.

4. Post-Patch Security Measures:
After applying the patch:

• Conduct security audits and monitor logs for any unusual activities or attempts to exploit the vulnerability before the patch was applied.
• Regularly check for any further updates or advisories from Aruba Networks.

Further Details: For detailed technical information on CVE-2024-42506, please refer to the National Vulnerability Database entry: CVE-2024-42506. Immediate patching is strongly advised to prevent any potential exploitation and to maintain the integrity and security of the Aruba network devices.

ArubaOS Unauthorized Access Vulnerability   

Identifier:  CVE-2024-42507  
CVSS Score: 9.4 (Critical)        
Update Guide: Visit the Aruba Support Portal for downloading patches and further details on remediation. 

Description: CVE-2024-42507 is a critical vulnerability affecting ArubaOS, which is present in specific versions of wireless controllers and access points. This flaw allows unauthenticated attackers to bypass security controls by sending specially crafted network packets, which could lead to unauthorized access to sensitive system functions and potentially result in a compromise of the device and network security.

Affected Versions:

• AOS-10.6.x.x: Versions 10.6.0.2 and below.
• AOS-10.4.x.x: Versions 10.4.1.3 and below.
• Instant AOS-8.12.x.x: Versions 8.12.0.1 and below.
• Instant AOS-8.10.x.x: Versions 8.10.0.13 and below.

Note: Several versions of ArubaOS have reached End of Support Life (EoSL), such as AOS-10.5.x.x and Instant AOS-8.11.x.x. It is strongly advised for users on these versions to upgrade immediately to a supported version.

Mitigation and Patching Instructions: 

1. Download the Patch: 
Aruba Networks has provided patches to mitigate CVE-2024-42507. To secure your devices:

• Access the Aruba Support Portal and log in to locate the appropriate patch.
• Search for the version-specific updates for the affected ArubaOS devices.

2. Apply the Appropriate Patch Version:  
To address this vulnerability, update your systems to one of the following patched versions:

• AOS-10.7.x.x: Upgrade to version 10.7.0.0 or above.
• AOS-10.6.x.x: Upgrade to version 10.6.0.3 or above.
• AOS-10.4.x.x: Upgrade to version 10.4.1.4 or above.
• Instant AOS-8.12.x.x: Upgrade to version 8.12.0.2 or above.
• Instant AOS-8.10.x.x: Upgrade to version 8.10.0.14 or above.

3. Verification of the Patch:  

• After applying the patches, confirm that the device firmware version matches the patched release.
• Test your system to ensure that all functions are operating as expected.

4. Ongoing Security Measures:   

• Perform security audits to detect any suspicious activities or exploitation attempts before patching.
• Keep the firmware updated by regularly checking for any new advisories from Aruba Networks.

Further Details: For more technical details on CVE-2024-42507, you can refer to the National Vulnerability Database entry: CVE-2024-42507. Aruba Networks recommends that all users of affected devices apply patches promptly to prevent any potential exploitation and to secure the integrity of their network environments.