Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
WARNING: MULTIPLE VULNERABILITIES IN HPE ARUBA NETWORKING ACCESS POINTS CAN BE EXPLOITED TO PERFORM REMOTE CODE EXECUTION. PATCH IMMEDIATELY!
Image
Published : 08/11/2024
Reference:
Advisory #2024-259
Version:
1.0
Affected software:
HPE Aruba Networking - Access Points running Instant AOS-8 and AOS-10
Type:
Remote code execution
CVE/CVSS:
CVE-2024-42509: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-47460: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2024-47461: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-47462: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-47463: CVSS7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-47464: CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
Sources
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US
Risks
On 5 November 2024, Hewlett Packard published an advisory addressing 6 vulnerabilities in HPE Aruba Networking Access Points. Attackers could exploit 3 of these vulnerabilities to perform remote code execution.
HPE Aruba Networking Access Points are devices found across the globe.
There is no information as to active exploitation currently (cut-off date: 8 November 2024).
Exploitation of these vulnerabilities can have a high impact on confidentiality, integrity and availability.
Description
CVE-2024-42509 is a critical command injection vulnerability in the underlying CLI service. An attacker could exploit it to perform unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability could result in the ability to execute arbitrary code as a privileged user on the underlying operating system.
CVE-2024-47460 is a command injection vulnerability in the underlying CLI service. An attacker could exploit it to perform unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability could result in the ability to execute arbitrary code as a privileged user on the underlying operating system.
CVE-2024-47461 is an authenticated command injection vulnerability. A successful exploitation of this vulnerability could result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This could allow an attacker to fully compromise the underlying host operating system.
CVE-2024-47462 and CVE-2024-47463 are arbitrary file creation vulnerabilities. Successful exploitation of this vulnerability could allow an authenticated remote attacker to create arbitrary files, which could lead to a remote command execution (RCE) on the underlying operating system.
CVE-2024-47464 is an authenticated Path Traversal vulnerability. Successful exploitation of this vulnerability could allow an attacker to copy arbitrary files to a user readable location from the command line interface of the underlying operating system, which could lead to a remote unauthorized access to files.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Hewlett Packard patched the vulnerabilities in the following versions:
- AOS-10.7.x.x: 10.7.0.0 and above
- AOS-10.4.x.x: 10.4.1.5 and above
- Instant AOS-8.12.x.x: 8.12.0.3 and above
- Instant AOS-8.10.x.x: 8.10.0.14 and above
Please note that these vulnerabilities affect some software versions which are End of Maintenance and for which there are no patches available:
- AOS-10.6.x.x: all
- AOS-10.5.x.x: all
- AOS-10.3.x.x: all
- Instant AOS-8.11.x.x: all
- Instant AOS-8.9.x.x: all
- Instant AOS-8.8.x.x: all
- Instant AOS-8.7.x.x: all
- Instant AOS-8.6.x.x: all
- Instant AOS-8.5.x.x: all
- Instant AOS-8.4.x.x: all
- Instant AOS-6.5.x.x: all
- Instant AOS-6.4.x.x: all
Mitigate(Workaround)
- For CVE- CVE-2024-42509 and CVE-2024-47460, Hewlett Packard recommends enabling cluster security via the cluster-security command will prevent this vulnerability from being exploited in devices running Instant AOS-8 code. For AOS-10 devices this is not an option and instead access to port UDP/8211 must be blocked from all untrusted networks.
- For CVE-2024-47462 and CVE-2024-47463, Hewlett Packard recommends the CLI, and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above to minimize the likelihood of exploitation.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US