Aruba Networks published a security advisory to inform customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.
The flaws impact Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN Gateways and SD-WAN Gateways.
Aruba Networks is a California-based subsidiary of Hewlett Packard Enterprise, specializing in computer networking and wireless connectivity solutions.
The critical flaws addressed by Aruba this time can be separated into two categories: command injection flaws and stack-based buffer overflow problems in the PAPI protocol (Aruba Networks access point management protocol).
All flaws were discovered by security analyst Erik de Jong, who reported them to the vendor via the official bug bounty program.
The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 rating of 9.8 out of 10.0.
An unauthenticated, remote attacker can leverage them by sending specially crafted packets to the PAPI over UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.
The stack-based buffer overflow bugs are tracked as CVE-2023-22751 and CVE-2023-22752, and also have a CVSS v3 rating of 9.8.
These flaws are exploitable by sending specially crafted packets to the PAPI over UDP port 8211, allowing unauthenticated, remote attackers to run arbitrary code as privileged users on ArubaOS.
The impacted versions are:
- ArubaOS 188.8.131.52 and below
- ArubaOS 184.108.40.206 and below
- ArubaOS 10.3.1.0 and below
- SD-WAN 220.127.116.11-18.104.22.168 and below
The target upgrade versions, according to Aruba, should be:
- ArubaOS 22.214.171.124 and above
- ArubaOS 126.96.36.199 and above
- ArubaOS 10.3.1.1 and above
- SD-WAN 188.8.131.52-184.108.40.206 and above
Unfortunately, several product versions that have reached End of Life (EoL) are also affected by these vulnerabilities and will not receive a fixing update. These are:
- ArubaOS 6.5.4.x
- ArubaOS 8.7.x.x
- ArubaOS 8.8.x.x
- ArubaOS 8.9.x.x
- SD-WAN 220.127.116.11-2.2.x.x
A workaround for system administrators who cannot apply the security updates or are using EoL devices is to enable the “Enhanced PAPI Security” mode using a non-default key.
However, applying the mitigations does not address another 15 high-severity and eight medium-severity vulnerabilities listed in , which are fixed by the new versions.
Aruba states that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory, February 28, 2022.