Multiple Vulnerabilities in Aruba Products Could Allow for Arbitrary Code Execution.

Multiple vulnerabilities have been discovered in Aruba Products, the most severe of which could allow for arbitrary code execution. Aruba Mobility Conductor is an advanced WLAN deployed as a virtual machine (VM) or installed on an x86-based hardware appliance. Aruba Mobility Controller is a WLAN hardware controller in a virtualized environment managing WLAN Gateways and SD-WAN Gateways that are managed by Aruba Central.

Successful exploitation of the most severe vulnerabilities could enable arbitrary code execution within the context of the affected service account. Depending on the privileges associated with the service account, an attacker could install programs, view, change, or delete data, or create new accounts with full user rights. Service accounts that are configured with fewer user rights on the system may experience less impact compared to those operating with administrative user rights.

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Aruba OS versions prior to 10.3.1.0
  • Aruba Instant OS versions prior to 8.10.0.4
  • Aruba Instant OS versions prior to 8.6.0.19
  • Aruba Instant OS versions prior to 6.5.4.23
  • Aruba Instant OS versions prior to 6.4.4.8-4.2.4.20


Security Officer Comments:
Publicly accessible networking appliances increase the attack surface of an organization's network. They provide potential entry points for attackers to exploit vulnerabilities and gain unauthorized access to the network. Networking appliances, like any other software or hardware, can have vulnerabilities. If these vulnerabilities are successfully exploited by attackers, they can compromise the appliance and gain control over the network infrastructure. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

Suggested Corrections:
To fully patch the PAPI vulnerabilities disclosed above, customers must upgrade to the following versions:

  • ArubaOS 10.4.x: 10.4.0.0 and above
  • Aruba InstantOS 8.11.x: 8.11.0.0 and above
  • Aruba InstantOS 8.10.x: 8.10.0.3 and above


For those who implement the cluster-security workarounds documented in the detail sections above, all other vulnerabilities except for the PAPI buffer overflow vulnerabilities are addressed by upgrading to the following versions:

  • ArubaOS 10.4.x: 10.4.0.0 and above
  • ArubaOS 10.3.x: 10.3.1.1 and above
  • Aruba InstantOS 8.10.x: 8.10.0.5 and above
  • Aruba InstantOS 8.6.x: 8.6.0.20 and above
  • Aruba InstantOS 6.5.x: 6.5.4.24 and above
  • Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.21 and above
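To check an inventory of ArubaOS and InstantOS version strings against the two fixed-version lists above (the full PAPI fix list and the list for the remaining vulnerabilities), here is an added helper that is not part of the advisory or of Aruba's tooling. The version tables are copied from the lists above; the inventory at the bottom is constructed sample data, and compound InstantOS versions such as 6.4.4.8-4.2.4.21 are compared segment by segment on both sides of the hyphen.

```python
import re

# Minimum fixed versions, keyed by release branch, copied from the advisory.
PAPI_FIXED = {"10.4": "10.4.0.0", "8.11": "8.11.0.0", "8.10": "8.10.0.3"}
OTHER_FIXED = {"10.4": "10.4.0.0", "10.3": "10.3.1.1", "8.10": "8.10.0.5",
               "8.6": "8.6.0.20", "6.5": "6.5.4.24", "6.4": "6.4.4.8-4.2.4.21"}

_VERSION_RE = re.compile(r"\d+(\.\d+)+(-\d+(\.\d+)*)?")


def parse_version(v):
    """'6.4.4.8-4.2.4.21' -> ((6, 4, 4, 8), (4, 2, 4, 21)); '8.10.0.5' -> ((8, 10, 0, 5), ()).
    Tuples compare lexicographically, so a missing build suffix sorts below any present one."""
    v = v.strip()
    if not _VERSION_RE.fullmatch(v):
        raise ValueError(f"unrecognised version string: {v!r}")
    main, _, build = v.partition("-")
    main_t = tuple(int(x) for x in main.split("."))
    build_t = tuple(int(x) for x in build.split(".")) if build else ()
    return main_t, build_t


def branch_of(v):
    """Release branch used as the key in the fixed-version tables, e.g. '8.10'."""
    main, _ = parse_version(v)
    return f"{main[0]}.{main[1]}"


def check(v):
    """Classify an installed version against both lists.
    True = at or above the fixed version, False = below it,
    None = the branch has no entry in that list (no fix stated for it here)."""
    branch, installed = branch_of(v), parse_version(v)
    result = {}
    for name, table in (("papi", PAPI_FIXED), ("other", OTHER_FIXED)):
        fixed = table.get(branch)
        result[name] = None if fixed is None else installed >= parse_version(fixed)
    return result


def needs_upgrade(inventory):
    """Return hostnames whose version is below, or absent from, the full PAPI fix list."""
    return sorted(h for h, v in inventory.items() if check(v)["papi"] is not True)


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported version), not real devices.
    sample = {"ap-lobby": "8.10.0.4", "ap-lab": "6.4.4.8-4.2.4.20", "ctrl-1": "10.4.0.0"}
    for host, ver in sample.items():
        print(host, ver, check(ver))
    print("needs upgrade for PAPI fix:", needs_upgrade(sample))
```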


For information about Aruba's End of Support policy, visit: https://www.arubanetworks.com/support-services/end-of-life/

Workaround:
To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above. Vulnerability-specific workarounds are listed per vulnerability above. Please note that this advisory contains specific workarounds and patching instructions for critical security vulnerabilities. Contact Aruba Support for any configuration assistance.

Link(s):
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt