Aruba warns of critical security gaps in its own access points.
The manufacturer warns of critical security gaps in the firmware of access points from Aruba, a Hewlett Packard Enterprise subsidiary. Unauthenticated attackers could inject and execute malicious code using manipulated packets. Updated firmware is available, and administrators should install it quickly.
A bundle of critical vulnerabilities stems from potential buffer overflows in several services, which can be triggered by carefully crafted packets sent to the PAPI (Aruba Networks AP Management Protocol) service. By default, the service listens on UDP port 8211. Injected malicious code runs as a privileged user on the underlying operating system (CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, CVE-2022-37889; CVSS 9.8, risk “critical”).
In addition, unauthenticated users can trigger buffer overflows in the web management interface. This would allow them to run arbitrary commands in the operating system (CVE-2022-37890, CVE-2022-37891; CVSS 9.8, critical).
Other vulnerabilities include a stored cross-site scripting flaw. Attackers could use it without logging in to inject arbitrary script code that runs in a victim's browser (CVE-2022-37892, CVSS 8.1, high). Denial of service attacks are possible due to a vulnerability in the Diffie-Hellman key exchange protocol, also known as the D(HE)ater attack (CVE-2002-20001, CVSS 7.5, high). Aruba’s security advisory lists several other security vulnerabilities in the older firmware versions.
Access points running the following operating system versions are affected:
- Aruba InstantOS 6.4.x: 126.96.36.199-188.8.131.52 and earlier
- Aruba InstantOS 6.5.x: 184.108.40.206 and earlier
- Aruba InstantOS 8.6.x: 220.127.116.11 and earlier
- Aruba InstantOS 8.7.x: 18.104.22.168 and earlier
- Aruba InstantOS 8.10.x: 22.214.171.124 and earlier
- ArubaOS 10.3.x: 10.3.1.0 and earlier
Aruba lists newer and updated firmware on the access point support download page. Administrators should quickly download and install the latest firmware for their device. For devices running older firmware, administrators should first check whether they can be upgraded to a supported release. If this is not possible, IT managers should replace the old vulnerable hardware with newer devices.
Admins of Aruba switches last had to take action a month ago. Otherwise, attackers could have run their own code on the vendor’s switches.