- Aruba is patching multiple vulnerabilities that impact Aruba Mobility Conductor, Aruba Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed by Aruba Central.
- Successful exploitation of these vulnerabilities can allow attackers to execute arbitrary code as a privileged user.
- Aruba provided a workaround for the critical-severity vulnerabilities but urged users to update their products as soon as possible.
Aruba published an advisory to inform users about multiple critical vulnerabilities and urged them to install the patches as soon as possible. Six critical-severity vulnerabilities impact Aruba’s proprietary network operating system, ArubaOS. The vulnerabilities affect Aruba Mobility Conductor, Aruba Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed by Aruba Central.
Unauthenticated command injections
According to the advisory, multiple command injection vulnerabilities were found that can lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI UDP port. When successfully exploited, these vulnerabilities allow attackers to execute arbitrary code as a privileged user on the underlying operating system. The vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750 and have a CVSSv3 overall score of 9.8.
Aruba also patched two buffer overflow vulnerabilities, tracked as CVE-2023-22751 and CVE-2023-22752. These stack-based buffer overflow vulnerabilities could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI UDP port. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system. These vulnerabilities also have a CVSSv3 score of 9.8.
As a workaround, enabling the Enhanced PAPI Security feature with a non-default key will prevent exploitation of these vulnerabilities. These vulnerabilities were discovered and reported by Erik de Jong via Aruba’s Bug Bounty Program.
Along with these vulnerabilities, Aruba also patched multiple other lower-severity vulnerabilities. Aruba urged users to upgrade to the following versions:
- ArubaOS 8.10.x.x: 8.10.0.5 and above
- ArubaOS 8.11.x.x: 8.11.0.0 and above
- ArubaOS 10.3.x.x: 10.3.1.1 and above
- SD-WAN 8.7.0.0-2.3.0.x: 8.7.0.0-2.3.0.9 and above
The following ArubaOS and SD-WAN software versions that are End of Life are affected by these vulnerabilities and are not patched:
- ArubaOS 6.5.4.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.9.x.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all
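As an added example that is not from the advisory or from Aruba's own tooling, the following Python script checks inventory version strings against the fixed and End-of-Life branches listed above, so a defender can triage which devices still need an upgrade or the Enhanced PAPI Security workaround. The version-string format (dot-separated numbers, with a hyphen joining the two parts of an SD-WAN version) and the inventory sample are assumptions.

```python
"""Triage ArubaOS / SD-WAN versions against the advisory's fixed and EOL branches."""
import re

# Branch prefix -> first fixed version; None means End of Life (no patch available).
FIXED = {
    "ArubaOS": {
        (8, 10): "8.10.0.5",
        (8, 11): "8.11.0.0",
        (10, 3): "10.3.1.1",
        (6, 5, 4): None,
        (8, 7): None,
        (8, 8): None,
        (8, 9): None,
    },
    "SD-WAN": {
        (8, 7, 0, 0, 2, 3, 0): "8.7.0.0-2.3.0.9",
        (8, 6, 0, 4, 2, 2): None,
    },
}

def parse_version(v):
    """'8.7.0.0-2.3.0.9' -> (8, 7, 0, 0, 2, 3, 0, 9); rejects anything else."""
    if not re.fullmatch(r"\d+(\.\d+)*(-\d+(\.\d+)*)?", v):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in re.split(r"[.-]", v))

def assess(product, version):
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unknown' for one device."""
    parts = parse_version(version)
    branches = FIXED.get(product, {})
    # Try the most specific branch prefix first (e.g. 6.5.4 before a shorter 6.5).
    for prefix, fixed in sorted(branches.items(), key=lambda kv: -len(kv[0])):
        if parts[:len(prefix)] == prefix:
            if fixed is None:
                return "end-of-life"
            return "patched" if parts >= parse_version(fixed) else "vulnerable"
    return "unknown"

def needs_action(inventory):
    """Filter (host, product, version) rows to those not confirmed patched."""
    return [(h, p, v, assess(p, v)) for h, p, v in inventory if assess(p, v) != "patched"]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("mc-core-1", "ArubaOS", "8.10.0.4"),
    ("mc-core-2", "ArubaOS", "8.10.0.5"),
    ("branch-gw-7", "SD-WAN", "8.7.0.0-2.3.0.8"),
    ("legacy-ctrl", "ArubaOS", "8.9.0.3"),
]
```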