Aruba Networks has release patches for 14 vulnerabilities, including three critical, affecting multiple versions of ArubaOS, its proprietary network operating system. These vulnerabilities impact a wide range of Aruba access points running InstantOS and ArubaOS 10, potentially putting corporate networks at risk of remote code execution attacks.
The critical flaws, identified as CVE-2023-45614, CVE-2023-45615, and CVE-2023-45616, with a CVSS score of 9.8 categorized as buffer overflows, reside in the PAPI protocol, Aruba’s proprietary access point management protocol. Exploitation of these vulnerabilities allows an attacker to execute arbitrary code as a privileged user on the affected device, potentially gaining complete control over the network. The vulnerabilities can be triggered by sending specially crafted packets to the PAPI UDP port (8211).
The following ArubaOS and InstantOS versions are affected by these critical vulnerabilities:
- ArubaOS 10.5.x.x: 10.5.0.0 and below
- ArubaOS 10.4.x.x: 10.4.0.2 and below
- InstantOS 8.11.x.x: 188.8.131.52 and below
- InstantOS 8.10.x.x: 184.108.40.206 and below
- InstantOS 8.6.x.x: 220.127.116.11 and below
Aruba Networks has released software updates to address these vulnerabilities. The recommended target upgrade versions are:
- ArubaOS 10.5.x.x: 10.5.0.1 and above
- ArubaOS 10.4.x.x: 10.4.0.3 and above
- InstantOS 8.11.x.x: 18.104.22.168 and above
- InstantOS 8.10.x.x: 22.214.171.124 and above
- InstantOS 8.6.x.x: 126.96.36.199 and above
Affected users must upgrade their ArubaOS or InstantOS installations to the latest versions immediately to mitigate the risk of exploitation.
Several versions of ArubaOS and InstantOS that have reached their End of Life are also affected and will not receive updates to rectify these vulnerabilities. These include:
- ArubaOS 10.3.x.x: all
- InstantOS 8.9.x.x: all
- InstantOS 8.8.x.x: all
- InstantOS 8.7.x.x: all
- InstantOS 8.5.x.x: all
- InstantOS 8.4.x.x: all
- InstantOS 6.5.x.x: all
- InstantOS 6.4.x.x: all
Aruba Networks has stated that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory. However, users need to remain vigilant and apply the available security updates promptly to minimize the risk of future attacks.