HPE Aruba fixes several Access Point vulnerabilities


HPE Aruba has released security updates to address multiple critical vulnerabilities in its Aruba Access Points running InstantOS and ArubaOS 10 that could potentially allow unauthorized remote attackers to execute arbitrary code and take control of affected systems.

The most severe vulnerabilities, tracked as CVE-2024-42393, CVE-2024-42394, and CVE-2024-42395, all carry a CVSS score of 9.8 and reside in the Soft AP Daemon Service and the AP Certificate Management Service. Successful exploitation of these flaws could enable attackers to remotely execute commands on the underlying operating system, leading to a complete system compromise.

HPE Aruba Networking strongly recommends that customers upgrade their Access Points to the latest software versions to mitigate these risks. Specific patches and updated versions are available for InstantOS 8.12.x.x, InstantOS 8.10.x.x, ArubaOS 10.6.x.x, and ArubaOS 10.4.x.x.

Customers running end-of-maintenance software versions are particularly vulnerable, as these versions are not covered by the security advisory. HPE Aruba Networking urges users of these older versions to migrate to supported branches as soon as possible.

HPE Aruba Networking has also provided workarounds for some vulnerabilities:

  • Enabling cluster security or blocking access to specific ports from untrusted networks.
  • Restricting access to CLI and web-based management interfaces to a dedicated network segment or VLAN.
  • Implementing firewall policies for added protection.

For detailed information on the vulnerabilities, refer to the official HPE security advisory.
