Critical Vulnerabilities in Aruba Access Points
12 May 2023
Aruba has released security patches to address critical vulnerabilities (CVE-2023-22779, CVE-2023-22780, CVE-2023-22781, CVE-2023-22782, CVE-2023-22783, CVE-2023-22784, CVE-2023-22785 and CVE-2023-22786) in Aruba access points running InstantOS and ArubaOS 10.
Successful exploitation of the buffer overflow vulnerabilities in PAPI (Aruba Networks' access point management protocol) could allow an unauthenticated remote attacker to execute arbitrary code as a privileged user on the underlying operating system. Exploitation requires only that specially crafted packets reach the PAPI service on User Datagram Protocol (UDP) port 8211; no credentials are needed. The vulnerabilities affect the following versions (including several that have reached End of Life (EoL)):
ArubaOS 10.3.1.0 and below
InstantOS 8.10.0.4 and below
InstantOS 8.6.0.19 and below
InstantOS 6.5.4.23 and below
InstantOS 6.4.4.8-4.2.4.20 and below
InstantOS 8.9.x (EoL)
InstantOS 8.8.x (EoL)
InstantOS 8.7.x (EoL)
InstantOS 8.5.x (EoL)
InstantOS 8.4.x (EoL)
Security patches addressing the critical vulnerabilities have been released in the following versions:
ArubaOS 10.4.0.0 and above
Aruba InstantOS 8.11.0.0 and above
Aruba InstantOS 8.10.0.5 and above
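Checking an AP inventory against the version lists above by eye is error-prone, particularly for the hyphenated 6.4.x builds and the EoL branches that will never receive a patch. The following is an added example (not Aruba's code or tooling) that classifies each firmware build as vulnerable, vulnerable-and-EoL, not affected, or not covered by the advisory. The version ceilings are copied from the affected-version list; the inventory at the bottom is constructed sample data.

```python
"""Triage Aruba AP firmware versions against the affected ranges in ARUBA-PSA-2023-006.

Added example (not Aruba's code or tooling). The version ceilings are copied from the
advisory text; SAMPLE_INVENTORY is constructed sample data, not real device output.
"""
import re
from typing import Dict, List, Tuple

# Highest affected build per (OS, branch), from the "affects the following versions" list.
# A build above its ceiling is outside the affected range; an EoL branch has no fixed build.
AFFECTED_CEILINGS = {
    ("ArubaOS", (10,)): "10.3.1.0",
    ("InstantOS", (8, 10)): "8.10.0.4",
    ("InstantOS", (8, 6)): "8.6.0.19",
    ("InstantOS", (6, 5)): "6.5.4.23",
    ("InstantOS", (6, 4)): "6.4.4.8-4.2.4.20",
}
EOL_BRANCHES = {("InstantOS", (8, 9)), ("InstantOS", (8, 8)), ("InstantOS", (8, 7)),
                ("InstantOS", (8, 5)), ("InstantOS", (8, 4))}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.10.0.4' or '6.4.4.8-4.2.4.20' into an int tuple that compares lexicographically.

    The hyphenated 6.4.x form carries two version strings; keeping every component in order
    means 6.4.4.8-4.2.4.21 sorts above 6.4.4.8-4.2.4.20, which is what the advisory intends.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"no numeric version components in {version!r}")
    return parts


def assess(os_name: str, version: str) -> str:
    """Classify one build: VULNERABLE, VULNERABLE_EOL, NOT_AFFECTED or UNKNOWN."""
    v = parse_version(version)
    # ArubaOS 10 is tracked as one major release; InstantOS by major.minor branch.
    branch = v[:1] if os_name == "ArubaOS" else v[:2]
    key = (os_name, branch)
    if key in EOL_BRANCHES:
        return "VULNERABLE_EOL"          # no patched build exists; workaround only
    if os_name == "InstantOS" and v[0] == 8 and v[1] >= 11:
        return "NOT_AFFECTED"            # advisory: InstantOS 8.11.0.0 and above is patched
    ceiling = AFFECTED_CEILINGS.get(key)
    if ceiling is None:
        return "UNKNOWN"                 # branch not covered by the advisory text
    return "VULNERABLE" if v <= parse_version(ceiling) else "NOT_AFFECTED"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group AP names by status so the ones needing a patch or workaround stand out."""
    groups: Dict[str, List[str]] = {}
    for ap_name, os_name, version in inventory:
        groups.setdefault(assess(os_name, version), []).append(ap_name)
    return groups


# Constructed inventory for demonstration only.
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "ArubaOS", "10.3.1.0"),
    ("ap-lobby-02", "ArubaOS", "10.4.0.0"),
    ("ap-floor2-01", "InstantOS", "8.10.0.4"),
    ("ap-floor2-02", "InstantOS", "8.11.1.0"),
    ("ap-warehouse", "InstantOS", "8.9.0.3"),
    ("ap-legacy", "InstantOS", "6.4.4.8-4.2.4.20"),
]

if __name__ == "__main__":
    for status, aps in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15} {', '.join(aps)}")
```

Builds on a branch the advisory does not mention come back as UNKNOWN rather than being silently treated as safe; those should be checked against the vendor advisory linked at the end of this page before being excluded from the patch list.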
Users and administrators of affected product versions are advised to upgrade to the latest versions immediately.
Users and administrators of affected products that have reached EoL (for which no patched release is available), or that cannot be upgraded immediately, are advised to apply the following workarounds:
Enable "cluster-security" for Aruba InstantOS devices running 8.x or 6.x code
Block access to port UDP/8211 from all untrusted networks for ArubaOS 10 devices
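Blocking UDP/8211 from untrusted networks is only useful if you can confirm the block holds and see attempts that reach the APs. The following is an added example (not Aruba's tooling) that sweeps flow records for UDP/8211 traffic whose source lies outside the trusted management and AP networks, and emits the corresponding drop rule for a Linux nftables gateway placed in front of the APs. The key=value flow-log format, the trusted ranges and the table/chain names are assumptions for the example; the sample records are constructed.

```python
"""Detect PAPI (UDP/8211) traffic reaching APs from untrusted networks and emit the
matching upstream block rule.

Added example, not Aruba's tooling. The flow-log layout below is a constructed key=value
format; adapt FLOW_RE to your firewall or NetFlow collector export. TRUSTED_NETS is an
assumed management/AP address range. IPv4 only.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

PAPI_PORT = 8211
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

# Assumed trusted ranges: controller/management and AP subnets. Anything else is untrusted.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_trusted(src: str, trusted_nets=TRUSTED_NETS) -> bool:
    """True if the source address falls inside any trusted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in trusted_nets)


def find_untrusted_papi(lines: Iterable[str], trusted_nets=TRUSTED_NETS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for every UDP/8211 flow whose source is outside trusted_nets.

    Malformed lines and unparsable addresses are skipped rather than raising, so one bad
    export line does not abort a sweep over a large log.
    """
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        if m["proto"].lower() != "udp" or int(m["dport"]) != PAPI_PORT:
            continue
        try:
            if is_trusted(m["src"], trusted_nets):
                continue
        except ValueError:
            continue
        hits.append((m["ts"], m["src"], m["dst"]))
    return hits


def nft_block_rule(trusted_nets=TRUSTED_NETS) -> str:
    """nftables forward-chain rule for a Linux gateway in front of the APs: drop UDP/8211
    unless the source is in a trusted network. Assumes an existing 'inet filter' table
    with a 'forward' chain (hypothetical names for the example)."""
    allow = ", ".join(str(n) for n in trusted_nets)
    return f"nft add rule inet filter forward ip saddr != {{ {allow} }} udp dport {PAPI_PORT} drop"


# Constructed sample flow records; RFC 5737 documentation addresses stand in for attackers.
SAMPLE_FLOWS = """\
2023-05-12T09:58:11Z src=10.20.0.15 dst=10.20.1.40 proto=udp dport=8211 bytes=640
2023-05-12T09:58:12Z src=203.0.113.77 dst=10.20.1.40 proto=udp dport=8211 bytes=1480
2023-05-12T09:58:13Z src=203.0.113.77 dst=10.20.1.40 proto=tcp dport=443 bytes=300
2023-05-12T09:58:14Z src=198.51.100.9 dst=10.20.1.41 proto=udp dport=8211 bytes=1480
2023-05-12T09:58:15Z src=192.168.5.5 dst=10.20.1.41 proto=udp dport=8211 bytes=512
this line is not a flow record
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst in find_untrusted_papi(SAMPLE_FLOWS):
        print(f"ALERT {ts} PAPI traffic from untrusted {src} -> {dst}")
    print(nft_block_rule())
```

Any hit after the block rule is deployed means the rule is not on the path the traffic actually takes (for example a second uplink or an internal segment that is not in TRUSTED_NETS but is also not filtered), which is exactly the gap an attacker needs. Note that "cluster-security" applies to InstantOS only; for ArubaOS 10 the network-level block is the only interim protection.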
More information is available here:
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt