Aruba Networks fixes six critical vulnerabilities in ArubaOS

Aruba Networks has published a security advisory to inform customers about six critical-severity vulnerabilities affecting multiple versions of ArubaOS, its proprietary network operating system.

The flaws affect Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN Gateways and SD-WAN Gateways.

Aruba Networks is a California-based subsidiary of Hewlett Packard Enterprise, specializing in computer networking and wireless connectivity solutions.

The critical flaws addressed by Aruba this time fall into two categories: command injection flaws and stack-based buffer overflow issues in the PAPI protocol (Aruba Networks' access point management protocol).

All flaws were discovered by security analyst Erik de Jong, who reported them to the vendor through the official bug bounty program.

The command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750, with a CVSS v3 rating of 9.8 out of 10.0.

An unauthenticated, remote attacker can leverage them by sending specially crafted packets to the PAPI over UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.

The stack-based buffer overflow bugs are tracked as CVE-2023-22751 and CVE-2023-22752, and also have a CVSS v3 rating of 9.8.

These flaws are exploitable by sending specially crafted packets to the PAPI over UDP port 8211, allowing unauthenticated, remote attackers to run arbitrary code as privileged users on ArubaOS.

The impacted versions are:

  • ArubaOS 8.6.0.19 and below
  • ArubaOS 8.10.0.4 and below
  • ArubaOS 10.3.1.0 and below
  • SD-WAN 8.7.0.0-2.3.0.8 and below

The target upgrade versions, according to Aruba, should be:

  • ArubaOS 8.10.0.5 and above
  • ArubaOS 8.11.0.0 and above
  • ArubaOS 10.3.1.1 and above
  • SD-WAN 8.7.0.0-2.3.0.9 and above

Unfortunately, several product versions that have reached End of Life (EoL) are also affected by these vulnerabilities and will not receive a fixing update. These are:

  • ArubaOS 6.5.4.x
  • ArubaOS 8.7.x.x
  • ArubaOS 8.8.x.x
  • ArubaOS 8.9.x.x
  • SD-WAN 8.6.0.4-2.2.x.x
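To turn the three lists above into an inventory check, here is an added Python example (not Aruba's tooling and not code from the article) that classifies a device's version string as affected, fixed, end-of-life or unlisted, using only the version numbers quoted above; the branch-prefix rule for grouping releases is an assumption of this example.

```python
"""Classify ArubaOS / SD-WAN gateway version strings against the ranges listed
above. Added example, not Aruba's tooling; version numbers are from the article."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Leading components that identify a release branch (assumption): ArubaOS
# "8.10.x.x" is branch (8, 10); SD-WAN "8.7.0.0-2.3.x.x" is (8, 7, 0, 0, 2, 3).
BRANCH_LEN: Dict[str, int] = {"ArubaOS": 2, "SD-WAN": 6}

# Highest affected build on each branch (from the "impacted versions" list).
AFFECTED_CEILING: Dict[str, List[Version]] = {
    "ArubaOS": [(8, 6, 0, 19), (8, 10, 0, 4), (10, 3, 1, 0)],
    "SD-WAN": [(8, 7, 0, 0, 2, 3, 0, 8)],
}
# First fixed build on each branch (from the "target upgrade versions" list).
FIXED_FLOOR: Dict[str, List[Version]] = {
    "ArubaOS": [(8, 10, 0, 5), (8, 11, 0, 0), (10, 3, 1, 1)],
    "SD-WAN": [(8, 7, 0, 0, 2, 3, 0, 9)],
}
# End-of-life branches: affected, and no fix will be published.
EOL_PREFIXES: Dict[str, List[Version]] = {
    "ArubaOS": [(6, 5, 4), (8, 7), (8, 8), (8, 9)],
    "SD-WAN": [(8, 6, 0, 4, 2, 2)],
}


def parse_version(text: str) -> Version:
    """'8.7.0.0-2.3.0.8' -> (8, 7, 0, 0, 2, 3, 0, 8); '8.10.0.4' -> (8, 10, 0, 4)."""
    return tuple(int(p) for chunk in text.split("-") for p in chunk.split("."))


def classify(product: str, text: str) -> str:
    """Return 'eol', 'fixed', 'affected' or 'unlisted' for one device."""
    v, n = parse_version(text), BRANCH_LEN[product]
    if any(v[: len(p)] == p for p in EOL_PREFIXES[product]):
        return "eol"          # affected and will never receive a patch
    if any(v[:n] == f[:n] and v >= f for f in FIXED_FLOOR[product]):
        return "fixed"
    if any(v[:n] == c[:n] and v <= c for c in AFFECTED_CEILING[product]):
        return "affected"     # upgrade to the fixed build on a supported branch
    return "unlisted"         # outside the advisory's ranges; check with the vendor


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map hostname -> status for constructed (hostname, product, version) rows."""
    return {host: classify(product, ver) for host, product, ver in inventory}
```

Devices on the 8.6 branch above 8.6.0.19 come back as "unlisted" because the article names no in-branch fix for them; they still need to move to one of the target upgrade versions.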

A workaround for system administrators who cannot apply the security updates or are using EoL devices is to enable the "Enhanced PAPI Security" mode using a non-default key.

However, applying the mitigations does not address another 15 high-severity and eight medium-severity vulnerabilities listed in Aruba's security advisory, which are fixed by the new versions.

Aruba states that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory, February 28, 2022.
