Aruba Networks has released patches and mitigations for 14 security vulnerabilities, three of which are rated critical.
In an advisory, Aruba said the vulnerabilities affect access points running ArubaOS 10.5 and 10.4 branches, and InstantOS 8.11, 8.10 and 8.6 branches.
The operating systems’ handling of the Process Application Programming Interface (PAPI) protocol gives rise to two vulnerabilities, CVE-2023-45614 and CVE-2023-45615 (both carrying a CVSS score of 9.8).
These are buffer overflows in the CLI that could give unauthenticated attackers remote code execution (RCE) as a privileged user, by sending crafted packets to PAPI over UDP port 8211.
CVE-2023-45616 (CVSS 9.8) is also a buffer overflow over PAPI, this time in the AirWave client service, and also gives an unauthenticated attacker RCE.
CVE-2023-45617 and CVE-2023-45618 (CVSS 8.2) are arbitrary file deletion vulnerabilities in the OS and the AirWave client.
An unauthenticated attacker can cause denial of service (DoS) by deleting operating system files.
CVE-2023-45619 (CVSS 8.2) is the same vulnerability if an access point’s received signal strength indicator (RSSI) service is accessed over PAPI.
Other CVEs applying to the PAPI protocol include two unauthenticated DoS bugs (CVE-2023-45620 and CVE-2023-45621); one DoS vulnerability if the Bluetooth low energy (BLE) daemon is accessed over PAPI (CVE-2023-45622); another DoS bug in the wi-fi uplink service over PAPI (CVE-2023-45623); in the soft AP daemon (CVE-2023-45624), authenticated RCE in the OSs’ CLI (CVE-2023-45625), a lower-rated RCE (CVE-2023-45626), and an authenticated DoS bug in the CLI (CVE-2023-45627).
Many of the vulnerabilities can be mitigated by enabling cluster security on affected InstantOS devices running 8.x or 6.x code.
This won’t work for ArubaOS 10 devices, for which access to UDP port 8211 should be blocked.