HPE unveils a critical security bug affecting network access points

By James On Nov 8, 2024

HPE releases patch for six serious security issues
The bugs affected multiple products and could be used in destructive cyber attacks
Patching is advised, but solutions are available

Two critical security bugs have been found affecting Hewlett Packard Enterprise (HPE) endpoints, the company has confirmed, issuing a patch and follow-up security advisory.

According to the bulletin, multiple Aruba Networking Access Points (AP), powered by the Instant AOS-8 and AOS-10 operating systems, were vulnerable to a total of six flaws, allowing criminals to conduct authentic remote attacks and carry out arbitrary attacks. files, perform unauthenticated command injection and more.

Of the six, two were particularly dangerous: CVE-2024-42509 and CVE-2024-47460. These were assigned severity scores of 9.8 and 9.0 and could have been exploited by sending specially crafted packets to Aruba’s Access Point Management Protocol (PAPI).

End of life

The remaining four vulnerabilities are tracked as CVE-2024-47461, CVE-2024-47462, CVE-2024-47463, and CVE-2024-47464.

They all bully AOS-10.4.xx: 10.4.1.4 and older releases, Instant AOS-8.12.xx: 8.12.0.2 and lower, and Instant AOS-8.10.xx: 8.10.0.13 and older versions.

If your product is older and not one of those listed here, it has likely reached end-of-life status and will therefore no longer be patched. In such cases, HPE recommends that users replace the instance with a newer model that is still supported.

Those still supported by HPE should update their access points to these versions:

AOS-10.7.xx: Update to version 10.7.0.0 and higher.
AOS-10.4.xx: Update to version 10.4.1.5 or later.
Instant AOS-8.12.xx: Update to version 8.12.0.3 or newer.
Instant AOS-8.10.xx: Update to version 8.10.0.14 or later

There are also workarounds for those who cannot immediately install the patch, including blocking access to UDP port 8211 from all untrusted networks, restricting access to the CLI and web-based management interfaces, and controlling access with firewall policies at layer 3 and above.

At the time of writing, there was no evidence of abuse in the wild.

Via BleepingComputer