Aruba Networks has published a security advisory warning its customers of six critical-severity vulnerabilities in its proprietary network operating system, ArubaOS.
The vulnerabilities impact Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN Gateways and SD-WAN Gateways. The flaws can be classified as command injection and stack-based buffer overflow problems in the PAPI protocol.
An unauthenticated, remote attacker can exploit these vulnerabilities by sending specially crafted packets to the PAPI over UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.
The impacted versions are ArubaOS 8.6.0.19 and below, ArubaOS 8.10.0.4 and below, ArubaOS 10.3.1.0 and below, and SD-WAN 8.7.0.0-2.3.0.8 and below.
Aruba advises its customers to upgrade to the target versions, which are ArubaOS 8.10.0.5 and above, ArubaOS 8.11.0.0 and above, ArubaOS 10.3.1.1 and above, and SD-WAN 8.7.0.0-2.3.0.9 and above.
However, several product versions that have reached End of Life (EoL) are also affected by these vulnerabilities and will not receive a fix. For system administrators who cannot apply the security updates or who are running EoL devices, Aruba recommends a workaround: enable the “Enhanced PAPI Security” mode using a non-default key.
Aruba’s security advisory also lists 15 high-severity and eight medium-severity vulnerabilities that are fixed by the new versions, but the Enhanced PAPI Security workaround does not address these.
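As an added example (not from Aruba or the advisory), the following Python script triages a controller/gateway inventory against the affected and fixed version thresholds quoted above; the host names and versions in the sample inventory are constructed, and a branch the advisory does not list is reported as "unknown" rather than guessed.

```python
# Added example: classify ArubaOS / SD-WAN versions against the thresholds
# stated in the article. Not Aruba's tooling; thresholds copied from the text.

AFFECTED_MAX = {  # (product, branch) -> highest affected version on that branch
    ("ArubaOS", "8.6"): "8.6.0.19",
    ("ArubaOS", "8.10"): "8.10.0.4",
    ("ArubaOS", "10.3"): "10.3.1.0",
    ("SD-WAN", "8.7"): "8.7.0.0-2.3.0.8",
}
FIXED_MIN = {  # (product, branch) -> lowest fixed version on that branch
    ("ArubaOS", "8.10"): "8.10.0.5",
    ("ArubaOS", "8.11"): "8.11.0.0",
    ("ArubaOS", "10.3"): "10.3.1.1",
    ("SD-WAN", "8.7"): "8.7.0.0-2.3.0.9",
}

def parse_version(v):
    """'8.7.0.0-2.3.0.8' -> ((8,7,0,0), (2,3,0,8)); plain versions get an empty suffix.
    SD-WAN builds carry a second dotted group after a hyphen, compared after the first."""
    main, _, suffix = v.partition("-")
    to_tuple = lambda s: tuple(int(x) for x in s.split(".")) if s else ()
    return (to_tuple(main), to_tuple(suffix))

def branch_of(v):
    """Release branch is the first two numeric fields, e.g. '8.10.0.4' -> '8.10'."""
    return ".".join(v.split("-")[0].split(".")[:2])

def classify(product, version):
    """Return 'fixed', 'affected', or 'unknown' (branch not listed in the advisory text)."""
    key = (product, branch_of(version))
    pv = parse_version(version)
    if key in FIXED_MIN and pv >= parse_version(FIXED_MIN[key]):
        return "fixed"
    if key in AFFECTED_MAX and pv <= parse_version(AFFECTED_MAX[key]):
        return "affected"
    return "unknown"  # e.g. 8.6.0.20 or an unlisted branch: consult the advisory

def triage(inventory):
    """inventory: iterable of (hostname, product, version) -> {hostname: status}."""
    return {host: classify(product, ver) for host, product, ver in inventory}

# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE = [
    ("mc-01", "ArubaOS", "8.10.0.4"), ("mc-02", "ArubaOS", "8.10.0.5"),
    ("mc-03", "ArubaOS", "8.6.0.19"), ("mc-04", "ArubaOS", "10.3.1.0"),
    ("mc-05", "ArubaOS", "8.11.0.1"), ("gw-01", "SD-WAN", "8.7.0.0-2.3.0.8"),
    ("gw-02", "SD-WAN", "8.7.0.0-2.3.0.9"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported "unknown" sit on a branch the article gives no threshold for and should be checked against the full advisory rather than assumed safe.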
Aruba has stated that there is no public discussion, exploit code, or active exploitation of these vulnerabilities as of the release date of the advisory, February 28, 2022.