HPE Aruba Networking, ArubaOS’unun çeşitli sürümlerini etkileyen kritik RCE açıkların için güncelleme yayınladı.
Etkilenen ürünler aşağıdaki gibi:
- HPE Aruba Networking Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed by Aruba Central.
- ArubaOS 10.5.1.0 and below, 10.4.1.0 and older, 8.11.2.1 and below, and 8.10.0.10 and older.
- All versions of ArubaOS and SD-WAN that have reached EoL. This includes ArubaOS below 10.3, 8.9, 8.8, 8.7, 8.6, 6.5.4, and SD-WAN 2.3.0 through 8.7.0.0 and 2.2 through 8.6.0
Zafiyetler:
- CVE-2024-26305 – Flaw in ArubaOS’s Utility daemon allowing an unauthenticated attacker to execute arbitrary code remotely by sending specially crafted packets to the PAPI (Aruba’s access point management protocol) UDP port (8211).
- CVE-2024-26304 – Flaw in the L2/L3 Management service, permitting unauthenticated remote code execution through crafted packets sent to the PAPI UDP port.
- CVE-2024-33511 – Vulnerability in the Automatic Reporting service that can be exploited by sending specially crafted packets to the PAPI protocol port to allow unauthenticated attackers to execute arbitrary code remotely.
- CVE-2024-33512 – Flaw allowing unauthenticated remote attackers to execute code by exploiting a buffer overflow in the Local User Authentication Database service accessed via the PAPI protocol.
Zafiyetin giderildiği sürümler:
- ArubaOS 10.6.0.0 and above
- ArubaOS 10.5.1.1 and above
- ArubaOS 10.4.1.1 and above
- ArubaOS 8.11.2.2 and above
- ArubaOS 8.10.0.11 and above
