HPE Aruba is warning of several security vulnerabilities in ArubaOS, the operating system for the company's switches. Several of them are rated high risk and allow attackers to inject commands.
As HPE Aruba's engineers write in their security advisory, logged-in users can inject commands via the ArubaOS command line interface; these are executed with elevated privileges (CVE-2024-1356, CVE-2024-25611, CVE-2024-25612, CVE-2024-25613; CVSS 7.2, high). Logged-in users can also delete arbitrary files via the command line interface and thereby provoke denial-of-service situations (CVE-2024-25614, CVSS 5.5, medium).
Numerous vulnerabilities in ArubaOS
In addition, the Spectrum service, which is accessible via the PAPI protocol, can be disabled from the network without prior login (CVE-2024-25615, CVSS 5.3, medium). Sensitive information can leak during IKE_AUTH negotiation under certain circumstances and with certain unspecified ArubaOS configurations (CVE-2024-25616, CVSS 3.7, low).
Versions 10.5.1.0, 10.4.1.0, 8.11.2.1 and 8.10.0.10 and later fix the vulnerabilities. The vulnerable branches 10.3, 8.9, 8.8, 8.7, 8.6, 6.5.4, SD-WAN 8.7.0.0-2.3.0 and 8.6.0.4-2.2 have reached end of support and will no longer receive updates.
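A small triage helper for checking an installed ArubaOS version against the fixed and end-of-support branches listed above. This is an added example, not HPE Aruba code; the version lists come from the advisory summary, while the function and status names are assumptions of this example, and the SD-WAN version format (e.g. 8.7.0.0-2.3.0) is deliberately left out of scope.

```python
"""Classify an ArubaOS version string against the advisory's fix table.
Added example (not vendor code). Version data is taken from the article;
status names ('fixed', 'vulnerable', ...) are this example's own choice."""
from typing import Tuple

# First fixed release per branch; the branch key is the first two components.
FIXED_RELEASES = {
    (10, 5): (10, 5, 1, 0),
    (10, 4): (10, 4, 1, 0),
    (8, 11): (8, 11, 2, 1),
    (8, 10): (8, 10, 0, 10),
}

# Branches that are end of support and will not receive a fix.
# 6.5.4 is given as a three-component branch, so key lengths vary.
END_OF_SUPPORT = [(10, 3), (8, 9), (8, 8), (8, 7), (8, 6), (6, 5, 4)]


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted ArubaOS version such as '8.10.0.10' into a tuple of ints.
    SD-WAN style strings ('8.7.0.0-2.3.0') are rejected (assumption: out of scope)."""
    if "-" in version:
        raise ValueError(f"SD-WAN version format not supported: {version}")
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected version format: {version}")
    return parts


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'end-of-support' or 'unknown'."""
    v = parse_version(version)
    for branch in END_OF_SUPPORT:
        if v[: len(branch)] == branch:
            return "end-of-support"  # no update will ever arrive: migrate
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory summary
    # Pad to four components so that '8.11.2' compares like '8.11.2.0'.
    padded = v + (0,) * (4 - len(v))
    return "fixed" if padded >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, one version per device.
    for sample in ["8.10.0.9", "8.10.0.10", "10.5.1.2", "8.8.0.1", "10.6.0.0"]:
        print(f"{sample:>10} -> {classify(sample)}")
```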
HPE Aruba again recommends restricting access to the web-based management interface and the command line interface to a dedicated Layer 2 network segment/VLAN, or to trusted machines via firewall policies at Layer 3 and above. This reduces the likelihood that attackers can exploit the vulnerabilities in the administration interface and command line interface.
Aruba had already warned about code injection vulnerabilities in ClearPass Manager about a week ago. The developers classified some of them as critical.
(dmk)