March 2, 2023
Aruba Networks fixes 6 critical vulnerabilities in ArubaOS
Aruba Networks issued a security advisory regarding six critical-severity vulnerabilities affecting multiple versions of ArubaOS, its proprietary network operating system.
Aruba’s critical vulnerabilities are divided into two categories: command injection vulnerabilities and stack-based buffer vulnerabilities in the PAPI protocol (Aruba Networks access point management protocol).
The Critical Vulnerabilities
- CVE-2023-22747 (CVSS V3.1 score: 9.8)
- CVE-2023-22748 (CVSS V3.1 score: 9.8)
- CVE-2023-22749 (CVSS V3.1 score: 9.8)
- CVE-2023-22750 (CVSS V3.1 score: 9.8)
- CVE-2023-22751 (CVSS V3.1 score: 9.8)
- CVE-2023-22752 (CVSS V3.1 score: 9.8)
Unauthenticated remote threat actors can exploit these vulnerabilities by sending specially crafted packets to the PAPI via UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.
- ArubaOS 188.8.131.52 and below.
- ArubaOS 184.108.40.206 and below.
- ArubaOS 10.3.1.0 and below.
- SD-WAN 220.127.116.11-18.104.22.168 and below.
CYREBRO recommends updating relevant products to the latest available releases in accordance with Aruba’s Advisory.
References: Aruba’s Advisory