March 2, 2023

Aruba Networks fixes 6 critical vulnerabilities in ArubaOS

Aruba Networks issued a security advisory regarding six critical-severity vulnerabilities affecting multiple versions of ArubaOS, its proprietary network operating system.

Aruba’s critical vulnerabilities are divided into two categories: command injection vulnerabilities and stack-based buffer vulnerabilities in the PAPI protocol (Aruba Networks access point management protocol).

The Critical Vulnerabilities

• CVE-2023-22747 (CVSS V3.1 score: 9.8)
• CVE-2023-22748 (CVSS V3.1 score: 9.8)
• CVE-2023-22749 (CVSS V3.1 score: 9.8)
• CVE-2023-22750 (CVSS V3.1 score: 9.8)
• CVE-2023-22751 (CVSS V3.1 score: 9.8)
• CVE-2023-22752 (CVSS V3.1 score: 9.8)

Unauthenticated remote threat actors can exploit these vulnerabilities by sending specially crafted packets to the PAPI via UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.

Vulnerable Products

• ArubaOS 8.6.0.19 and below.
• ArubaOS 8.10.0.4 and below.
• ArubaOS 10.3.1.0 and below.
• SD-WAN 8.7.0.0-2.3.0.8 and below.

Mitigation

CYREBRO recommends updating relevant products to the latest available releases in accordance with Aruba’s Advisory.

References: Aruba’s Advisory