HPE Aruba Networking recently addressed critical vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) in its Access Points running Instant AOS-8 and AOS-10 software. These flaws could allow unauthenticated attackers to execute arbitrary code remotely. As a temporary mitigation, enabling “cluster-security” is recommended for Instant AOS-8.x devices, although administrators have raised questions about its performance impact and configuration requirements.
Critical Vulnerabilities Impact
The critical vulnerabilities (CVE-2024-42505, CVE-2024-42506, CVE-2024-42507) discovered in Aruba Access Points carry a severity score of 9.8/10, indicating high risk. They can be exploited by sending specially crafted packets to the PAPI UDP port (8211), allowing unauthenticated attackers to execute arbitrary code as a privileged user. No active exploitation has been reported, but the impact of a successful attack is severe: complete compromise of the device and a foothold for network-wide attacks.
Affected Aruba Devices
The vulnerabilities affect specific versions of Aruba Access Points running Instant AOS-8 and AOS-10 software:
- AOS-10.6.x.x: 10.6.0.2 and below
- AOS-10.4.x.x: 10.4.1.3 and below
- Instant AOS-8.12.x.x: 8.12.0.1 and below
- Instant AOS-8.10.x.x: 8.10.0.13 and below
Notably, Aruba IAP 303 devices are potentially impacted, depending on their software version. Other Aruba products, including Mobility Conductors, Mobility Controllers, and SD-WAN Gateways, are not affected by these vulnerabilities.
Mitigation and Workarounds
To mitigate the critical vulnerabilities, HPE Aruba recommends upgrading to the latest patched versions: AOS-10.7.0.0, AOS-10.6.0.3, AOS-10.4.1.4, Instant AOS-8.12.0.2, or Instant AOS-8.10.0.14. For devices that cannot be immediately updated, temporary workarounds are available. Instant AOS-8.x users should enable “cluster-security” to prevent exploitation attempts, while AOS-10 users are advised to block UDP port 8211 from all untrusted networks. These measures can help protect vulnerable devices until a permanent fix can be applied.
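The affected-version list above and the fixed releases in this section can be turned into an inventory check. The following is an added example written for this page, not HPE Aruba tooling: it classifies each AP's firmware as vulnerable (with the release to install), patched, or on a train the advisory does not list. The hostnames and versions in the sample inventory are constructed.

```python
from typing import Dict, Optional, Tuple

# Per firmware branch: (last affected version, first fixed version), copied from
# the advisory text on this page. AOS-10.7.0.0 is a fixed release with no
# affected range listed, so it is not a branch here.
BRANCHES: Dict[str, Tuple[str, str]] = {
    "10.6": ("10.6.0.2", "10.6.0.3"),
    "10.4": ("10.4.1.3", "10.4.1.4"),
    "8.12": ("8.12.0.1", "8.12.0.2"),
    "8.10": ("8.10.0.13", "8.10.0.14"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'8.10.0.13' -> (8, 10, 0, 13). Tuples compare component-wise, which is
    what we need: '8.10.0.9' must sort below '8.10.0.13' (string order would not)."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected version format: {v!r}")
    return parts

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version_to_install).
    status: 'vulnerable' (upgrade target given), 'patched', or 'unknown-branch'
    for trains the advisory does not list; treat the last one as 'needs review',
    not as safe."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch not in BRANCHES:
        return "unknown-branch", None
    last_affected, first_fixed = BRANCHES[branch]
    if parsed <= parse_version(last_affected):
        return "vulnerable", first_fixed
    return "patched", None

def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every AP in a {hostname: firmware_version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}

# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "iap303-lobby": "8.10.0.12",   # Instant AOS-8.10, affected
    "ap-floor2": "10.6.0.3",       # AOS-10.6, already on the fixed release
    "ap-lab": "10.4.1.3",          # AOS-10.4, last affected build
    "ap-legacy": "8.6.0.4",        # train not covered by the advisory
}

if __name__ == "__main__":
    for host, (status, fix) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status:15} {'upgrade to ' + fix if fix else ''}")
```

An AP reported as unknown-branch is not cleared by this check; it only means the page's version table says nothing about that train.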
Cluster-Security Configuration Steps
To enable “cluster-security” on Aruba Access Points running InstantOS (AOS-8.x), follow these steps:
- Log into the Access Point’s CLI with admin privileges
- Execute the command “cluster-security” to enable the feature
- Verify activation with “show cluster-security”
- Optionally, configure additional settings like passphrase, encryption algorithm, and communication port
- Save changes with “commit apply”
These steps enhance security for inter-AP communication within the cluster, helping mitigate the reported vulnerabilities. However, updating to the latest firmware version remains the recommended long-term solution for addressing these security issues.