Aruba Networks fixes 6 critical vulnerabilities in ArubaOS
March 2, 2023
Aruba Networks fixes 6 critical vulnerabilities in ArubaOS
Aruba Networks issued a security advisory regarding six critical-severity vulnerabilities affecting multiple versions of ArubaOS, its proprietary network operating system.
Aruba’s critical vulnerabilities are divided into two categories: command injection vulnerabilities and stack-based buffer vulnerabilities in the PAPI protocol (Aruba Networks access point management protocol).
The Critical Vulnerabilities
- CVE-2023-22747 (CVSS V3.1 score: 9.8)
- CVE-2023-22748 (CVSS V3.1 score: 9.8)
- CVE-2023-22749 (CVSS V3.1 score: 9.8)
- CVE-2023-22750 (CVSS V3.1 score: 9.8)
- CVE-2023-22751 (CVSS V3.1 score: 9.8)
- CVE-2023-22752 (CVSS V3.1 score: 9.8)
Unauthenticated remote threat actors can exploit these vulnerabilities by sending specially crafted packets to the PAPI via UDP port 8211, resulting in arbitrary code execution as a privileged user on ArubaOS.
Vulnerable Products
- ArubaOS 8.6.0.19 and below.
- ArubaOS 8.10.0.4 and below.
- ArubaOS 10.3.1.0 and below.
- SD-WAN 8.7.0.0-2.3.0.8 and below.
Mitigation
CYREBRO recommends updating relevant products to the latest available releases in accordance with Aruba’s Advisory.
References: Aruba’s Advisory