- HPE releases patch for six serious security vulnerabilities
- The bugs affected multiple products, and could be used in destructive cyberattacks
- Patching is advised, but workarounds are available
Two critical security bugs were found plaguing Hewlett Packard Enterprise (HPE) endpoints, the company has confirmed, as it released a patch and follow-up security advisory.
As per the bulletin, multiple Aruba Networking Access Points (AP), powered by thee Instant AOS-8 and AOS-10 operating systems, were vulnerable to a total of six flaws, which allowed crooks to mount authenticated remote command execution attacks, create arbitrary files, perform unauthenticated command injection, and more.
Of the six, two were particularly dangerous: CVE-2024-42509, and CVE-2024-47460. These were assigned severity scores 9.8 and 9.0, and could have been abused by sending specially crafted packets to Aruba’s Access Point management protocol (PAPI).
End of life
The remaining four vulnerabilities are tracked as CVE-2024-47461, CVE-2024-47462, CVE-2024-47463, and CVE-2024-47464.
All of them plague AOS-10.4.x.x: 10.4.1.4 and older releases, Instant AOS-8.12.x.x: 8.12.0.2 and below, and Instant AOS-8.10.x.x: 8.10.0.13 and older versions.
If your product is older, and isn’t among the ones listed here, then it’s likely reached its end-of-life status and as such will not be patched. In such cases, HPE advises users to replace the instance with a newer model that is still supported.
Those who are still under HPE’s support should update their access points to these versions:
AOS-10.7.x.x: Update to version 10.7.0.0 and later.
AOS-10.4.x.x: Update to version 10.4.1.5 or later.
Instant AOS-8.12.x.x: Update to version 8.12.0.3 or newer.
Instant AOS-8.10.x.x: Update to version 8.10.0.14 or above
There are also workarounds for those who cannot install the patch immediately, which include blocking access to UDP port 8211 from all untrusted networks, restricting access to the CLI and web-based management interfaces, and controlling access with firewall policies at layer 3 and higher.
At press time, there was no evidence of in-the-wild abuse.
Via BleepingComputer
English