HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: HPESBNW04678
CVE: CVE-2023-48795, CVE-2023-51385, CVE-2024-42393, CVE-2024-42394,
     CVE-2024-42395, CVE-2024-42396, CVE-2024-42397, CVE-2024-42398,
     CVE-2024-42399, CVE-2024-42400
Publication Date: 2024-Aug-06
Last Updated: 2025-Mar-14
Status: Confirmed
Severity: Critical
Revision: 3

Title
=====
HPE Aruba Networking Access Points Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for Aruba Access Points running
AOS-8 Instant and AOS-10 AP that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Aruba Access Points running AOS-8 Instant and AOS-10 AP

Affected Software Version(s):
- AOS-10 AP 10.6.x.x: 10.6.0.0 and below
- AOS-10 AP 10.4.x.x: 10.4.1.3 and below
- AOS-8 Instant 8.12.x.x: 8.12.0.1 and below
- AOS-8 Instant 8.10.x.x: 8.10.0.12 and below

The following software versions that are End of Maintenance are affected
by these vulnerabilities and are not addressed by this advisory:
- AOS-10 AP 10.5.x.x: all
- AOS-10 AP 10.3.x.x: all
- AOS-8 Instant 8.11.x.x: all
- AOS-8 Instant 8.9.x.x: all
- AOS-8 Instant 8.8.x.x: all
- AOS-8 Instant 8.7.x.x: all
- AOS-8 Instant 8.6.x.x: all
- AOS-8 Instant 8.5.x.x: all
- AOS-8 Instant 8.4.x.x: all
- AOS-8 Instant 6.5.x.x: all
- AOS-8 Instant 6.4.x.x: all

HPE Aruba Networking strongly recommends all customers running
End-of-Maintenance software to upgrade to a supported version as soon as
possible.

Unaffected Products
===================
HPE Aruba Networking Mobility Conductor, Mobility Controllers, and SD-WAN
Gateways are not affected by these vulnerabilities. HPE Networking Instant
On is also not affected by these vulnerabilities.

Any other supported software versions not listed under the Affected
Products section of this advisory are not known to be affected by the
disclosed vulnerabilities.
Details
=======

Unauthenticated Stack-Based Buffer Overflow Remote Command Execution (RCE)
in the Soft AP Daemon Service Accessed by the PAPI Protocol
(CVE-2024-42393, CVE-2024-42394)
----------------------------------------------------------------------
There are vulnerabilities in the Soft AP Daemon Service which could allow
a threat actor to execute an unauthenticated RCE attack. Successful
exploitation could allow an attacker to execute arbitrary commands on the
underlying operating system leading to complete system compromise.

Internal References: ATLWL-472, ATLWL-471
Severity: Critical
CVSSv3.x Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: These vulnerabilities were discovered and reported by zzcentury
from Ubisectech Sirius Team (https://www.ubisectech.com/) via HPE Aruba
Networking's bug bounty program.

Resolution: These vulnerabilities do not affect Access Points running
AOS-10 AP, 10.x. To address the vulnerabilities described in this detail
section, it is recommended to upgrade the Access Points to one of the
following versions (as applicable):
- AOS-8 Instant 8.12.x.x: 8.12.0.2 and above
- AOS-8 Instant 8.10.x.x: 8.10.0.13 and above

Workaround: Enabling cluster-security via the cluster-security command
will prevent the vulnerabilities from being exploited in AOS-8 Instant
devices or InstantOS 6.x code.

Unauthenticated Stack-Based Buffer Overflow Remote Command Execution (RCE)
in the AP Certificate Management Service Accessed by the PAPI Protocol
(CVE-2024-42395)
----------------------------------------------------------------------
There is a vulnerability in the AP Certificate Management Service which
could allow a threat actor to execute an unauthenticated RCE attack.
Successful exploitation could allow an attacker to execute arbitrary
commands on the underlying operating system leading to complete system
compromise.
Internal References: ATLWL-467
Severity: Critical
CVSSv3.x Overall Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Discovery: This vulnerability was discovered and reported by zzcentury
from Ubisectech Sirius Team (https://www.ubisectech.com/) via HPE Aruba
Networking's bug bounty program.

Resolution: This vulnerability does not affect Access Points running
AOS-10 AP, 10.x. To address the vulnerability described in this detail
section, it is recommended to upgrade the Access Points to one of the
following versions (as applicable):
- AOS-8 Instant 8.12.x.x: 8.12.0.2 and above
- AOS-8 Instant 8.10.x.x: 8.10.0.13 and above

Workaround: Enabling cluster-security via the cluster-security command
will prevent the vulnerability from being exploited in AOS-8 Instant
devices or InstantOS 6.x code.

Authenticated Remote Command Execution in the AOS-8 Instant and AOS-10 AP
SSH Daemon (CVE-2023-51385)
---------------------------------------------------------------------
In OpenSSH before 9.6, OS command injection might occur if a user name or
host name has shell metacharacters, and this name is referenced by an
expansion token in certain situations. For example, an untrusted Git
repository can have a submodule with shell metacharacters in a user name
or host name. The impact of this vulnerability on AOS-8 Instant and
AOS-10 AP running on HPE Aruba Networking Access Points has not been
confirmed, but the version of OpenSSH has been upgraded for mitigation.

Internal Reference: ATLWL-464
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Reporter: This vulnerability was originally reported by Vinci. Further
details can be found at: https://nvd.nist.gov/vuln/detail/CVE-2023-51385

Resolution: A permanent resolution for HPE Aruba Networking Access Points
running AOS-8 Instant and AOS-10 AP is still pending. This advisory will
be updated as new information becomes available.
For mitigation details, please refer to the workaround section below.

Workaround: To mitigate this specific vulnerability, please follow the
two-step procedure outlined below:
(1) Upgrade the Access Point(s) to one of the following versions (as
    applicable):
    - AOS-10 AP 10.6.x.x: 10.6.0.1 and above
    - AOS-10 AP 10.4.x.x: 10.4.1.4 and above
    - AOS-8 Instant 8.12.x.x: 8.12.0.2 and above
    - AOS-8 Instant 8.10.x.x: 8.10.0.13 and above
(2) Execute the cli command 'ssh disable-ciphers aes-cbc'

Note: For AOS-10 AP or IAPs managed by HPE Aruba Networking Central, users
must use an API to make configuration changes.

This procedure will eliminate the conditions necessary for the attack to
succeed. In addition, to minimize the likelihood of an attacker exploiting
this vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Integrity Check Bypass in AOS-8 Instant or AOS-10 AP OpenSSH ("Terrapin"
attack) (CVE-2023-48795)
---------------------------------------------------------------------
The SSH transport protocol with certain OpenSSH extensions, found in
OpenSSH before 9.6, allows remote attackers to bypass integrity checks
such that some packets are omitted (from the extension negotiation
message), and a client and server may consequently end up with a
connection for which some security features have been downgraded or
disabled, aka a Terrapin attack. The impact of this vulnerability on HPE
Aruba Networking Access Points has not been confirmed, but the version of
OpenSSH in AOS-8 Instant and AOS-10 AP software has been upgraded for
mitigation.
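Both OpenSSH items rely on the same workaround step, 'ssh disable-ciphers
aes-cbc', and on the upgraded OpenSSH build. The script below is an added
example for this page; it is not part of the advisory and not HPE Aruba
Networking code. It parses the SSH_MSG_KEXINIT that an SSH server sends
immediately after the version banner (RFC 4253) and reports three things a
practitioner would check after applying the workaround: which CBC ciphers the
server still offers, whether a Terrapin-usable mode is still negotiable
(chacha20-poly1305@openssh.com, or a CBC cipher together with an
Encrypt-then-MAC MAC), and whether the server advertises strict key exchange
(kex-strict-s-v00@openssh.com), the OpenSSH 9.6 countermeasure for
CVE-2023-48795. The two sample packets are constructed for the example and are
not captures from an Access Point; fetch_server_kexinit reads a live packet
from a management host that can reach the AP's SSH port and is the only part
that needs network access.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _read_name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length, comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [x for x in names.split(",") if x], off + n

def parse_kexinit(packet):
    """Split an unencrypted KEXINIT binary packet (RFC 4253 s.6 and s.7.1)
    into its ten name-lists; any bytes after the packet are ignored."""
    (packet_len,) = struct.unpack_from(">I", packet, 0)
    padding_len = packet[4]
    payload = packet[5:4 + packet_len - padding_len]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT packet")
    off = 1 + 16  # message byte + 16-byte random cookie
    out = {}
    for name in FIELDS:
        out[name], off = _read_name_list(payload, off)
    return out

def terrapin_exposure(kexinit, side="s"):
    """CVE-2023-48795 conditions visible in one peer's KEXINIT. side="s" for a
    server packet (kex-strict-s-v00@openssh.com), "c" for a client packet."""
    ciphers = set(kexinit["enc_c2s"]) | set(kexinit["enc_s2c"])
    macs = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    cbc = sorted(c for c in ciphers if c.endswith("-cbc"))
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    etm = any(m.endswith("-etm@openssh.com") for m in macs)
    strict = "kex-strict-%s-v00@openssh.com" % side in kexinit["kex"]
    return {
        "cbc_ciphers": cbc,  # 'ssh disable-ciphers aes-cbc' should empty this
        "chacha20": chacha,
        "etm_macs": etm,
        "strict_kex": strict,
        # Terrapin needs ChaCha20-Poly1305, or CBC with an EtM MAC, and no
        # strict kex; strict kex protects a session only if the peer has it too.
        "exposed": (chacha or (bool(cbc) and etm)) and not strict,
    }

def build_kexinit(lists, cookie=bytes(16)):
    """Encode a KEXINIT binary packet; used here to construct sample input."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(body)) + body
    payload += b"\x00" + bytes(4)  # first_kex_packet_follows=FALSE, reserved
    padding_len = 8 - (len(payload) + 5) % 8  # >= 4 bytes, total % 8 == 0
    if padding_len < 4:
        padding_len += 8
    return (struct.pack(">IB", len(payload) + padding_len + 1, padding_len)
            + payload + bytes(padding_len))

def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Read a live server KEXINIT; it is the first packet after the version
    line and is sent in the clear. Not used by the samples below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexinit_check\r\n")
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("closed before version exchange")
            buf += chunk
            end = buf.find(b"\r\n")
            while end != -1 and not buf.startswith(b"SSH-"):
                buf = buf[end + 2:]  # skip pre-banner lines (RFC 4253 s.4.2)
                end = buf.find(b"\r\n")
            if end != -1:
                buf = buf[end + 2:]  # drop the version line, keep packet bytes
                break
        while len(buf) < 4 or len(buf) < 4 + struct.unpack_from(">I", buf, 0)[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("closed before KEXINIT was complete")
            buf += chunk
        return buf

def _sample(kex, enc):  # constructed sample packets, not AP captures
    return build_kexinit({"kex": kex, "hostkey": ["ssh-ed25519"],
                          "enc_c2s": enc, "enc_s2c": enc,
                          "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
                          "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
                          "comp_c2s": ["none"], "comp_s2c": ["none"]})

# Before: CBC still offered and no strict kex. After 'ssh disable-ciphers
# aes-cbc' on a strict-kex OpenSSH: ChaCha20 still offered, but not exploitable.
BEFORE_WORKAROUND = _sample(["curve25519-sha256"],
    ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes128-cbc", "aes256-cbc"])
AFTER_WORKAROUND = _sample(["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
    ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com"])
```

Run terrapin_exposure(parse_kexinit(fetch_server_kexinit("ap-mgmt-address")))
against an AP from the management VLAN: cbc_ciphers should be empty once the
workaround is in place, and strict_kex should be True on the upgraded build.
A management client that does not itself advertise kex-strict-c-v00@openssh.com
still negotiates an unprotected session, so check the client side too.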
Internal References: ATLWL-465
Severity: Medium
CVSSv3.x Overall Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Further details can be found at:
https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Discovery: This vulnerability was discovered by Fabian Baeumer, Marcus
Brinkmann, and Joerg Schwenk.

Resolution: A permanent resolution for HPE Aruba Networking Access Points
running AOS-8 Instant and AOS-10 AP is still pending. This advisory will
be updated as new information becomes available. For mitigation details,
please refer to the workaround section below.

Workaround: To mitigate this specific vulnerability, please follow the
two-step procedure outlined below:
(1) Upgrade the Access Point(s) to one of the following versions (as
    applicable):
    - AOS-10 AP 10.6.x.x: 10.6.0.1 and above
    - AOS-10 AP 10.4.x.x: 10.4.1.4 and above
    - AOS-8 Instant 8.12.x.x: 8.12.0.2 and above
    - AOS-8 Instant 8.10.x.x: 8.10.0.13 and above
(2) Execute the cli command 'ssh disable-ciphers aes-cbc'

Note: For AOS-10 AP or IAPs managed by HPE Aruba Networking Central, users
must use an API to make configuration changes.

Note: Disabling the CBC ciphers removes only the CBC-with-Encrypt-then-MAC
variant of the Terrapin attack. The chacha20-poly1305@openssh.com variant
is closed by the strict key exchange extension (kex-strict-*-v00@openssh.com)
in the upgraded OpenSSH, which protects a session only when the connecting
client also supports it; management clients should therefore run OpenSSH
9.6 or a later patched release.

This procedure will eliminate the conditions required for the attack to
succeed. Additionally, to minimize the likelihood of an attacker exploiting
this vulnerability, HPE Aruba Networking recommends that the CLI and
web-based management interfaces be restricted to a dedicated layer 2
segment/VLAN and/or controlled by firewall policies at layer 3 and above.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the AP
Certificate Management Service Accessed by the PAPI Protocol
(CVE-2024-42396, CVE-2024-42397)
----------------------------------------------------------------------
Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in
the AP Certificate Management daemon accessed via the PAPI protocol.
Successful exploitation of these vulnerabilities results in the ability to
interrupt the normal operation of the affected Access Point.
Internal References: ATLWL-470, ATLWL-468
Severity: Medium
CVSSv3.x Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery: These vulnerabilities were discovered and reported by zzcentury
from Ubisectech Sirius Team (https://www.ubisectech.com/) via HPE Aruba
Networking's bug bounty program.

Resolution: These vulnerabilities do not affect Access Points running
AOS-10 AP, 10.x. To address the vulnerabilities described in this detail
section, it is recommended to upgrade the Access Points to one of the
following versions (as applicable):
- AOS-8 Instant 8.12.x.x: 8.12.0.2 and above
- AOS-8 Instant 8.10.x.x: 8.10.0.13 and above

Workaround: Enabling cluster-security via the cluster-security command
will prevent the vulnerabilities from being exploited in AOS-8 Instant
devices or InstantOS 6.x code.

Unauthenticated Denial-of-Service (DoS) Vulnerabilities in the Soft AP
Daemon Service Accessed by the PAPI Protocol (CVE-2024-42398,
CVE-2024-42399, CVE-2024-42400)
----------------------------------------------------------------------
Multiple unauthenticated Denial-of-Service (DoS) vulnerabilities exist in
the Soft AP daemon accessed via the PAPI protocol. Successful exploitation
of these vulnerabilities results in the ability to interrupt the normal
operation of the affected Access Point.

Internal References: ATLWL-474, ATLWL-469, ATLWL-457
Severity: Medium
CVSSv3.x Overall Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery: These vulnerabilities were discovered and reported by zzcentury
from Ubisectech Sirius Team (https://www.ubisectech.com/) via HPE Aruba
Networking's bug bounty program.
Resolution: To address the vulnerabilities described in this detail
section, it is recommended to upgrade the Access Points to one of the
following versions (as applicable):
- AOS-10 AP 10.6.x.x: 10.6.0.1 and above
- AOS-10 AP 10.4.x.x: 10.4.1.4 and above
- AOS-8 Instant 8.12.x.x: 8.12.0.2 and above
- AOS-8 Instant 8.10.x.x: 8.10.0.13 and above

Workaround: Enabling cluster-security via the cluster-security command
will prevent these vulnerabilities from being exploited in AOS-8 Instant
devices or InstantOS 6.x code. For AOS-10 AP devices this is not an
option; instead, access to port UDP/8211 (PAPI) must be blocked from all
untrusted networks.

Resolution
==========
For the OpenSSH vulnerabilities (CVE-2023-48795 and CVE-2023-51385),
please refer to the respective vulnerability blocks above for more
details.

For the other vulnerabilities in the affected software branches, we
recommend upgrading the Access Points to one of the following versions,
as applicable:
- AOS-10 AP 10.6.x.x: 10.6.0.1 and above
- AOS-10 AP 10.4.x.x: 10.4.1.4 and above
- AOS-8 Instant 8.12.x.x: 8.12.0.2 and above
- AOS-8 Instant 8.10.x.x: 8.10.0.13 and above

Software versions with resolution/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal.
https://networkingsupport.hpe.com/home/

HPE Aruba Networking does not evaluate or patch AOS-8 Instant and AOS-10
AP software branches that have reached their End of Maintenance (EoM)
milestone. For more information about HPE Aruba Networking products End
of Life Policy visit:
https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========
Vulnerability specific workarounds are listed per vulnerability above. You
may contact HPE Services - Aruba Networking for assistance if needed.

Exploitation and Public Discussion
==================================
CVE-2023-48795 and CVE-2023-51385 are being widely discussed in public.
HPE Aruba Networking is not aware of any active targeting of HPE Aruba
Networking products.
Revision History
================
Revision 1 / 2024-Aug-06 / Initial release

Revision 2 / 2024-Aug-15 / Added InstantOS 8.6.x to EoM Products list.
Changed workarounds to better reflect affected versions.

Revision 3 / 2025-Mar-14 / Updated the Resolution and Workaround sections
for the OpenSSH vulnerabilities (CVE-2023-48795 and CVE-2023-51385), as
well as the general Resolution block in the security advisory.
Additionally, updated the link to the End of Life Policy document and the
rebranded names for InstantOS and ArubaOS 10.x, which are now AOS-8
Instant and AOS-10 AP respectively.

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP. This
advisory may be redistributed freely after the release date given at the
top of the text, provided that the redistributed copies are complete and
unmodified, including all data and version information.