Arctic Wolf Security Bulletin

Critical RCE Vulnerabilities Impacting HPE Aruba Networking Access Points


On 24 September 2024, Hewlett Packard Enterprise (HPE), the parent company of Aruba Networks, released a security bulletin addressing three critical command injection vulnerabilities affecting Aruba Networking Access Points. These vulnerabilities, identified as CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507, could allow remote unauthenticated attackers to execute code with privileged access. Exploitation is possible by sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port (8211), potentially leading to Remote Code Execution (RCE). 

Arctic Wolf has not observed any exploitation of these vulnerabilities in the wild and has not identified any publicly available proof of concept (PoC) exploit code. Although Aruba Network access points have not previously been reported as exploited in the wild, they are an attractive target for threat actors due to the potential access these vulnerabilities could provide through privileged user RCE. Additionally, threat actors may attempt to reverse-engineer the patches to exploit unpatched systems in the near future. 

Recommendation 

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

Product               Affected Version                             Fixed Version
Aruba Access Points   AOS-10.6.x.x: 10.6.0.2 and below             AOS-10.7.x.x: 10.7.0.0 and above
                      AOS-10.4.x.x: 10.4.1.3 and below             AOS-10.6.x.x: 10.6.0.3 and above
                                                                   AOS-10.4.x.x: 10.4.1.4 and above
                      Instant AOS-8.12.x.x: 8.12.0.1 and below     Instant AOS-8.12.x.x: 8.12.0.2 and above
                      Instant AOS-8.10.x.x: 8.10.0.13 and below    Instant AOS-8.10.x.x: 8.10.0.14 and above
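As an added example (not Arctic Wolf's or HPE's code), the following Python classifies an access-point inventory against the version table above. It assumes version strings in the bulletin's "AOS-10.6.0.2" / "Instant AOS-8.10.0.13" form; the inventory is constructed sample data, and a train absent from the table is flagged for manual review rather than treated as safe.

```python
import re

# Lowest fixed build per affected train, taken from the bulletin's table
# (AOS-10.7.0.0 is listed as fixed, so the 10.7 train is included too).
FIXED_VERSIONS = {
    ("AOS", 10, 7): (10, 7, 0, 0),
    ("AOS", 10, 6): (10, 6, 0, 3),
    ("AOS", 10, 4): (10, 4, 1, 4),
    ("Instant AOS", 8, 12): (8, 12, 0, 2),
    ("Instant AOS", 8, 10): (8, 10, 0, 14),
}

# Assumed format: "<family>-<a>.<b>.<c>.<d>", e.g. "AOS-10.6.0.2".
_VERSION_RE = re.compile(r"^(Instant AOS|AOS)-(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Split 'AOS-10.6.0.2' into ('AOS', (10, 6, 0, 2))."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), tuple(int(x) for x in m.groups()[1:])


def check_version(text):
    """Return 'vulnerable', 'fixed', or 'not listed' (train not in the table)."""
    family, nums = parse_version(text)
    fix = FIXED_VERSIONS.get((family, nums[0], nums[1]))
    if fix is None:
        return "not listed"  # absent from the bulletin: review manually
    # The train key pins the first two components, so whole-tuple
    # comparison only ever decides on the maintenance build.
    return "vulnerable" if nums < fix else "fixed"


def triage(inventory):
    """Group AP names by status so an upgrade list can be built."""
    groups = {"vulnerable": [], "fixed": [], "not listed": []}
    for name, version in inventory.items():
        groups[check_version(version)].append(name)
    return groups


# Constructed sample inventory (not real devices).
AP_INVENTORY = {
    "ap-lobby-01": "AOS-10.6.0.2",
    "ap-lobby-02": "AOS-10.6.0.3",
    "ap-branch-01": "Instant AOS-8.10.0.13",
    "ap-branch-02": "AOS-10.7.0.1",
    "ap-legacy-01": "AOS-10.5.0.0",
}
```

Running `triage(AP_INVENTORY)` on the sample lists ap-lobby-01 and ap-branch-01 as vulnerable and ap-legacy-01 as not listed.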


Please follow your organisation’s patching and testing guidelines to minimise potential operational impact. 

Workaround(s) 

For users unable to apply the patch, HPE has offered the following workarounds: 

  • For devices running Instant AOS-8.x: Enabling cluster-security by using the cluster-security command will prevent these vulnerabilities from being exploited. 
  • For devices running AOS-10: Since cluster-security is not available, block access to UDP port 8211 from all untrusted networks to prevent exploitation. 
