Alert!

Security updates: Attackers can compromise WLAN gateways from Aruba

Important patches close several vulnerabilities in Aruba's Mobility Conductor, Mobility Controllers, WLAN Gateways and SD-WAN Gateways.

Stylized image: a stack of burning appliances

Vulnerabilities threaten appliances.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Network admins should update the ArubaOS network operating system to the latest version to prevent attacks. Among other things, the security updates close three "critical" security gaps. The vulnerabilities also affect versions that are no longer supported. Devices running these versions remain vulnerable. According to Aruba, there are currently no indications of attacks.

According to a security advisory, the products Mobility Conductor, Mobility Controllers, WLAN Gateways and SD-WAN Gateways are specifically at risk. The critical vulnerabilities (CVE-2024-26304, CVE-2024-33511, CVE-2024-33512) are located in the access point management protocol PAPI. Remote attackers are reportedly able to exploit them with specially crafted requests to the protocol's UDP port, without authentication.

If this works, memory errors (buffer overflow) occur and attackers can execute malicious code in the underlying system. This usually leads to the complete compromise of devices.

The remaining vulnerabilities are classified as "medium" threat level. Attackers can use them for DoS attacks that paralyze devices.

Aruba states that it has resolved the security issues from the following versions onwards:

  • ArubaOS 8.10.x.x: 8.10.0.11
  • ArubaOS 8.11.x.x: 8.11.2.2
  • ArubaOS 10.4.x.x: 10.4.1.1
  • ArubaOS 10.5.x.x: 10.5.1.1
  • ArubaOS 10.6.x.x: 10.6.0.0

Aruba expressly points out that the following versions are also vulnerable. However, support for these has expired and there are no more security updates. In this case, admins should upgrade as soon as possible.

  • ArubaOS 6.5.4.x
  • ArubaOS 8.6.x.x
  • ArubaOS 8.7.x.x
  • ArubaOS 8.8.x.x
  • ArubaOS 8.9.x.x
  • ArubaOS 10.3.x.x
  • SD-WAN 8.6.0.4-2.2.x.x
  • SD-WAN 8.7.0.0-2.3.0.x
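For triaging a device inventory against the two version lists above, the following Python sketch is an added example, not code from Aruba or heise. The hostnames and sample versions are constructed; the optional `_build` suffix on version strings and the "unknown" status for branches the article does not mention are assumptions.

```python
import re

# Fixed releases per branch, as listed in the article.
FIXED = {(8, 10): (8, 10, 0, 11), (8, 11): (8, 11, 2, 2),
         (10, 4): (10, 4, 1, 1), (10, 5): (10, 5, 1, 1),
         (10, 6): (10, 6, 0, 0)}
# Branches the article lists as vulnerable with no further updates.
EOL_PREFIXES = [(6, 5, 4), (8, 6), (8, 7), (8, 8), (8, 9), (10, 3)]
EOL_SDWAN = ("8.6.0.4-2.2.", "8.7.0.0-2.3.0.")

def classify(version):
    """Return patched / vulnerable / end-of-support / unknown / unparseable."""
    v = version.strip()
    if "-" in v:  # SD-WAN style string such as 8.7.0.0-2.3.0.9
        return "end-of-support" if v.startswith(EOL_SDWAN) else "unknown"
    # Assumption: an inventory may append a numeric build suffix like _89012.
    m = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:_\d+)?$", v)
    if not m:
        return "unparseable"
    parts = tuple(int(g) for g in m.groups())
    if any(parts[:len(p)] == p for p in EOL_PREFIXES):
        return "end-of-support"
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return "unknown"  # branch not mentioned in the article
    # Compare numerically: as strings, "8.10.0.9" would sort after "8.10.0.11".
    return "patched" if parts >= fixed else "vulnerable"

def triage(inventory):
    """Group hostnames by status."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("mc-hq-01", "8.10.0.9"), ("mc-hq-02", "8.10.0.11"),
          ("gw-branch-07", "10.4.1.0_89012"), ("mc-lab", "8.8.0.2"),
          ("sdwan-edge", "8.7.0.0-2.3.0.9"), ("mc-new", "10.6.0.1")]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as "end-of-support" need a branch upgrade rather than a patch release, and "unknown" entries should be checked against the vendor advisory directly.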

(des)