Tech News

HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

By admin 3 Min Read

HPE Aruba Networking has issued its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.

The advisory lists ten vulnerabilities, four of which are critical-severity (CVSS v3.1: 9.8) unauthenticated buffer overflow problems that can lead to remote code execution (RCE).

Products impacted by the newly disclosed flaws are:

  • HPE Aruba Networking Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed by Aruba Central.
  • ArubaOS 10.5.1.0 and below, 10.4.1.0 and older, 8.11.2.1 and below, and 8.10.0.10 and older.
  • All versions of ArubaOS and SD-WAN that have reached EoL. This includes ArubaOS below 10.3, 8.9, 8.8, 8.7, 8.6, 6.5.4, and SD-WAN 2.3.0 through 8.7.0.0 and 2.2 through 8.6.0.4.

The four critical remote code execution flaws are: 

  • CVE-2024-26305 – Flaw in ArubaOS’s Utility daemon allowing an unauthenticated attacker to execute arbitrary code remotely by sending specially crafted packets to the PAPI (Aruba’s access point management protocol) UDP port (8211).
  • CVE-2024-26304 – Flaw in the L2/L3 Management service, permitting unauthenticated remote code execution through crafted packets sent to the PAPI UDP port.
  • CVE-2024-33511 – Vulnerability in the Automatic Reporting service that can be exploited by sending specially crafted packets to the PAPI protocol port to allow unauthenticated attackers to execute arbitrary code remotely.
  • CVE-2024-33512 – Flaw allowing unauthenticated remote attackers to execute code by exploiting a buffer overflow in the Local User Authentication Database service accessed via the PAPI protocol.

To mitigate the flaws the vendor recommends enabling Enhanced PAPI Security and upgrading to patched versions for ArubaOS.

The latest versions also address another six vulnerabilities, all rated “medium” in severity (CVSS v3.1: 5.3 – 5.9) which could allow unauthenticated attackers to create denial of service on vulnerable devices and cause costly operational disruptions.

The target upgrade versions that address all ten flaws are:

  • ArubaOS 10.6.0.0 and above 
  • ArubaOS 10.5.1.1 and above 
  • ArubaOS 10.4.1.1 and above 
  • ArubaOS 8.11.2.2 and above 
  • ArubaOS 8.10.0.11 and above 

At this time, HPE Aruba Networking is not aware of any cases of active exploitation or the existence of proof-of-concept (PoC) exploits for the mentioned vulnerabilities.

Still, system administrators are recommended to apply the available security updates as soon as possible.

You Might Also Like

Changing Ends Season 3 Review: Forget Alan Carr’s The Traitors Success

1,139 HP: The New Porsche Cayenne Electric is a Monster

Former Revolut executives raise €30M to bring blockchain-based banking app Deblock to Ireland

Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)

What caused the global Cloudflare outage?

TAGGED: , , , ,
Share This Article
Previous Article Deion Sanders, Shedeur Sanders respond to Colorado critics
Next Article Stability AI Stable Assistant Beta chatbot released
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

- Advertisement -

Latest News

RiNo apartment building asks judge to evict rooftop cocktail lounge
Business
Changing Ends Season 3 Review: Forget Alan Carr’s The Traitors Success
Tech News
South Africa deploys 3,500 police and braces for protests ahead of G20 summit
World News
Best 5 crypto presales predicted to lead the next altcoin season
Crypto
S.T.A.L.K.E.R. 2: Heart of Chornobyl on PS5 – 15 Key Details
Gaming News
Nvidia's Jensen Huang needs investors to party like it’s not 1999
Business
Bitfury Says Goodbye To Mining, Hello To A $1 Billion Tech Fund
Crypto
Lost your password?