November 7, 2024 By Bill Toulas
Hewlett Packard Enterprise (HPE) released updates for Instant AOS-8 and AOS-10 software to address two critical vulnerabilities in Aruba Networking Access Points.
The two security issues could allow a remote attacker to perform unauthenticated command injection by sending specially crafted packets to Aruba's Access Point management protocol (PAPI) over UDP port 8211.
The critical flaws are tracked as CVE-2024-42509 and CVE-2024-47460, and have been assessed with a severity score of 9.8 and 9.0, respectively. Both are in the command line interface (CLI) service, which is accessed via the PAPI protocol.
The update also fixes another four security vulnerabilities:
- CVE-2024-47461 (7.2 severity score): authenticated remote command execution that could allow an attacker to execute arbitrary commands on the underlying operating system
- CVE-2024-47462 and CVE-2024-47463 (7.2 severity score): an authenticated attacker could create arbitrary files, potentially leading to remote command execution
- CVE-2024-47464 (6.8 severity score): an authenticated attacker exploiting it could access unauthorized files via path traversal
