
HPE patches three critical security holes in Aruba PAPI

More 9.8 bugs? Ay, papi!


Aruba access points running AOS-8 and AOS-10 need to be patched urgently after HPE emitted fixes for three critical flaws in the access points sold by its networking subsidiary.

The issues would allow an unauthenticated attacker to run code on Aruba's systems by sending carefully crafted packets to UDP port 8211, the operating system's Proprietary Access Protocol Interface (PAPI), which would provide that miscreant privileged access to the equipment.

The three vulnerabilities - CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507 - are all rated 9.8 out of 10 on the CVSS severity scale.

The flaws affect versions of AOS 10.6.x.x (up to and including 10.6.0.2), as well as Instant AOS 8.12.x.x (8.12.0.1 and earlier versions). HPE also warns that end-of-life code - including AOS 10.5 and 10.3, and Instant AOS-8.11, as well as earlier incarnations - is affected, and the advice is to upgrade these systems to get protection.

"Enabling cluster-security via the cluster-security command will prevent these vulnerabilities from being exploited in devices running Instant AOS-8.x code," HPE advised in its security alert. "For AOS-10 devices this is not an option and instead access to UDP port 8211 must be blocked from all untrusted networks."
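As an added defensive check, not code from the article or from HPE, the Python below audits firewall flow records for UDP/8211 (PAPI) traffic reaching an access point from outside the trusted management networks, which is the condition the AOS-10 advice says must not occur. The CSV record format, the trusted range 10.20.0.0/16 and the sample records are all constructed assumptions.

```python
import ipaddress

# Constructed sample flow records (not from the article): src,dst,proto,dport
SAMPLE_FLOWS = """\
10.20.0.5,10.20.0.10,udp,8211
203.0.113.7,10.20.0.10,udp,8211
192.0.2.44,10.20.0.11,udp,8211
10.20.1.9,10.20.0.10,udp,443
198.51.100.3,10.20.0.10,tcp,8211
"""

# Assumed trusted management ranges; replace with the real ones.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
PAPI_PORT = 8211  # UDP port named in the HPE advisory


def parse_flows(text):
    """Parse 'src,dst,proto,dport' lines into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport = (field.strip() for field in line.split(","))
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto.lower(), int(dport)))
    return flows


def is_trusted(addr, trusted=TRUSTED_NETWORKS):
    """True when the source address lies inside one of the trusted networks."""
    return any(addr in net for net in trusted)


def papi_exposures(flows, trusted=TRUSTED_NETWORKS):
    """Flows that reached UDP/8211 from an untrusted source, grouped by target AP.

    Only UDP is considered because PAPI is a UDP protocol; a TCP/8211 flow is not
    evidence that the blocking rule has failed.
    """
    exposed = {}
    for src, dst, proto, dport in flows:
        if proto == "udp" and dport == PAPI_PORT and not is_trusted(src, trusted):
            exposed.setdefault(str(dst), []).append(str(src))
    return exposed


if __name__ == "__main__":
    for ap, sources in papi_exposures(parse_flows(SAMPLE_FLOWS)).items():
        print(f"AP {ap} reachable on UDP/8211 from untrusted: {', '.join(sources)}")
```

An empty result means no untrusted source reached PAPI during the captured window; a non-empty one means the port-blocking mitigation is not in effect for that access point.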

It's not the first time PAPI has been shown to have serious problems this year. Back in May, Aruba fixed four critical flaws in the system after proof-of-concept exploit code was released, and then issued more patches less than a week later.

These patches will be of particular concern to sysadmins within the US military. Back in 2020, Aruba scored a major win by becoming the preferred supplier to the Pentagon after the military fell out with Cisco and started replacing its kit.

HPE credited the flaws' discovery to Erik de Jong, a part-time flaw finder whose day job is as a security officer for the Netherlands telco DELTA Fiber. The vulnerabilities were submitted via Bugcrowd, and he credits his hobby with paying off a chunk of his mortgage.

At the time of publication, HPE said that it had seen no evidence that the issues are being exploited in the wild. However, now that patches are out, and given their seriousness, that's likely to change. ®
