Executive Summary:
On April 30, 2024, Aruba Networking disclosed ten vulnerabilities in its ArubaOS operating system, including four critical unauthenticated buffer overflow bugs that could lead to remote code execution (RCE).
Affected Products: Vulnerabilities specifically affect Aruba’s network controller and gateway products, including Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed through Aruba Central.
Impact: Successful exploitation could allow threat actors to execute arbitrary code with elevated privileges on affected systems, which could potentially lead to network recon and lateral movement.
Patch Availability: Patches are available for affected customers in ArubaOS versions 10.6.0.0, 10.5.1.1, 10.4.1.1, 8.11.2.2, 8.10.0.11
Exploitation Status: Aruba Networking is not aware of any public PoC or active exploitation at the time of disclosure.
Censys’s Perspective: As of May 3, 2024, Censys observed 180+ hosts running ArubaOS, detected through an exposed SNMP service – although this is likely an underestimation of the total number exposed. Nearly half are running an EOL version.
Detection:
Censys Search query for exposed ArubaOS devices: services.software: (vendor:”Aruba Networks” and product:”ArubaOS”)
Censys ASM customers can use the following risk query to look for exposed vulnerable ArubaOS devices in their network that are detectable through an SNMP service: risks.name=”Vulnerable ArubaOS Installation [CVE-2024-26304, CVE-2024-26305, CVE-2024-33511]”. Relevant devices will be associated with your organization’s ASM workspace within approximately 24 hours.
Background
On April 30, 2024, Aruba Networking, a subsidiary of Hewlett Packard Enterprise (HPE), disclosed ten vulnerabilities were disclosed in its ArubaOS operating system, four of which are critical unauthenticated buffer overflow bugs that could lead to remote code execution (RCE): CVE-2024-26305, CVE-2024-26304, CVE-2024-3351, and CVE-2024-33512
ArubaOS powers the various controllers, gateways, switches, and access points that make up Aruba Networking’s wired and wireless LAN infrastructure products tailored for enterprise networks, such as campus and office branches. These vulnerabilities specifically affect a few of their controller and gateway products, namely: Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed through Aruba Central.
Potential Consequences of Successful Exploitation: A threat actor could potentially exploit any of these vulnerabilities by sending a crafted HTTP packet to the UDP port (8211) used by the PAPI (Aruba’s access point management protocol). If successful, this exploitation could grant the threat actor the ability to run arbitrary code with elevated privileges on the underlying operating system on the network device.
This poses a threat to an organization’s network integrity – compromising one device could potentially lead to lateral movement and disruption of Wi-Fi services. With control over LAN devices, a threat actor could manipulate traffic, intercept sensitive data, and cause network downtime and service disruptions.
Aruba Networking has stated that they’re not aware of a public PoC or any active exploitation at this time.
Censys’s Perspective
As of Friday, May 3, 2024, Censys observed over 180 hosts running exposed ArubaOS. This is a relatively small internet footprint, but note that these numbers likely underestimate the total number exposed, since Censys only observes ArubaOS devices that are exposing an SNMP service, specifically those using SNMP v1 or v2. This is because SNMPv3 requires user authentication before accessing device information.
Just under half are hosted in Hungary, in a network called DRAVANET-AS.
Map of Censys-Visible Hosts Exposing ArubaOS Through an SNMP Service on the Public Internet as of May 3, 2024
| Country |
Host Count |
Percentage |
| Hungary |
94 |
49.74% |
| United States |
13 |
6.88% |
| Romania |
12 |
6.35% |
| Spain |
10 |
5.29% |
| Taiwan |
8 |
4.23% |
Top 5 Countries with Hosts Exposing ArubaOS
Of all exposed hosts, we observed 1 service showing indications of being patched. 89, or nearly half, appear to be running version 8.9.0.2, an EOL version that’s potentially vulnerable to this exploit.
Recommendations for Remediation
Patches are available for customers running the following versions, and can be downloaded from the HPE Networking Support Portal.
| Vulnerable Software Versions |
Patch |
| 10.5.x.x (10.5.1.0 and below) |
10.5.x.x: 10.5.1.1 and above |
| 10.4.x.x (10.4.1.0 and below) |
10.4.x.x: 10.4.1.1 and above |
| 8.11.x.x (8.11.2.1 and below) |
8.11.x.x: 8.11.2.2 and above |
| 8.10.x.x (8.10.0.10 and below) |
8.10.x.x: 8.10.0.11 and above |
These ArubaOS and SD-WAN software versions are End of Life (EOL) and will not be patched:
- ArubaOS 10.3.x.x
- ArubaOS 8.9.x.x
- ArubaOS 8.8.x.x
- ArubaOS 8.7.x.x
- ArubaOS 8.6.x.x
- ArubaOS 6.5.4.x
- SD-WAN 8.7.0.0-2.3.0.x
- SD-WAN 8.6.0.4-2.2.x.x
It’s also recommended to enable PAPI Enhanced Security: https://www.arubanetworks.com/techdocs/ArubaOS_74_Web_Help/Content/mas_guides/system_overview/PAPI_Enhanced_Security.htm
References:
