The Register: HPE patches three critical flaws in Aruba proprietary access protocol Interface

Source URL: https://www.theregister.com/2024/09/26/hpe_aruba_patch_papi/
Source: The Register
Title: HPE patches three critical flaws in Aruba proprietary access protocol Interface

Feedly Summary: More 9.8 bugs? Ai PAPI!
Aruba access points running AOS-8 and AOS-10 need to be patched urgently after HPE issued emergency fixes for three critical flaws in its networking subsidiary’s networking access points.…

AI Summary and Description: Yes

Summary: The text discusses critical vulnerabilities identified in Aruba’s AOS networking access points, urging urgent patches due to their severe security implications. It highlights the potential for attackers to gain privileged access through carefully crafted packets, posing significant risks to infrastructure, particularly for users like the US military.

Detailed Description:
– **Vulnerabilities Identified**: Three critical flaws (CVE-2024-42505, CVE-2024-42506, CVE-2024-42507) were discovered in Aruba’s AOS-8 and AOS-10 access points. All three vulnerabilities have a high severity rating of 9.8 on the CVSS scale.
– **Impact**: Exploitation of these vulnerabilities could allow attackers to run arbitrary code on devices by sending malicious packets to UDP port 8211, thereby gaining privileged access to affected systems.
– **Affected Versions**: Specific versions impacted include AOS 10.6.x.x (up to and including 10.6.0.2) and Instant AOS 8.12.x.x (8.12.0.1 and earlier).
– **Security Measures**: HPE advises users to enable cluster security for Instant AOS-8.x devices, while for AOS-10 devices, it is critical to block access to UDP port 8211 from any untrusted networks.
– **Historical Context**: This is not the first instance of vulnerabilities with PAPI, as another set of critical flaws was addressed earlier in the year, indicating ongoing security challenges.
– **Significance for Military Systems**: The urgency of these patches is amplified for sysadmins in military settings, particularly since Aruba has established itself as a key supplier to the Pentagon.
– **Discoverer Recognition**: The vulnerabilities were reported by Erik de Jong, a security officer and part-time flaw finder, reflecting the importance of community engagement in security practices.

Overall, these vulnerabilities emphasize the need for continuous monitoring and rapid response in security practices in organizational infrastructures, particularly in high-stakes environments like military operations. The recognition of the discoverer also highlights the role of professional communities and bounty programs in enhancing security posture.