HPE patches three critical security holes in Aruba PAPI

More 9.8 bugs? Ay, papi!


Aruba access points running Instant AOS-8 and AOS-10 need patching urgently: HPE has emitted fixes for three critical flaws in the access points sold by its networking subsidiary.

The issues would allow an unauthenticated attacker to execute arbitrary code as a privileged user on an affected access point by sending crafted packets to UDP port 8211, the port used by the Proprietary Access Protocol Interface (PAPI), the management protocol the operating system speaks between access points and controllers.

The three vulnerabilities - CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507 - are all rated 9.8 out of 10 on the CVSS severity scale.

The flaws affect AOS-10.6.x.x up to and including 10.6.0.2, as well as Instant AOS-8.12.x.x up to and including 8.12.0.1. HPE also warns that end-of-life code is affected, including AOS-10.5, AOS-10.3, Instant AOS-8.11 and earlier releases; no fixes are coming for those, and the advice is to upgrade such systems to a supported release to get protection.

"Enabling cluster-security via the cluster-security command will prevent these vulnerabilities from being exploited in devices running Instant AOS-8.x code," HPE advised in its security alert. "For AOS-10 devices this is not an option and instead access to UDP port 8211 must be blocked from all untrusted networks."
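The affected-version list and the two workarounds above translate into a simple triage rule for an AP inventory. The helper below is an added example, not HPE's or Aruba's code and not from the advisory; it assumes dotted firmware version strings of up to four parts, keys the firmware family off the leading digit (10 for AOS-10, 8 for Instant AOS-8), and treats any branch newer than those the article names as "not-listed" rather than as fixed. The inventory at the bottom is constructed. It classifies only; it does not probe UDP 8211.

```python
"""Triage helper for the three Aruba PAPI flaws (CVE-2024-42505/-42506/-42507).

Added example, not HPE/Aruba code. The version boundaries and the two workarounds
are those stated in the article; everything else here is an assumption for illustration.
"""
from typing import Optional

AFFECTED, FIXED, NOT_LISTED = "affected", "fixed", "not-listed"
PAPI_UDP_PORT = 8211

# Newest affected build on each supported branch, per the article:
#   AOS-10.6.x.x up to and including 10.6.0.2
#   Instant AOS-8.12.x.x up to and including 8.12.0.1
# Every older branch of each family (10.5, 10.3, 8.11 and earlier) is end-of-life and affected.
LAST_AFFECTED = {
    "AOS-10": (10, 6, 0, 2),
    "Instant AOS-8": (8, 12, 0, 1),
}


def parse_version(text: str) -> tuple:
    """Turn '10.6.0.2' into (10, 6, 0, 2); shorter strings are zero-padded to four parts."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def family(version: tuple) -> Optional[str]:
    """Assumption of this example: the leading digit identifies the firmware family."""
    return {10: "AOS-10", 8: "Instant AOS-8"}.get(version[0])


def status(text: str) -> str:
    """Classify one firmware version against the advisory's affected ranges."""
    version = parse_version(text)
    fam = family(version)
    if fam is None:
        return NOT_LISTED
    last = LAST_AFFECTED[fam]
    branch, last_branch = version[:2], last[:2]
    if branch < last_branch:      # older, end-of-life branch: affected and no fix coming
        return AFFECTED
    if branch == last_branch:     # the supported branch: compare against the last bad build
        return AFFECTED if version <= last else FIXED
    return NOT_LISTED             # newer than anything the advisory names; check separately


def mitigation(text: str) -> Optional[str]:
    """Interim workaround for an affected device, per the advisory; None if none is needed."""
    if status(text) != AFFECTED:
        return None
    if family(parse_version(text)) == "Instant AOS-8":
        return "enable cluster-security (cluster-security command), then upgrade"
    return f"block UDP/{PAPI_UDP_PORT} from all untrusted networks, then upgrade"


def triage(inventory: dict) -> list:
    """Map {hostname: version} to rows of (hostname, version, status, mitigation)."""
    return [(host, ver, status(ver), mitigation(ver)) for host, ver in sorted(inventory.items())]


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    sample = {
        "ap-lobby-01": "10.6.0.2",
        "ap-lobby-02": "10.6.0.3",
        "ap-warehouse-01": "10.5.1.0",
        "ap-branch-01": "8.12.0.1",
        "ap-branch-02": "8.11.2.2",
    }
    for row in triage(sample):
        print(*row, sep="  ")
```

The tuple comparison is what makes "up to and including 10.6.0.2" come out right without string tricks: 10.6.0.2 is affected, 10.6.0.3 is fixed, and 10.5.x.x falls into the end-of-life branch where the only remedy is an upgrade. Anything newer than the branches the advisory names is reported as not-listed so that it gets checked rather than silently assumed safe.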

It's not the first time PAPI has been shown to have serious problems this year. Back in May, Aruba fixed four critical flaws in the protocol after proof-of-concept exploit code was released, then issued more patches less than a week later.

These patches will be of particular concern to sysadmins within the US military. Back in 2020, Aruba scored a major win by becoming the preferred supplier to the Pentagon after the military fell out with Cisco and started replacing its kit.

HPE credited the flaws' discovery to Erik de Jong, a part-time bug hunter whose day job is security officer at the Dutch telco DELTA Fiber. The vulnerabilities were submitted via Bugcrowd, and he has credited his hobby with paying off a chunk of his mortgage.

At the time of publication, HPE said that it had seen no evidence that the issues are being exploited in the wild. However, now that patches are out, and given their seriousness, that's likely to change. ®
