HPE Aruba Networking (formerly Aruba Networks) has released security updates to address critical flaws impacting ArubaOS that could result in remote code execution (RCE) on affected systems.

  • CVE-2024-26304 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol
  • CVE-2024-26305 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol
  • CVE-2024-33511 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol
  • CVE-2024-33512 (CVSS score: 9.8) – Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol

The vulnerabilities, which impact Mobility Conductor (formerly Mobility Master), Mobility Controllers, and WLAN Gateways and SD-WAN Gateways managed by Aruba Central, are present in the following software versions –

  • ArubaOS 10.5.1.0 and below
  • ArubaOS 10.4.1.0 and below
  • ArubaOS 8.11.2.1 and below
  • ArubaOS 8.10.0.10 and below

They also impact the ArubaOS and SD-WAN software versions that have reached end of maintenance status –

  • ArubaOS 10.3.x.x
  • ArubaOS 8.9.x.x
  • ArubaOS 8.8.x.x
  • ArubaOS 8.7.x.x
  • ArubaOS 8.6.x.x
  • ArubaOS 6.5.4.x
  • SD-WAN 8.7.0.0-2.3.0.x
  • SD-WAN 8.6.0.4-2.2.x.x
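To turn the two version lists above into a check an operator can run against a device inventory, here is an added example (not CERT-PH's or HPE Aruba's own tooling) that flags ArubaOS and SD-WAN version strings as affected, treating "and below" as a numeric ceiling within the listed branch and "x" as a wildcard. The hostnames and inventory are constructed; branches the advisory does not list are reported as not affected and still need to be checked against the vendor advisory.

```python
"""Triage an inventory of ArubaOS / SD-WAN versions against the ranges
listed in the advisory summary above. Added example, not vendor code."""
import re

# Supported branches: (product, major.minor) -> highest affected version
AFFECTED_CEILINGS = {
    ("ArubaOS", "10.5"): "10.5.1.0",
    ("ArubaOS", "10.4"): "10.4.1.0",
    ("ArubaOS", "8.11"): "8.11.2.1",
    ("ArubaOS", "8.10"): "8.10.0.10",
}

# End-of-maintenance branches: every version matching the pattern is affected
EOM_PATTERNS = [
    ("ArubaOS", "10.3.x.x"), ("ArubaOS", "8.9.x.x"), ("ArubaOS", "8.8.x.x"),
    ("ArubaOS", "8.7.x.x"), ("ArubaOS", "8.6.x.x"), ("ArubaOS", "6.5.4.x"),
    ("SD-WAN", "8.7.0.0-2.3.0.x"), ("SD-WAN", "8.6.0.4-2.2.x.x"),
]

def parse_version(version):
    """'8.10.0.10' -> (8, 10, 0, 10); tuples compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))

def _matches_pattern(version, pattern):
    # Escape dots and dashes, then let each 'x' stand for any numeric component.
    return re.fullmatch(re.escape(pattern).replace("x", r"\d+"), version) is not None

def affected(product, version):
    """Return the advisory range that makes this version affected, or None."""
    for prod, pattern in EOM_PATTERNS:
        if prod == product and _matches_pattern(version, pattern):
            return f"{prod} {pattern} (end of maintenance)"
    branch = ".".join(version.split(".")[:2])
    ceiling = AFFECTED_CEILINGS.get((product, branch))
    if ceiling and parse_version(version) <= parse_version(ceiling):
        return f"{product} {ceiling} and below"
    return None  # above the ceiling, or a branch the advisory does not list

# Constructed sample inventory: (hostname, product, version)
SAMPLE_INVENTORY = [
    ("mc-hq-01", "ArubaOS", "8.10.0.10"),         # equals the ceiling: affected
    ("mc-hq-02", "ArubaOS", "8.10.0.11"),         # constructed later build: not flagged
    ("conductor-1", "ArubaOS", "10.5.1.0"),       # equals the ceiling: affected
    ("mc-branch-7", "ArubaOS", "8.7.3.2"),        # end-of-maintenance branch
    ("gw-sdwan-3", "SD-WAN", "8.7.0.0-2.3.0.4"),  # matches 8.7.0.0-2.3.0.x
    ("gw-sdwan-4", "SD-WAN", "8.7.0.0-2.4.0.0"),  # constructed, outside listed ranges
]

def triage(inventory):
    """Map hostname -> reason for every device in an affected range."""
    return {host: r for host, prod, ver in inventory if (r := affected(prod, ver))}

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected ({reason})")
```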

CERT-PH recommends the following actions be taken:

  • Kindly review and apply the necessary updates/workaround to mitigate future threats.
  • Make sure to install security software and keep it updated to the latest version.
  • Security administrators may review the TTPs (Tactics, Techniques, and Procedures) and IOCs (Indicators of Compromise) of the monitored malicious campaign for detection and prevention.
  • For additional information, kindly refer to the official report:
    • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-004.txt