Security updates for the ArubaOS firmware of the devices from the HPE subsidiary improve vulnerabilities that attackers can use to smuggle in malicious code from the network. IT managers should download and apply the updates quickly.
Advertisement
Aruba seals a total of nine security gaps, one of which just barely misses the “critical” risk rating. The manufacturer considers four of the gaps to be a high risk and five to be a medium one.
ArubaOS: A near-critical vulnerability
A vulnerability in the ArubaOS web-based management interface allows unauthenticated attackers to perform a Stored Cross-Site Scripting (XSS) attack against users of the web interface. This allows them to run arbitrary script code in a victim’s browser in context after a successful attack (CVE-2023-35971, CVSS 8.8risk “high“). Registered users can also remotely inject commands into the web interface, which are executed as privileged users in the underlying operating system (CVE-2023-35972, CVSS 7.2, high).
Two similar vulnerabilities can also be found in the ArubaOS command line interface (CVE-2023-35973, CVE-2023-35974, both CVSS 7.2, high). Are affected Aruba Security Advisory According to HPE Aruba Mobility Conductor (formerly known as Mobility Master), mobility controllers and WLAN and SD-WAN gateways that IT managers manage with Aruba Central.
The software versions are vulnerable up to and including ArubaOS 10.4.0.1, 8.11.1.0, 8.10.0.6 and 8.6.0.20. Some of the vulnerabilities affect ArubaOS 8.9.xx, 8.8.xx, 8.7.xx, 6.5.4.x, SD-WAN 8.7.0.0-2.3.0.x and 8.6.0.4-2.2.xx – these are at the end of support arrived and therefore no longer receive updates that would close the security holes. Only the software versions ArubaOS 10.4.0.2, 8.11.1.1, 8.10.0.7 and 8.6.0.21 and newer are available to close the leaks.
In May, the HPE subsidiary released updates for the access points. They have closed critical security gaps that attackers could have used to take over the access points.
Advertisement
(dmk)