Security Updates: Aruba Access Points are vulnerable

Attackers can target Aruba access points and push malicious code onto the devices. Three of the vulnerabilities are rated “critical”. In total, the developers have closed thirteen vulnerabilities.


In a warning message, Aruba emphasizes that only access points running ArubaOS 10 and InstantOS are affected. Mobility Conductors, Mobility Controllers, and access points managed via Mobility Controllers and SD-WAN Gateways are not affected. Instant On is also not affected.

To secure access points, admins must install ArubaOS 10.4.0.3 or 10.5.0.1, or InstantOS 8.6.0.23, 8.10.0.9 or 8.11.2.0. The vulnerabilities also threaten older versions for which there are no longer any security updates; these require an upgrade. According to Aruba, there is currently no information about ongoing attacks.
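The following added example (not from Aruba or from the original article) checks a firmware inventory against the fixed releases listed above. The inventory entries, the four-field version format and the status names are assumptions made for illustration; fields are compared numerically because a string comparison would rank 8.6.0.9 above 8.6.0.23.

```python
# Fixed releases as listed in the article, keyed by (product, release branch).
FIXED = {
    ("ArubaOS", (10, 4)): (10, 4, 0, 3),
    ("ArubaOS", (10, 5)): (10, 5, 0, 1),
    ("InstantOS", (8, 6)): (8, 6, 0, 23),
    ("InstantOS", (8, 10)): (8, 10, 0, 9),
    ("InstantOS", (8, 11)): (8, 11, 2, 0),
}

# Constructed sample inventory: (hypothetical AP name, product, version).
INVENTORY = [
    ("ap-lobby", "InstantOS", "8.6.0.9"),
    ("ap-lab", "InstantOS", "8.10.0.9"),
    ("ap-warehouse", "InstantOS", "8.5.0.12"),
    ("ap-office", "ArubaOS", "10.4.0.2"),
    ("ap-roof", "ArubaOS", "10.5.0.1"),
]

def parse(version):
    """Turn '8.10.0.9' into (8, 10, 0, 9) so fields compare numerically."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric fields: {version!r}")
    return parts

def assess(product, version):
    """Return 'patched', 'update', 'upgrade' or 'unknown' for one device."""
    branches = [b for (p, b) in FIXED if p == product]
    if not branches:
        return "unknown"      # product not named in the article
    v = parse(version)
    fixed = FIXED.get((product, v[:2]))
    if fixed is not None:
        # Same branch as a fixed release: compare the full version.
        return "patched" if v >= fixed else "update"
    if v[:2] < max(branches):
        return "upgrade"      # older branch with no fixed release listed
    return "unknown"          # newer than anything the article lists

def report(inventory):
    """Assess every (name, product, version) entry."""
    return [(name, assess(product, version))
            for name, product, version in inventory]

if __name__ == "__main__":
    for name, status in report(INVENTORY):
        print(f"{name:14} {status}")
```

A status of `unknown` means the article gives no basis for a verdict, so the vendor advisory has to be consulted for that device.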

Three vulnerabilities rated “critical” (CVE-2023-45614, CVE-2023-45615, CVE-2023-45616) are considered particularly dangerous. Through them, remote attackers without authentication can, among other things, attack the CLI service with crafted packets and execute their own code at the system level as a privileged user.

In other cases, data can be deleted from the system. This is possible via the AirWave client (CVE-2023-45618, “high”) and can endanger the integrity of an access point. What an attack might look like is still unclear. DoS attacks are also conceivable; the CLI service is vulnerable to these as well, and no authentication is necessary here either.

Aruba recently made headlines when high-risk security holes in controllers and gateways were closed.

