SECURITY ALERTS

Multiple Vulnerabilities (CVE-2023-22747 to CVE-2023-22752) Exist in ArubaOS Allowing for Arbitrary Code Execution

DESCRIPTION:
Six high-risk vulnerabilities exist in ArubaOS. Four are command injection flaws, tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749 and CVE-2023-22750; two are stack-based buffer overflows, tracked as CVE-2023-22751 and CVE-2023-22752. All six are exploitable by sending specially crafted packets to the PAPI (Aruba's access point management protocol) service on UDP port 8211, allowing an unauthenticated remote attacker to run arbitrary code as a privileged user on the ArubaOS device.


AFFECTED RELEASES:
ArubaOS 8.6.0.19 and below
ArubaOS 8.10.0.4 and below
ArubaOS 10.3.1.0 and below
SD-WAN 8.7.0.0-2.3.0.8 and below

The following ArubaOS and SD-WAN release trains are End of Life; they are affected by these vulnerabilities and are not patched by this advisory:
ArubaOS 6.5.4.x
ArubaOS 8.7.x.x
ArubaOS 8.8.x.x
ArubaOS 8.9.x.x
SD-WAN 8.6.0.4-2.2.x.x


SOLUTION:
1. Users and system administrators of affected products are advised to apply the security updates:
(1) ArubaOS 8.10.0.5 and above
(2) ArubaOS 8.11.0.0 and above
(3) ArubaOS 10.3.1.1 and above
(4) SD-WAN 8.7.0.0-2.3.0.9 and above
2. A workaround for system administrators who cannot apply the security updates or are using EoL devices is to enable the "Enhanced PAPI Security" mode using a non-default key. The default key provides no protection, which is why a non-default key is required. This mode is a mitigation rather than a fix: the vulnerable code remains on the device, so affected systems should still be upgraded to a supported, fixed release as soon as possible.
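To help work through an inventory against the affected, End of Life and fixed releases listed above, the following script classifies ArubaOS and SD-WAN version strings according to the ranges on this page. It is an added example, not Aruba tooling; the hostnames in the sample inventory are constructed, and the "not listed" status covers versions the advisory does not name (for instance an 8.6 build above 8.6.0.19, since no fixed 8.6 release appears on this page).

```python
# Added example (not Aruba's tooling): triage an inventory of ArubaOS /
# SD-WAN versions against the affected, EoL and fixed releases listed
# in this advisory.
from typing import Dict, List, Tuple

STATUS_AFFECTED = "affected"
STATUS_EOL = "affected (EoL, no patch)"
STATUS_FIXED = "fixed"
STATUS_UNLISTED = "not listed in advisory"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.10.0.4' into (8, 10, 0, 4).

    SD-WAN builds such as '8.7.0.0-2.3.0.8' become one tuple
    (8, 7, 0, 0, 2, 3, 0, 8), so plain tuple comparison orders them
    the way the advisory does (base ArubaOS train first, then build).
    """
    return tuple(int(part) for part in version.replace("-", ".").split("."))


def classify_arubaos(version: str) -> str:
    """Map an ArubaOS version to the advisory's status for its train."""
    v = parse_version(version)
    major = v[0]
    minor = v[1] if len(v) > 1 else 0
    # EoL trains the advisory says are affected but will not be patched.
    if v[:3] == (6, 5, 4) or (major, minor) in {(8, 7), (8, 8), (8, 9)}:
        return STATUS_EOL
    # 8.6.0.19 and below is affected; the page lists no fixed 8.6 build.
    if (major, minor) == (8, 6):
        return STATUS_AFFECTED if v <= (8, 6, 0, 19) else STATUS_UNLISTED
    if (major, minor) == (8, 10):          # fixed in 8.10.0.5 and above
        return STATUS_AFFECTED if v <= (8, 10, 0, 4) else STATUS_FIXED
    if major == 8 and minor >= 11:         # 8.11.0.0 and above
        return STATUS_FIXED
    if major == 10:                        # fixed in 10.3.1.1 and above
        return STATUS_AFFECTED if v <= (10, 3, 1, 0) else STATUS_FIXED
    return STATUS_UNLISTED


def classify_sdwan(version: str) -> str:
    """Map an SD-WAN version ('<ArubaOS base>-<SD-WAN build>') to a status."""
    v = parse_version(version)
    if v[:6] == (8, 6, 0, 4, 2, 2):        # SD-WAN 8.6.0.4-2.2.x.x is EoL
        return STATUS_EOL
    if v < (8, 6, 0, 4, 2, 2):             # older than anything the page names
        return STATUS_UNLISTED
    if v <= (8, 7, 0, 0, 2, 3, 0, 8):      # 8.7.0.0-2.3.0.8 and below
        return STATUS_AFFECTED
    return STATUS_FIXED                    # 8.7.0.0-2.3.0.9 and above


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Rows are (hostname, product, version) with product 'arubaos' or
    'sdwan'. Returns hostname -> status string."""
    result: Dict[str, str] = {}
    for host, product, version in inventory:
        classify = classify_sdwan if product == "sdwan" else classify_arubaos
        result[host] = classify(version)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames, not real data).
    sample = [
        ("mc-hq-01", "arubaos", "8.10.0.4"),
        ("mc-hq-02", "arubaos", "8.10.0.5"),
        ("mc-branch-07", "arubaos", "8.7.1.9"),
        ("mc-lab", "arubaos", "10.3.1.0"),
        ("sdwan-gw-01", "sdwan", "8.7.0.0-2.3.0.8"),
        ("sdwan-gw-02", "sdwan", "8.6.0.4-2.2.0.3"),
    ]
    for host, status in sorted(triage(sample).items()):
        print(f"{host:14s} {status}")
```

Anything reported as "affected" or "affected (EoL, no patch)" still has a reachable PAPI listener on UDP port 8211 and should be prioritised for the update or, failing that, the Enhanced PAPI Security workaround with a non-default key.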


REFERENCE:
1. https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt
2. https://nvd.nist.gov/vuln/detail/CVE-2023-22747
3. https://nvd.nist.gov/vuln/detail/CVE-2023-22748
4. https://nvd.nist.gov/vuln/detail/CVE-2023-22749
5. https://nvd.nist.gov/vuln/detail/CVE-2023-22750
6. https://nvd.nist.gov/vuln/detail/CVE-2023-22751
7. https://nvd.nist.gov/vuln/detail/CVE-2023-22752
8. https://www.ithome.com.tw/news/155740
9. https://www.bleepingcomputer.com/news/security/aruba-networks-fixes-six-critical-vulnerabilities-in-arubaos/