September 26, 2024 at 03:32PM
HPE has issued emergency fixes for critical flaws in Aruba access points running AOS-8 and AOS-10. These vulnerabilities, rated 9.8 on the CVSS scale, allow attackers to run code on the systems. The flaws affect specific versions of AOS, and HPE advises upgrading to protect against these vulnerabilities. The discovery was credited to Erik de Jong.
Key Takeaways from Meeting Notes:
– Urgent patching is required for Aruba access points running AOS-8 and AOS-10 due to three critical flaws identified by HPE.
– The vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) are rated 9.8 on the CVSS scale and allow attackers to run code by sending specially crafted packets to UDP port 8211.
– Affected versions include AOS 10.6.x.x (up to and including 10.6.0.2) and Instant AOS 8.12.x.x (8.12.0.1 and earlier versions).
– As workarounds, HPE advises enabling cluster-security on devices running Instant AOS-8.x code, and blocking access to UDP port 8211 from untrusted networks on AOS-10 devices.
– The vulnerabilities were discovered by Erik de Jong, credited via Bugcrowd, and no evidence of exploitation in the wild has been reported by HPE.
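A small triage script, added here as an example and not part of the advisory or HPE's tooling, that checks a firmware inventory against the affected ranges listed above (AOS 10.6.x.x up to 10.6.0.2, Instant AOS 8.12.x.x up to 8.12.0.1). The inventory lines and hostnames are constructed sample data; anything outside those two ranges is reported as not matched, not as safe.

```python
# Added example: flag access points whose firmware falls inside the affected
# ranges stated in the advisory summary. Only the two ranges named above are
# encoded; other branches are simply not matched.
from typing import Optional, Tuple

# product line -> (branch prefix, last affected build)
AFFECTED = {
    "aos-10": ((10, 6), (10, 6, 0, 2)),
    "instant-aos-8": ((8, 12), (8, 12, 0, 1)),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.6.0.2' into (10, 6, 0, 2); anything else raises ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted fields, got {text!r}")
    return parts


def is_affected(version: str) -> Optional[str]:
    """Return the affected product line for a vulnerable build, else None."""
    v = parse_version(version)
    for product, (branch, last_bad) in AFFECTED.items():
        # same major.minor branch and not newer than the last affected build
        if v[:2] == branch and v <= last_bad:
            return product
    return None


def triage(inventory: str) -> dict:
    """Map hostname -> affected product line for each AP on a vulnerable build."""
    findings = {}
    for line in inventory.strip().splitlines():
        host, version = (field.strip() for field in line.split(","))
        hit = is_affected(version)
        if hit:
            findings[host] = hit
    return findings


# Constructed sample inventory (hostname,firmware); not real devices.
SAMPLE_INVENTORY = """\
ap-lobby-01,10.6.0.2
ap-lobby-02,10.6.0.3
ap-warehouse-01,8.12.0.1
ap-warehouse-02,8.12.0.2
"""

if __name__ == "__main__":
    for host, product in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: affected {product} build, upgrade required")
```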
These notes illustrate the urgency of patching the identified vulnerabilities in Aruba access points and the recommended actions to prevent exploitation. The potential impact on the US military’s systems highlights the critical nature of this issue.