HPE Aruba Access Points Vulnerable to RCE

SUMMARY

Hewlett Packard Enterprise (HPE) Aruba Networking recently patched three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points running AOS-8 and AOS-10. The flaws could allow unauthenticated remote code execution (RCE).

RISK SCORE

CVE-ID            CVSSv3 Score
CVE-2024-42505    9.8
CVE-2024-42506    9.8
CVE-2024-42507    9.8

VULNERABILITY DETAILS

HPE Aruba Networking fixed three critical vulnerabilities in the CLI service of its Aruba Access Points that could allow unauthenticated remote code execution (RCE). The flaws are reachable through the PAPI UDP port (8211); successful exploitation gives an attacker privileged access and the ability to execute arbitrary code on vulnerable devices.

AFFECTED PRODUCTS

  • AOS-10.6.x.x: 10.6.0.2 and below
  • AOS-10.4.x.x: 10.4.1.3 and below
  • Instant AOS-8.12.x.x: 8.12.0.1 and below
  • Instant AOS-8.10.x.x: 8.10.0.13 and below

The following software versions that are End of Support Life (EoSL) are affected by these vulnerabilities and were not addressed by HPE:

  • AOS-10.5.x.x: all
  • AOS-10.3.x.x: all
  • Instant AOS-8.11.x.x: all
  • Instant AOS-8.9.x.x: all
  • Instant AOS-8.8.x.x: all
  • Instant AOS-8.7.x.x: all
  • Instant AOS-8.6.x.x: all
  • Instant AOS-8.5.x.x: all
  • Instant AOS-8.4.x.x: all
  • Instant AOS-6.5.x.x: all
  • Instant AOS-6.4.x.x: all

SOLUTION

  • AOS-10.7.x.x: 10.7.0.0 and above
  • AOS-10.6.x.x: 10.6.0.3 and above
  • AOS-10.4.x.x: 10.4.1.4 and above
  • Instant AOS-8.12.x.x: 8.12.0.2 and above
  • Instant AOS-8.10.x.x: 8.10.0.14 and above
  • Customers running End of Support Life (EoSL) software should upgrade to a supported version as soon as possible.

RECOMMENDATIONS

  • Apply the latest security updates for affected Aruba Access Points from the HPE Networking Support Portal.
  • All devices running End of Support Life (EoSL) software must upgrade to a supported version as soon as possible.
  • For Instant AOS-8.x devices, enable “cluster-security” as a temporary workaround.
  • Block access to the PAPI UDP port (8211) from untrusted networks for AOS-10 devices.
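As an added illustration (not part of the HPE advisory or of any Aruba tool), the following Python script turns the affected, EoSL and fixed version lists above into a fleet check: it classifies each access point's firmware as fixed, vulnerable or on an End of Support Life branch, and pairs that result with the interim workaround the recommendations give for its product line. The inventory rows, the hostnames and the product labels "AOS" and "Instant AOS" are constructed for the example.

```python
# Added example (not part of the HPE advisory or any Aruba tool): classify
# Aruba AP firmware versions against the affected/fixed ranges listed above.

# First fixed release per branch, transcribed from the SOLUTION list.
# Key: (product line, "major.minor" branch) -> first fixed version tuple.
FIXED = {
    ("AOS", "10.7"): (10, 7, 0, 0),
    ("AOS", "10.6"): (10, 6, 0, 3),
    ("AOS", "10.4"): (10, 4, 1, 4),
    ("Instant AOS", "8.12"): (8, 12, 0, 2),
    ("Instant AOS", "8.10"): (8, 10, 0, 14),
}

# Branches the advisory lists as End of Support Life: affected, never fixed.
EOSL = {
    ("AOS", "10.5"), ("AOS", "10.3"),
    ("Instant AOS", "8.11"), ("Instant AOS", "8.9"), ("Instant AOS", "8.8"),
    ("Instant AOS", "8.7"), ("Instant AOS", "8.6"), ("Instant AOS", "8.5"),
    ("Instant AOS", "8.4"), ("Instant AOS", "6.5"), ("Instant AOS", "6.4"),
}


def parse_version(text):
    """Turn '8.10.0.13' into (8, 10, 0, 13); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product, version):
    """Return 'fixed', 'vulnerable', 'eosl' or 'unknown-branch'.

    Tuple comparison gives numeric ordering, so 8.10.0.14 > 8.10.0.9;
    comparing the raw strings would get that case wrong.
    """
    v = parse_version(version)
    key = (product, f"{v[0]}.{v[1]}")
    if key in EOSL:
        return "eosl"
    if key in FIXED:
        return "fixed" if v >= FIXED[key] else "vulnerable"
    # Branches the advisory does not mention (e.g. a future 10.8) are not
    # assumed safe; they need a manual check against the current advisory.
    return "unknown-branch"


def recommended_action(product, status):
    """Pair each status with the advisory's remediation and interim workaround."""
    if status == "fixed":
        return "none"
    if status == "unknown-branch":
        return "check branch against the current HPE advisory"
    action = "upgrade to a fixed, supported release"
    if product == "Instant AOS":
        return action + "; interim: enable cluster-security"
    return action + "; interim: block UDP/8211 (PAPI) from untrusted networks"


# Constructed sample inventory (hostname, product line, firmware version).
SAMPLE_INVENTORY = """\
ap-lobby-1,AOS,10.6.0.2
ap-lobby-2,AOS,10.6.0.3
ap-warehouse,Instant AOS,8.10.0.13
ap-branch-7,Instant AOS,8.11.1.0
ap-lab,AOS,10.7.0.0
"""


def triage(inventory_csv):
    """Map hostname -> (status, action) for every row of the inventory."""
    report = {}
    for line in inventory_csv.strip().splitlines():
        name, product, version = (f.strip() for f in line.split(","))
        status = assess(product, version)
        report[name] = (status, recommended_action(product, status))
    return report


if __name__ == "__main__":
    for name, (status, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {status:15} {action}")
```

The tables are deliberately keyed on the "major.minor" branch rather than on a single global threshold, because the advisory fixes each branch independently; a version on a branch the advisory does not list is reported as unknown rather than assumed safe.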

Critical VMWare vCenter Server Flaw (CVE-2024-38812)

Summary

Broadcom released a critical security update for VMware vCenter Server to address a high-severity vulnerability that could allow remote code execution (RCE). In addition to CVE-2024-38812, a privilege escalation vulnerability (CVE-2024-38813) has also been patched. vCenter Server installations must be updated to the latest versions immediately.

Risk Score

CVE-ID            CVSSv3 Score
CVE-2024-38812    9.8
CVE-2024-38813    7.3

Vulnerability Details

Broadcom issued a security patch for VMware vCenter Server to mitigate the critical vulnerability CVE-2024-38812, a heap overflow in the DCE/RPC protocol implementation. A malicious actor could exploit this flaw in a low-complexity attack that requires no user interaction by sending specially crafted network packets, leading to remote code execution.

Broadcom also provided a patch for a privilege escalation vulnerability (CVE-2024-38813) with a CVSS score of 7.5, which could allow an attacker to escalate privileges to root. This flaw, along with CVE-2024-38812, was discovered by security researchers from Team TZL during the Matrix Cup cybersecurity competition in June 2024.

Affected Products

  • vCenter Server versions 7.0 and 8.0
  • VMware Cloud Foundation versions 4.x and 5.x

Solution

  • vCenter Server 8.0: Fixed in version 8.0 U3b
  • vCenter Server 7.0: Fixed in version 7.0 U3s
  • VMware Cloud Foundation 5.x: Fixed in 8.0 U3b as an asynchronous patch
  • VMware Cloud Foundation 4.x: Fixed in 7.0 U3s as an asynchronous patch

Recommendations

  • Update vCenter Server and VMware Cloud Foundation to the latest versions as specified above.
  • Regularly monitor systems for potential exploits and ensure that only trusted network connections are allowed to access vCenter services.
  • Strictly control network perimeter access to vSphere management components and interfaces, including storage and network components.

Microsoft Zero-Days and Related Vulnerabilities

SUMMARY

Microsoft’s September 2024 Patch Tuesday release addresses 79 security vulnerabilities, including three actively exploited zero-day vulnerabilities and one publicly disclosed zero-day. The update also resolves 7 critical issues, each involving either remote code execution (RCE) or privilege escalation.

The full report is here:

https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Microsoft-Patch-Tuesday-September-2024.html

The number of bugs in each vulnerability category is listed below:

  • 30 Elevation of Privilege Vulnerabilities
  • 4 Security Feature Bypass Vulnerabilities
  • 23 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 8 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities

Zero-day Vulnerabilities fixed:

Microsoft classifies a zero-day vulnerability as one that is either publicly disclosed or actively exploited while no official fix is available.

RISK SCORING

CVE-ID            CVSSv3 Score
CVE-2024-38014    7.8
CVE-2024-38217    5.4
CVE-2024-38226    7.3
CVE-2024-43491    9.8

VULNERABILITY DETAILS

The three actively exploited zero-day vulnerabilities patched in last Tuesday’s updates are:

  1. CVE-2024-38014 – Windows Installer Elevation of Privilege Vulnerability: This flaw allows attackers to gain SYSTEM privileges on Windows systems. Microsoft hasn’t provided details on how it was used in attacks.
  2. CVE-2024-38217 – Windows Mark of the Web (MOTW) Security Bypass Vulnerability: Publicly disclosed by Joe Desimone of Elastic Security, this flaw has likely been exploited since 2018. Desimone’s report outlines ‘LNK stomping,’ a technique using specially crafted LNK files to bypass Smart App Control and MOTW security warnings, allowing malicious files to be opened without alerts.
  3. CVE-2024-38226 – Microsoft Publisher Security Feature Bypass Vulnerability: This vulnerability allows attackers to bypass Office macro policies that block untrusted or malicious files. Microsoft has not revealed the source of this discovery or how it was exploited.

PUBLICLY DISCLOSED ZERO-DAY

CVE-2024-43491 – Microsoft Windows Update Remote Code Execution Vulnerability

This flaw in the servicing stack, although labeled as remote code execution, actually rolls back fixes for older vulnerabilities in certain Windows components. It affects Windows 10 version 1507 (released in July 2015) and still-supported editions based on it, such as Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB. Microsoft clarified that, while the flaw reintroduces previously exploited vulnerabilities, there is no evidence it was known or exploited externally before Microsoft discovered it internally. According to Microsoft’s advisory, systems that installed updates from the March 2024 security update (KB5035858) through August 2024 had previously mitigated flaws reintroduced in components such as Active Directory Lightweight Directory Services, Internet Explorer 11, and Windows Media Player.

RECOMMENDATIONS

  • Apply security patches to all affected systems.
  • CVE-2024-43491 is resolved by installing both the September 2024 Servicing Stack Update (KB5043936) and the September 2024 Windows security update (KB5043083), in that order.