Security updates have been released for the ArubaOS firmware of devices from the HPE subsidiary. These updates aim to improve vulnerabilities that could potentially allow attackers to introduce malicious code into the network. IT managers are advised to download and apply the updates promptly.
In total, nine security gaps have been sealed by Aruba, with one just narrowly missing the “critical” risk rating. Four of these gaps are considered high-risk, while the remaining five are classified as medium-risk by the manufacturer.
One vulnerability of note is in the ArubaOS web-based management interface. It allows unauthenticated attackers to perform a Stored Cross-Site Scripting (XSS) attack on users of the web interface. This enables them to run arbitrary script code in a victim’s browser after a successful attack. Another vulnerability allows registered users to remotely inject commands into the web interface, which are executed as privileged users in the underlying operating system. Similar vulnerabilities can be found in the ArubaOS command line interface.
Aruba’s security notification states that HPE Aruba Mobility Conductor, Mobility Controller, as well as WLAN and SD-WAN gateways managed with Aruba Central, are affected. The vulnerable software versions include ArubaOS 10.4.0.1, 8.11.1.0, 8.10.0.6, and 8.6.0.20. Some of these vulnerabilities also impact older software versions that are no longer supported and will not receive updates to address the security holes. Only the latest software versions, starting from ArubaOS 10.4.0.2, 8.11.1.1, 8.10.0.7, and 8.6.0.21, are available to address these vulnerabilities.
Earlier in May, Aruba released updates for their access points to address critical security gaps that could have been exploited by attackers to compromise the devices.