These upgrades are available to customers through the Internet Provisioning Portal. Customers should upgrade their devices as soon as possible to prevent possible exploitation of these vulnerabilities. Additionally, these vulnerabilities are also addressed in the following releases:
- ArubaOS 10.4.x: 10.4.6.17 and below
- ArubaOS 10.5.x: 10.5.3.5 and below
- ArubaOS 10.6.x: 10.6.0.28 and below
- ArubaOS 10.7.x: 10.7.1.14 and below
- ArubaOS 10.8.x: 10.8.1.1 and below
- ArubaOS 10.9.x: 10.9.0.1 and below
- ArubaOS 10.10.x: 10.10.0.6 and below
- ArubaOS 11.0.x: 11.0.0.0 and below

There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6
Summary of Reported Vulnerabilities
Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5-0-1-15 and below; ArubaOS 10.6.x: 10.6.0-28 and below; ArubaOS 10.7
Hardware and Software Requirements
The vulnerabilities addressed in this advisory affect the following operating systems: Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5
Hardware requirements for these vulnerabilities are as follows:
- For Aruba InstantOS 6.4 and below, all models need to be upgraded to the latest available minor release (6.5).
- For Aruba InstantOS 6.5, only devices with the "PCIe" or "Express" network card need updating (as per the release notes).
Software requirements are as follows:
- For Aruba InstantOS 6.x releases, software versions need to be at least 12 hours old on the system (that is, they must have been installed on the device already before June 16th 2018).
Concerns for Aruba Networks customers
Customers are encouraged to upgrade their devices as soon as possible and contact Aruba Networks Technical Support for assistance.
Vulnerability details
The following vulnerabilities have been identified:
CVE-2022-37886 - Buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211).
ArubaOS 10.4.x: 10.4.6.17 and below; ArubaOS 10.5.x: 10.5.3.5 and below; ArubaOS 10.6.x: 10.6.0.28 and below; ArubaOS 10.7.x: 10.7.1.14 and below; ArubaOS 10.8.x: 10.8.1.1 and below; ArubaOS 10.9.x: 10.9.0.1 and below; ArubaOS 11.0.x: 11.0.0.0 and below
There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below
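The version lists in this advisory mix dotted and hyphenated build strings ("6.4.4.8-4.2.4.20", "10.6.0-28", "6.5-0-1-15"), which makes a naive string comparison unreliable when checking an AP inventory. The following is an added example, not Aruba's code: it transcribes the advisory's ceilings (each listed release and everything below it in the same branch), normalises both separators to numeric components, and reports which inventory entries fall at or below a ceiling. Reading the list as "branch prefix, then numeric comparison" is an assumption about how the advisory is meant to be applied, and the inventory records are constructed sample data.

```python
"""Affected-version check for the ArubaOS / InstantOS PAPI advisory.

Added example, not Aruba's code. Ceilings are transcribed from the advisory's
version lists; the branch-match-then-numeric-compare logic is an assumption.
"""
import re

# Highest affected build per branch, transcribed from the advisory
# (InstantOS 6.4.x / 6.5.x and ArubaOS 10.4.x through 11.0.x).
AFFECTED_CEILINGS = {
    "InstantOS": {
        "6.4": "6.4.4.8-4.2.4.20",
        "6.5": "6.5-0-1-15",
    },
    "ArubaOS": {
        "10.4": "10.4.6.17",
        "10.5": "10.5.3.5",
        "10.6": "10.6.0.28",
        "10.7": "10.7.1.14",
        "10.8": "10.8.1.1",
        "10.9": "10.9.0.1",
        "10.10": "10.10.0.6",
        "11.0": "11.0.0.0",
    },
}


def parse_version(text):
    """Split an Aruba build string into a list of ints.

    '.' and '-' are treated as equivalent separators, so "10.6.0-28" and
    "10.6.0.28" parse identically. A trailing non-numeric suffix (e.g. a
    "-FIPS" tag) ends the numeric part instead of raising.
    """
    numbers = []
    for part in re.split(r"[.\-]", text.strip()):
        match = re.match(r"\d+", part)
        if not match:
            break
        numbers.append(int(match.group()))
    if not numbers:
        raise ValueError(f"no numeric version in {text!r}")
    return numbers


def compare(a, b):
    """Return -1, 0 or 1; shorter versions are padded with zeros ("11.0" == "11.0.0.0")."""
    width = max(len(a), len(b))
    a = a + [0] * (width - len(a))
    b = b + [0] * (width - len(b))
    return (a > b) - (a < b)


def is_affected(product, version):
    """True/False if the branch is listed in the advisory, None if it is not.

    None means "not covered by this advisory's list", which is not the same
    as "safe"; callers should surface those hosts separately.
    """
    parsed = parse_version(version)
    branch = ".".join(str(n) for n in parsed[:2])
    ceiling = AFFECTED_CEILINGS.get(product, {}).get(branch)
    if ceiling is None:
        return None
    return compare(parsed, parse_version(ceiling)) <= 0


# Constructed sample inventory: (hostname, product, running build).
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "ArubaOS", "10.6.0-28"),       # exactly at the ceiling
    ("ap-lobby-02", "ArubaOS", "10.6.0.29"),       # one build above
    ("iap-branch-07", "InstantOS", "6.4.4.8-4.2.4.19"),
    ("iap-branch-08", "InstantOS", "6.5-0-1-16"),
    ("ap-lab-03", "ArubaOS", "8.10.0.4"),          # branch not in the advisory
]


def triage(inventory):
    """Return (affected_hosts, unknown_hosts), each sorted by hostname."""
    affected, unknown = [], []
    for host, product, build in inventory:
        verdict = is_affected(product, build)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
    return sorted(affected), sorted(unknown)


if __name__ == "__main__":
    hit, unk = triage(SAMPLE_INVENTORY)
    print("at or below an affected ceiling:", hit)
    print("branch not listed in advisory:", unk)
```

Hosts whose branch is absent from the advisory are reported as unknown rather than silently dropped; a branch-only check on the "affected releases" list is a common way to miss devices that sit on an unlisted train.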
Timeline
Published on: 10/07/2022 18:15:00 UTC
Last modified on: 10/11/2022 17:50:00 UTC