These upgrades are available to customers through the Internet Provisioning Portal. Customers should upgrade their devices as soon as possible to prevent possible exploitation of these vulnerabilities. These vulnerabilities are also addressed in the following releases: ArubaOS 10.4.x: 10.4.6.17 and below; ArubaOS 10.5.x: 10.5.3.5 and below; ArubaOS 10.6.x: 10.6.0.28 and below; ArubaOS 10.7.x: 10.7.1.14 and below; ArubaOS 10.8.x: 10.8.1.1 and below; ArubaOS 10.9.x: 10.9.0.1 and below; ArubaOS 10.10.x: 10.10.0.6 and below; ArubaOS 11.0.x: 11.0.0.0 and below. There are buffer overflow vulnerabilities in multiple underlying services that could lead to unauthenticated remote code execution by sending specially crafted packets destined for the PAPI (Aruba Networks AP management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6

What to do if you are currently using an Aruba product

If you are currently using Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below, or Aruba InstantOS 6.5.x: 6.5, take the following steps to upgrade your devices as soon as possible:

1) Upgrade to ArubaOS 10.6 or a later release to address the vulnerabilities fixed in this release and any future vulnerability associated with CVE-2022-37889;
2) Upgrade the firmware of devices running Aruba InstantOS 6.4 to a release that fixes the vulnerabilities addressed in this release;
3) Upgrade the firmware of devices running Aruba InstantOS 6.5 to a release that fixes the vulnerabilities addressed in this release;
4) Administrators can contact support@arubanetworksupportcenter if they need additional assistance with upgrading their devices or still have questions about these vulnerabilities, including how these vulnerabilities may be exploited.

Summary of the vulnerabilities

Buffer overflow vulnerabilities exist in the PAPI (Aruba Networks AP management protocol) UDP port (8211). These vulnerabilities are addressed in Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.0, 6.5p1, and 6.5r1; Aruba InstantOS 7: 7a and below; Aruba InstantOS 8: 8a and below; Aruba InstantOS 9: 9a and below; Aruba InstantOS 10: 10a and below; Aruba InstantOS 11: 11b and below.

How to Get Started

If you are running Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below, or Aruba InstantOS 6.5.x: 6.5, you should upgrade your devices to Aruba InstantOS 10.0 or 10.1 as soon as possible to prevent exploitation of these vulnerabilities in the future. These vulnerabilities are also addressed in the following releases: Aruba OS 10.4-10: 10.6-10; Aruba OS 11-11: 11

Summary of Vulnerabilities - CVE-2017-8852

These vulnerabilities are exploitable only if the device is running ArubaOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.1-6 and below; Aruba InstantOS 6.6.x: 6.6-3 and below; or Aruba InstantOS 7.*: 7.*-1, 2, 3, 4, 5, and below.

Timeline

Published on: 10/07/2022 18:15:00 UTC
Last modified on: 11/09/2022 03:59:00 UTC

References