Users are advised to upgrade their Aruba InstantOS devices to the latest available software version. Additionally, users can limit the exposure of their systems to these security vulnerabilities by strictly enforcing firewall rules and restricting unnecessary remote access to their Aruba InstantOS systems.

Aruba has released an upgrade for ArubaOS 10.2.x, 10.3.x, 10.4.x, 10.5.x and 10.6.x that addresses these security vulnerabilities. Users are advised to upgrade their ArubaOS devices to the latest available version. Additionally, users can limit the exposure of their systems to these security vulnerabilities by strictly enforcing firewall rules and restricting unnecessary remote access to their ArubaOS systems.

NCC researchers have discovered that Aruba InstantOS devices are vulnerable to a series of buffer overflow vulnerabilities. These vulnerabilities can be exploited by an unauthenticated attacker to execute arbitrary commands on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x

Description of the Vulnerabilities

Aruba has released an upgrade for ArubaOS 10.2.x, 10.3.x, 10.4.x, 10.5.x and 10.6.x that addresses these security vulnerabilities, as well as a network-based workaround for the vulnerabilities in Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x.

Is your Aruba device vulnerable?

To determine if your device is vulnerable, please refer to the following list:
- Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below
- Aruba InstantOS 6.5.x: 6.5.4.23 and below
- Aruba InstantOS 8.6.x: 8.6.0.18 and below
- Aruba InstantOS 8.7.x: 8.7.1.9 and below
- Aruba InstantOS 8.10.x: 8.10.0.1 and below
- ArubaOS 10.3.x

In a nutshell, if the software version your device is running appears on this list, it is exposed to these vulnerabilities. Unless you have upgraded your system to the latest version of the Aruba software or applied the patch for these vulnerabilities, your system is at risk!
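To check a running firmware version against the affected ranges listed above, here is an added Python helper (not from the advisory and not Aruba's own tooling). It assumes the version strings on this page are exact ceilings ("and below" is inclusive), compares only the first half of the combined build string "6.4.4.8-4.2.4.20" (an assumption about that format), and does not model ArubaOS 10.3.x, which the page lists without a ceiling.

```python
import re
from typing import Optional, Tuple

# Affected ceilings copied from the advisory's list: branch prefix -> highest
# affected version in that branch. Anything in the branch at or below the
# ceiling is affected.
AFFECTED_CEILINGS = {
    "6.4": "6.4.4.8-4.2.4.20",
    "6.5": "6.5.4.23",
    "8.6": "8.6.0.18",
    "8.7": "8.7.1.9",
    "8.10": "8.10.0.1",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert a dotted version string to a tuple of ints.

    Comparing as ints matters: as strings, "8.10.0.10" < "8.10.0.2", which
    would wrongly mark a newer build as affected. A '-suffix' (the second
    half of '6.4.4.8-4.2.4.20') is dropped before parsing (assumption).
    """
    base = text.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", base):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in base.split("."))


def branch_of(version: Tuple[int, ...]) -> str:
    """Return the 'major.minor' branch used as the lookup key."""
    return ".".join(str(n) for n in version[:2])


def is_affected(version: str) -> Optional[bool]:
    """True  -> in a listed branch and at or below its ceiling (affected).
    False -> in a listed branch but above the ceiling (fixed build).
    None  -> branch not covered by this page's list; check the advisory.
    """
    running = parse_version(version)
    ceiling_text = AFFECTED_CEILINGS.get(branch_of(running))
    if ceiling_text is None:
        return None
    ceiling = parse_version(ceiling_text)
    # Zero-pad so that a short string like "8.6" compares as 8.6.0.0.
    width = max(len(running), len(ceiling))
    running += (0,) * (width - len(running))
    ceiling += (0,) * (width - len(ceiling))
    return running <= ceiling
```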

Summary of vulnerabilities

Aruba InstantOS devices are vulnerable to a series of buffer overflow vulnerabilities. These vulnerabilities can be exploited by an unauthenticated attacker to execute arbitrary commands on the underlying operating system of the affected Aruba software, including Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; Aruba InstantOS 8.6.x: 8.6.0.18 and below; Aruba InstantOS 8.7.x: 8.7.1.9 and below; Aruba InstantOS 8.10.x: 8.10.0.1 and below; ArubaOS 10.3.x.

Vulnerability Overview

Unauthenticated attackers can exploit these vulnerabilities by sending crafted packets to the network interface of an Aruba InstantOS device. Vulnerable devices can be exploited remotely via a vulnerability in the web-based management interface (WBMUI), or by first compromising a system that uses this interface as a gateway.

The first vulnerability is a buffer overflow in the TCP/IP implementation of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS 6.5.x: 6.5.4.23 and below; and the Aruba InstantOS 8.x versions listed above.

Timeline

Published on: 10/07/2022 18:15:00 UTC
Last modified on: 11/09/2022 03:59:00 UTC
