Aruba Networks has released a security advisory to inform customers of six critical-severity vulnerabilities affecting multiple versions of ArubaOS, its proprietary network operating system.

The flaws affect Aruba Mobility Conductor, Aruba Mobility Controllers, and Aruba-managed WLAN and SD-WAN gateways.

Aruba Networks is a California subsidiary of Hewlett Packard Enterprise, specializing in computer networks and wireless connectivity solutions.

The critical flaws addressed by Aruba this time can be separated into two categories: command injection flaws and stack-based buffer overflow issues in the PAPI protocol (Aruba Networks Access Point Management Protocol ).

All flaws were discovered by security analyst Erik de Jong, who reported them to the vendor through the official bug bounty program.

Command injection vulnerabilities are tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749And CVE-2023-22750with a CVSS v3 rating of 9.8 out of 10.0.

A remote, unauthenticated attacker can exploit them by sending specially crafted packets to the PAPI over UDP port 8211, which results in the execution of arbitrary code as a privileged user on ArubaOS.

Stack-based buffer overflow bugs are tracked as CVE-2023-22751 And CVE-2023-22752and also have a CVSS v3 rating of 9.8.

These flaws are exploitable by sending specially crafted packets to the PAPI via UDP port 8211, allowing remote, unauthenticated attackers to execute arbitrary code as privileged users on ArubaOS.

The affected versions are:

• ArubaOS 8.6.0.19 and earlier
• ArubaOS 8.10.0.4 and earlier
• ArubaOS 10.3.1.0 and earlier
• SD-WAN 8.7.0.0-2.3.0.8 and earlier

The target upgrade versions, according to Aruba, should be:

• ArubaOS 8.10.0.5 and above
• ArubaOS 8.11.0.0 and above
• ArubaOS 10.3.1.1 and higher
• SD-WAN 8.7.0.0-2.3.0.9 and later

Unfortunately, several product versions that have reached end of life (EoL) are also affected by these vulnerabilities and will not receive a patch update. These are:

• ArubaOS 6.5.4.x
• ArubaOS 8.7.xx
• ArubaOS 8.8.xx
• ArubaOS 8.9.xx
• SD-WAN 8.6.0.4-2.2.xx

A workaround for system administrators who cannot apply security updates or who use EoL devices is to enable “Enhanced PAPI Security” mode using a non-default key.

However, applying the mitigations does not resolve the remaining 15 high-severity and eight medium-severity vulnerabilities listed in Aruba Safety Noticewhich are corrected by the new versions.

Aruba states that it is not aware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the advisory’s publication date, February 28, 2022.