Critical Vulnerabilities in ArubaOS

Published on 02 Mar 2023 | Updated on 02 Mar 2023

Aruba Networks has released security updates addressing six critical vulnerabilities in its operating system, ArubaOS.

Four of the vulnerabilities are command injection flaws (CVE-2023-22747, CVE-2023-22748, CVE-2023-22749 and CVE-2023-22750) and two are stack-based buffer overflows (CVE-2023-22751 and CVE-2023-22752). All six are in PAPI, the Aruba Networks access point management protocol.

Successful exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code as a privileged user on the underlying operating system. No credentials or user interaction are needed: the attacker only has to deliver specially crafted packets to the PAPI service, which listens on UDP port 8211, so any network that can reach that port on an affected device is an attack surface.

The following ArubaOS and Aruba SD-WAN versions are affected. The trains marked End of Life (EoL) will not receive a fix:

  • ArubaOS 8.6.0.19 and below
  • ArubaOS 8.10.0.4 and below
  • ArubaOS 10.3.1.0 and below
  • SD-WAN 8.7.0.0-2.3.0.8 and below
  • ArubaOS 6.5.4.x (EoL)
  • ArubaOS 8.7.x.x (EoL)
  • ArubaOS 8.8.x.x (EoL)
  • ArubaOS 8.9.x.x (EoL)
  • SD-WAN 8.6.0.4-2.2.x.x (EoL)

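To turn the list above into something that can be run against a device inventory, here is an added Python example (not Aruba's tooling and not part of the advisory). It parses ArubaOS and SD-WAN version strings and classifies each build as affected, affected with no fix available (EoL), fixed, or not listed. The hostnames and versions in the sample inventory are constructed test data, and the reading that each "and below" range applies only to its own release train (so a build on an unlisted train such as 10.4 is reported as "not-listed" rather than assumed safe) is an assumption taken from how the advisory groups the versions.

```python
"""Triage ArubaOS / Aruba SD-WAN builds against the ranges quoted from
ARUBA-PSA-2023-002. Added example, not Aruba's own tooling. The inventory
at the bottom is constructed test data, not observed devices."""

from __future__ import annotations

# Supported ArubaOS trains: (train prefix, highest affected build).
# Builds on the train at or below the second element are vulnerable;
# anything newer on the same train carries the fix.
ARUBAOS_SUPPORTED = [
    ((8, 6), (8, 6, 0, 19)),
    ((8, 10), (8, 10, 0, 4)),
    ((10, 3), (10, 3, 1, 0)),
]
# End-of-life trains: every build is affected and no fix will ship.
ARUBAOS_EOL = [(6, 5, 4), (8, 7), (8, 8), (8, 9)]

# SD-WAN builds are "<ArubaOS base>-<SD-WAN image>", e.g. 8.7.0.0-2.3.0.8.
# Supported: (base, image train, highest affected image). EoL: (base, image train).
SDWAN_SUPPORTED = [((8, 7, 0, 0), (2, 3), (2, 3, 0, 8))]
SDWAN_EOL = [((8, 6, 0, 4), (2, 2))]

STATUS_ACTION = {
    "affected": "upgrade to a fixed release",
    "affected-eol": "no fix: enable Enhanced PAPI Security with a non-default key, then migrate",
    "fixed": "none",
    "not-listed": "train not in advisory; confirm against vendor notes",
}
SEVERITY = {"affected-eol": 0, "affected": 1, "not-listed": 2, "fixed": 3}


def parse(version: str) -> tuple[int, ...]:
    """'8.10.0.4' -> (8, 10, 0, 4). Tuples compare element-wise, which is
    exactly the ordering that 'x.y.z.w and below' needs."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {version!r}")
    return tuple(int(p) for p in parts)


def on_train(v: tuple[int, ...], train: tuple[int, ...]) -> bool:
    return v[: len(train)] == train


def classify_arubaos(version: str) -> str:
    v = parse(version)
    if any(on_train(v, t) for t in ARUBAOS_EOL):
        return "affected-eol"
    for train, last_bad in ARUBAOS_SUPPORTED:
        if on_train(v, train):
            return "affected" if v <= last_bad else "fixed"
    return "not-listed"


def classify_sdwan(version: str) -> str:
    base_s, sep, image_s = version.partition("-")
    if not sep:
        raise ValueError(f"SD-WAN build must be '<base>-<image>': {version!r}")
    base, image = parse(base_s), parse(image_s)
    if any(base == b and on_train(image, t) for b, t in SDWAN_EOL):
        return "affected-eol"
    for b, t, last_bad in SDWAN_SUPPORTED:
        if base == b and on_train(image, t):
            return "affected" if image <= last_bad else "fixed"
    return "not-listed"


def classify(product: str, version: str) -> str:
    if product == "ArubaOS":
        return classify_arubaos(version)
    if product == "SD-WAN":
        return classify_sdwan(version)
    raise ValueError(f"unknown product: {product!r}")


def triage(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """Return (hostname, status, action) for every device, worst first."""
    rows = []
    for d in inventory:
        status = classify(d["product"], d["version"])
        rows.append((d["host"], status, STATUS_ACTION[status]))
    return sorted(rows, key=lambda r: SEVERITY[r[1]])


# Constructed sample inventory (hypothetical hostnames and builds).
INVENTORY = [
    {"host": "mc-dc1", "product": "ArubaOS", "version": "8.10.0.4"},
    {"host": "mc-dc2", "product": "ArubaOS", "version": "8.10.0.5"},
    {"host": "mc-branch", "product": "ArubaOS", "version": "8.7.1.9"},
    {"host": "gw-wan", "product": "SD-WAN", "version": "8.7.0.0-2.3.0.8"},
    {"host": "mc-lab", "product": "ArubaOS", "version": "10.4.0.0"},
]

if __name__ == "__main__":
    for host, status, action in triage(INVENTORY):
        print(f"{host:10} {status:13} {action}")
```

The "not-listed" outcome is deliberate: a build on a train the advisory does not name is neither vulnerable nor safe as far as this page can tell, so it is surfaced for a manual check rather than silently treated as fixed.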

Users and administrators of affected product versions are advised to upgrade to a fixed version immediately. For versions that have reached EoL, no fix will be released; the only available mitigation is to enable "Enhanced PAPI Security" mode using a non-default key. This is a workaround rather than a patch, and should be paired with a plan to migrate off the EoL release.

More information is available here:

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt

https://www.bleepingcomputer.com/news/security/aruba-networks-fixes-six-critical-vulnerabilities-in-arubaos/