The onslaught of easily exploitable software vulnerabilities affecting critical software systems and communications infrastructure continues to take the news spotlight. Namely, these are software vulnerabilities affecting the software that runs critical hardware components like routers, chipsets, and even robotics controllers. News of such ‘bugs’ and security flaws has been rife across company security advisory portals and vulnerability databases. 2021 has been a difficult year for the cybersecurity sector, to say the least. According to the official ‘Community-Developed List of Software & Hardware Weakness Types’ (CWE), among the top software weaknesses of 2021 are: out-of-bounds write, improper neutralization, out-of-bounds read, and improper input validation.
Yet again, another batch of software vulnerabilities affecting a very significant company has been discovered by security researchers. The software vulnerabilities have been found in Aruba Networks’ ArubaOS product. Fortunately, the issues have been patched; however, systems that have not been updated to the security fix detailed in the next sections remain vulnerable to complete system compromise.
Who Are Aruba Networks?
Aruba Networks is a global leader in wireless, wired, and SD-WAN solutions that utilize artificial intelligence to automate and secure networks from edge to cloud. According to their official website, Aruba Networks provides the following products and solutions: wireless products, switches, SD-WAN, security threat management, Aruba ESP (Edge Services Platform), and much more. Hewlett Packard Enterprise-owned Aruba Networks is based in California, U.S., and is a multi-billion dollar company that employs over 6000 people.
More About The Software Vulnerabilities
On August 31st, 2021 an official report belonging to the Aruba Product Security Advisory was released. The report reveals that multiple vulnerabilities were discovered, mainly affecting the Aruba operating system. There are a total of 10 vulnerabilities reported, among which a few are worthy of special attention. One of these vulnerabilities is classified as critical, while the others range between high and medium severity.
As far as the critical vulnerability is concerned, the technical details gathered in the report state that this vulnerability is a buffer overflow in the PAPI protocol. This vulnerability, tracked as CVE-2021-37716, allows a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to a boundary error when processing PAPI packets. A remote attacker can send a specially crafted PAPI packet to port 8211/UDP, trigger memory corruption and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in a complete compromise of a vulnerable system.
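To make the "boundary error when processing packets" concrete, here is an added illustration in C that is not code from Aruba or from the advisory. It uses a hypothetical two-byte length-prefixed datagram layout (constructed for this example; it is not the real PAPI format) and shows a parser that trusts the declared length next to a hardened parser that checks the declared length against both the destination buffer and the number of bytes actually received. The function and struct names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical datagram layout, constructed for illustration (NOT the real PAPI format):
 *   bytes 0-1 : little-endian declared payload length
 *   bytes 2.. : payload
 */
#define HDR_LEN     2
#define MAX_PAYLOAD 64

struct parsed_pkt {
    uint16_t      declared_len;
    unsigned char payload[MAX_PAYLOAD];
};

/* Boundary error: the declared length is trusted, so a crafted header makes memcpy
 * write past 'payload' (and read past the datagram). This is the class of defect
 * the advisory describes, shown on a toy format. */
int parse_unchecked(const unsigned char *pkt, size_t pkt_len, struct parsed_pkt *out)
{
    if (pkt_len < HDR_LEN)
        return -1;
    out->declared_len = (uint16_t)(pkt[0] | (pkt[1] << 8));
    memcpy(out->payload, pkt + HDR_LEN, out->declared_len); /* no bounds check */
    return 0;
}

/* Hardened: the declared length must fit the destination buffer AND the bytes received. */
int parse_checked(const unsigned char *pkt, size_t pkt_len, struct parsed_pkt *out)
{
    if (pkt == NULL || out == NULL || pkt_len < HDR_LEN)
        return -1;                                   /* malformed or missing header */
    uint16_t len = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if (len > MAX_PAYLOAD)
        return -2;                                   /* would overflow 'payload' */
    if ((size_t)len > pkt_len - HDR_LEN)
        return -3;                                   /* would read beyond the datagram */
    out->declared_len = len;
    memcpy(out->payload, pkt + HDR_LEN, len);
    return 0;
}

/* Constructed sample datagrams: one well-formed, one with an oversized declared length,
 * one whose declared length exceeds the bytes actually present. */
int demo_benign(void)
{
    const unsigned char pkt[] = { 0x03, 0x00, 'a', 'b', 'c' };
    struct parsed_pkt p;
    return parse_checked(pkt, sizeof pkt, &p);       /* 0 */
}

int demo_oversized(void)
{
    const unsigned char pkt[] = { 0xff, 0xff, 'a', 'b', 'c' };
    struct parsed_pkt p;
    return parse_checked(pkt, sizeof pkt, &p);       /* -2 */
}

int demo_truncated(void)
{
    const unsigned char pkt[] = { 0x10, 0x00, 'a', 'b', 'c' };
    struct parsed_pkt p;
    return parse_checked(pkt, sizeof pkt, &p);       /* -3 */
}

int main(void)
{
    /* The unchecked parser is only ever fed the benign datagram here. */
    const unsigned char benign[] = { 0x03, 0x00, 'a', 'b', 'c' };
    struct parsed_pkt p;
    printf("unchecked on benign input: %d\n", parse_unchecked(benign, sizeof benign, &p));
    printf("checked benign: %d, oversized: %d, truncated: %d\n",
           demo_benign(), demo_oversized(), demo_truncated());
    return 0;
}
```

The two checks in parse_checked are the ones a reviewer looks for in any datagram parser: the length field must be bounded by the fixed-size destination and by the size of the datagram the socket actually delivered, since an attacker controls both the header and how short the packet really is.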
Vulnerable Software Versions
It is crucial that ArubaOS (Operating System) users are informed about the software versions that are currently affected by this vulnerability and can potentially be compromised by a remote attacker:
- ArubaOS 8.3.0.x: 22.214.171.124 and below
- ArubaOS 8.5.0.x: 126.96.36.199 and below
- ArubaOS 8.6.0.x: 188.8.131.52 and below
- ArubaOS 8.7.x.x: 184.108.40.206 and below
- SD-WAN-2.2.x.x: 220.127.116.11-18.104.22.168 and below
Important User Information
The following is extremely important information for users of the vulnerable ArubaOS versions listed in the above section. As of now, this software vulnerability has been confirmed as patched (fixed). As per the official report, Aruba Networks is unaware that any of these vulnerabilities have been exploited as of yet. Users must update to the latest software version to mitigate the issue, listed below:
- ArubaOS 8.3.0.x: 22.214.171.124 and above
- ArubaOS 8.5.0.x: 126.96.36.199 and above
- ArubaOS 8.6.0.x: 188.8.131.52 and above
- ArubaOS 8.7.x.x: 184.108.40.206 and above
- ArubaOS 8.8.0.x: 220.127.116.11 and above
- SD-WAN-2.2.x.x: 18.104.22.168-22.214.171.124 and above
- SD-WAN-2.3.x.x: 126.96.36.199-188.8.131.52 and above
Note: The operating system should automatically notify users to update. Alternatively, a manual update should be applied according to the information in the vulnerability report.