HPE Critical RCE Vulnerability

By Kalani Anderson on November 15, 2024

Executive Summary

On November 11, 2024, Hewlett Packard Enterprise (HPE) released a security patch to address several critical vulnerabilities impacting their Aruba Networking Access Point devices.  The vulnerabilities, CVE-2024-42509 and CVE-2024-47460, both allowed for threat actors to obtain system privileges to carry out remote code execution (RCE) attacks against impacted systems.  Users are highly encouraged to update their devices to the most current fixed version as well as harden their systems through UDP port configuration.

Background

HPE is a global edge-to-cloud computing company that provides data services including connection, protection and data analysis [1].  HPE offers several products including the HPE Aruba Networking Access Point (AP), which expands and improves the network capacity of organizations [2].  APs are devices that allow wireless devices to connect to wired networks.  An example is a personal laptop connecting to the WiFi AP in a coffee shop.  Both vulnerabilities were initially discovered through HPE’s Aruba Networking bug bounty program, which encourages users to disclose critical vulnerabilities they discover for a cash reward [3].

Both CVE-2024-42509 and CVE-2024-47460 are described as command injection vulnerabilities that reside in the command line interface (CLI) service on the Aruba APs.  CVE-2024-42509 was given a base score of 9.8 (critical) and a CVSS vector of /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability did not require user interaction or privileges to have a high impact on the confidentiality, integrity and availability of services [4].  In comparison, CVE-2024-47460 was given a base score of 9.0 (critical) and a CVSS vector of /AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating that the vulnerability also did not require user engagement or additional privileges to be executed; however, the attack complexity is ranked as high, making it more difficult to carry out than CVE-2024-42509 [5].

Exploitation

While it is believed that the vulnerabilities have not been exploited yet, it has been determined that they could be exploited by crafting and sending malicious network packets to the APs.  Once crafted, packets would be sent to the PAPI (Aruba AP’s Management Protocol) UDP port 8211.  Successful exploitation would allow threat actors to obtain privileged user credentials and carry out remote code execution attacks on the operating system [5].

Significance and Impact

Both vulnerabilities pose a significant threat if the exploit is successful due to the nature of APs.  Access points are extremely important to secure because they can provide access for threat actors to secure networks.  The potential impact that a successful exploit has is extremely dangerous for an organization connected to that AP.  If successful, threat actors can traverse across networks leading to further data loss, manipulation, and corruption, impacting both system users and the reputation of the organization if sensitive data is negatively impacted [6].

Mitigation

To mitigate the risk posed by the vulnerabilities, owners of Aruba Networking APs running Instant AOS-8 or AOS-10 are strongly encouraged to update their devices if they are using any of the following [7]:

AOS-10.4.x.x: 10.4.1.14 and below

Instant AOS-8.12.x.x: 8.12.0.2 and below

Instant AOS-8.10.x.x: 8.10.0.13 and below

Additionally, users who are unable to apply the security patch can implement one of two workarounds: enabling cluster security for devices that are using AOS-8, and blocking access to UDP port 8211 from any untrusted network for devices using AOS-10 [8].
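The version list and workarounds above can be turned into a fleet triage check. The following is an added example, not HPE tooling; the inventory, flow records, trusted management subnet and function names are constructed for illustration, and any release branch not in the list above is reported as "unlisted" rather than assumed safe.

```python
import ipaddress
# Highest affected release per branch, as listed on this page.
AFFECTED_MAX = {(10, 4): (10, 4, 1, 14), (8, 12): (8, 12, 0, 2), (8, 10): (8, 10, 0, 13)}
# Workarounds the page gives per major line, for devices that cannot be patched.
WORKAROUND = {8: "enable cluster security", 10: "block UDP 8211 from untrusted networks"}
PAPI_PORT = 8211

def firmware_status(version):
    """'affected', 'fixed', or 'unlisted' (branch not in the page's list)."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {version!r}")
    ceiling = AFFECTED_MAX.get(parts[:2])
    if ceiling is None:
        return "unlisted"
    return "affected" if parts <= ceiling else "fixed"

def untrusted_papi_sources(flows, trusted_cidrs):
    """Map each destination to the untrusted sources seen reaching UDP 8211."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    seen = {}
    for src, dst, proto, dport in flows:
        if proto != "udp" or dport != PAPI_PORT:
            continue
        if any(ipaddress.ip_address(src) in net for net in trusted):
            continue
        seen.setdefault(dst, set()).add(src)
    return seen

def triage(inventory, flows, trusted_cidrs):
    """Per AP: firmware status, applicable workaround, untrusted PAPI sources."""
    exposed = untrusted_papi_sources(flows, trusted_cidrs)
    report = {}
    for ap_ip, version in inventory:
        status = firmware_status(version)
        major = int(version.split(".")[0])
        report[ap_ip] = {
            "status": status,
            "workaround": WORKAROUND.get(major) if status == "affected" else None,
            "untrusted_sources": sorted(exposed.get(ap_ip, ())),
        }
    return report

# Constructed sample data (private and documentation address ranges, not real devices).
INVENTORY = [("10.20.0.11", "10.4.1.14"), ("10.20.0.12", "8.12.0.3"),
             ("10.20.0.13", "8.10.0.13"), ("10.20.0.14", "8.11.2.1")]
FLOWS = [("10.20.0.5", "10.20.0.11", "udp", 8211), ("203.0.113.50", "10.20.0.11", "udp", 8211),
         ("198.51.100.7", "10.20.0.13", "udp", 8211), ("203.0.113.50", "10.20.0.12", "tcp", 443)]
TRUSTED = ["10.20.0.0/24"]
```

An AP that is both "affected" and has a non-empty untrusted_sources list is the priority case: it runs a listed release and its PAPI port is already reachable from outside the trusted management subnet.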

Conclusion

HPE’s Critical RCE Vulnerability further demonstrates the importance of exercising safe cybersecurity practices through patch application and vulnerability awareness.  It is vital that organizations providing services to clients maintain their systems’ integrity by continuing to support the shortening of the vulnerability lifecycle.  Funding and encouraging individuals to find and disclose vulnerabilities gives organizations the ability to address and mitigate vulnerabilities in a timely fashion, ideally before they are exploited on their clients’ networks.  For users, maintaining system security by applying the released updates is essential.

References

[1] Hewlett Packard Enterprise. (n.d.). About us. https://www.hpe.com/us/en/about.html

[2] Hewlett Packard Enterprise. (n.d.). HPE Aruba Networking Access Points. https://www.hpe.com/us/en/aruba-access-points.html

[3] Bugcrowd. (2024, September 5). HPE Aruba Networking Product Public Program. https://bugcrowd.com/engagements/aruba-product-public

[4] NIST. (2024, November 5). CVE-2024-42509 Detail. https://nvd.nist.gov/vuln/detail/cve-2024-42509

[5] NIST. (2024, November 5). CVE-2024-47460 Detail. https://nvd.nist.gov/vuln/detail/cve-2024-47460

[6] Nile. (n.d.). What Is A Rogue Access Point & How To Protect Against Them. https://nilesecure.com/network-security/what-is-a-rogue-access-point-how-to-protect-against-them#:~:text=Data%20breaches&text=These%20unauthorized%20APs%20can%20provide,damage%20to%20the%20organization’s%20reputation

[7] Hewlett Packard Enterprise. (2024, November 5). Security Bulletin. https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US

[8] Ramos, A. (2024, November 7). CVE-2024-42509, CVE-2024-47460: Critical RCE Vulnerabilities Impacting HPE Aruba Networking Access Points. https://arcticwolf.com/resources/blog/cve-2024-42509-cve-2024-47460/