Multiple Vulnerabilities in ArubaNetworks Instant Access Point Could Allow for Arbitrary Code Execution
by CIRT Team
DESCRIPTION:
Multiple vulnerabilities have been discovered in ArubaNetwork’s Instant
Access Point that could allow for arbitrary code execution. Aruba (a
Hewlett Packard Enterprise company) is the worldwide second-largest
enterprise WLAN vendor. ArubaNetworks Instant Access Point is Wi-Fi
hardware which virtualizes Aruba Mobility Controller capabilities on
802.11 access points (APs). Successful exploitation of these
vulnerabilities could allow an attacker to execute arbitrary code in
context of the user running the application. Depending on the privileges
associated with the user, an attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.
Users whose accounts are configured to have fewer user rights on the
system could be less impacted than those who operate with administrative
user rights.
IMPACT:
SYSTEM AFFECTED:
Multiple vulnerabilities have been discovered in ArubaNetwork’s Instant
Access Point, the most severe of which could allow for arbitrary code
execution. Details of these vulnerabilities are as follows:
* An authenticated command injection vulnerability exists in the Aruba
Instant command line interface. Successful exploitation of these
vulnerabilities results in the ability to execute arbitrary commands as
a privileged user on the underlying operating system. This allows an
attacker to fully compromise the underlying access point operating
system. (CVE-2020-24635, CVE-2021-25146)
* There are multiple buffer overflow vulnerabilities that could lead to
unauthenticated remote code execution by sending especially crafted
packets destined to the PAPI (Aruba Networks AP management protocol) UDP
port (8211). Successful exploitation of these vulnerabilities results in
the ability to execute arbitrary code as a privileged user on the
underlying operating system. (CVE-2019-5319, CVE-2021-25144, CVE-2021-25149)
Successful exploitation of the most severe of these vulnerabilities
could allow for arbitrary code execution in the context of the logged-on
user. Depending on the privileges associated with the user, an attacker
could then install programs; view, change, or delete data; or create new
accounts with full user rights. Users whose accounts are configured to
have fewer user rights on the system could be less impacted than those
who operate with administrative user rights.
RECOMMENDATIONS:
We recommend the following actions be taken:
* Block external access at the network boundary, unless external parties
require service.
* Filter access to the affected computer at the network boundary if
global access isn’t needed. Restricting access to only trusted computers
and networks might greatly reduce the likelihood of a successful exploit.
* Deploy network intrusion detection systems to monitor network traffic
for malicious activity.
* Deploy NIDS to detect and block attacks and anomalous activity such as
requests containing suspicious network traffic.
REFERENCES:
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25149
Recommended Posts
Cyber Threat Alert: Surge in Attacks via Compromised Third-Party Service Providers
08 Feb 2024 - Articles, English articles, Security Advisories & Alerts
Subscribe here
MEMBER OF:
