Aruba Networks Patches Six Critical Vulnerabilities
March 1, 2023
Aruba Networks, a subsidiary of Hewlett Packard Enterprise, has released a security advisory addressing six critical-severity vulnerabilities that affect multiple versions of ArubaOS. The flaws, tracked as CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, CVE-2023-22750, CVE-2023-22751, and CVE-2023-22752, are command injection and stack-based buffer overflow bugs in the PAPI protocol. An unauthenticated remote attacker can exploit them by sending specially crafted packets to the PAPI service on UDP port 8211, leading to arbitrary code execution as a privileged user on ArubaOS. The vendor has released upgraded versions that fix the flaws; however, several affected product versions have reached End of Life (EoL) and will not receive a fix. As a workaround, system administrators can enable the “Enhanced PAPI Security” mode with a non-default key. Aruba states that it is unaware of any public discussion, exploit code, or active exploitation of these vulnerabilities as of the advisory's release date.
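As an added illustration of the exposure described above (not part of the original advisory and not Aruba's tooling), the following Python scans flow records for UDP/8211 traffic reaching a controller from outside a set of trusted management ranges; the record format, the sample records and the trusted subnet are all constructed assumptions for this example.

```python
import ipaddress
import re

# Constructed flow-record format for this example (not an ArubaOS log format):
# "<timestamp> proto=<udp|tcp> src=<ip> dst=<ip> dport=<port>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
PAPI_PORT = 8211  # the PAPI listener named in the advisory (UDP/8211)

# Assumption: the management/AP subnets from which PAPI traffic is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample records: two legitimate AP-to-controller flows, one UDP/8211
# flow from an Internet address, one TCP flow to 8211 (not PAPI), one unrelated.
SAMPLE_FLOWS = [
    "2023-03-01T10:00:01Z proto=udp src=10.10.1.21 dst=10.10.0.5 dport=8211",
    "2023-03-01T10:00:02Z proto=udp src=10.10.1.22 dst=10.10.0.5 dport=8211",
    "2023-03-01T10:00:03Z proto=udp src=203.0.113.45 dst=10.10.0.5 dport=8211",
    "2023-03-01T10:00:04Z proto=tcp src=203.0.113.45 dst=10.10.0.5 dport=8211",
    "2023-03-01T10:00:05Z proto=udp src=10.10.1.23 dst=10.10.0.5 dport=53",
]


def parse_flow(line):
    """Return one flow record as a dict, or None for lines in another format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def flag_untrusted_papi(lines, trusted_nets=TRUSTED_NETS):
    """Return UDP/8211 flows whose source lies outside the trusted ranges."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        # Only the UDP listener is in scope; TCP to the same port is unrelated.
        if rec is None or rec["proto"] != "udp" or rec["dport"] != PAPI_PORT:
            continue
        if not is_trusted(rec["src"], trusted_nets):
            hits.append(rec)
    return hits
```

Each hit shows the PAPI listener is reachable from a network that should not be talking to it, which is the condition the advisory's workaround and upgrades are meant to neutralise.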