Security News, 2 May 2024

HPE Aruba Networking addressed four critical ArubaOS RCE flaws

2 May 2024 at 17:46

HPE Aruba Networking addressed four critical remote code execution vulnerabilities impacting its ArubaOS network operating system.

HPE Aruba Networking released April 2024 security updates that addressed four critical remote code execution (RCE) vulnerabilities affecting multiple versions of the network operating system ArubaOS.

The four vulnerabilities are unauthenticated buffer overflow issues that could be exploited to remotely execute arbitrary code.

The four critical RCE vulnerabilities are:

  • CVE-2024-26305 – Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol. Specially crafted packets sent to the PAPI UDP port (8211) trigger the overflow and give an unauthenticated remote attacker arbitrary code execution as a privileged user on the underlying operating system.
  • CVE-2024-26304 – Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol. Same vector and impact: crafted packets to UDP port 8211 yield unauthenticated remote code execution as a privileged user on the underlying operating system.
  • CVE-2024-33511 – Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol. Crafted packets to UDP port 8211 let an unauthenticated remote attacker execute arbitrary code as a privileged user on the underlying operating system.
  • CVE-2024-33512 – Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol. Crafted packets to UDP port 8211 let an unauthenticated remote attacker execute arbitrary code as a privileged user on the underlying operating system.

Below is the list of impacted products and software versions:

HPE Aruba Networking 
- Mobility Conductor (formerly Mobility Master)
- Mobility Controllers
- WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Affected Software Versions:
- ArubaOS 10.5.x.x: 10.5.1.0 and below
- ArubaOS 10.4.x.x: 10.4.1.0 and below
- ArubaOS 8.11.x.x: 8.11.2.1 and below
- ArubaOS 8.10.x.x: 8.10.0.10 and below

The following ArubaOS and SD-WAN software versions that are End of Maintenance are affected by these vulnerabilities and are not patched by this advisory:
- ArubaOS 10.3.x.x: all
- ArubaOS 8.9.x.x: all
- ArubaOS 8.8.x.x: all
- ArubaOS 8.7.x.x: all
- ArubaOS 8.6.x.x: all
- ArubaOS 6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all
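As an added example (not vendor tooling and not code from the advisory), the following Python script turns the version table above into a triage check for an inventory of ArubaOS devices: it parses a dotted version string, matches it to its release train, and reports whether the device is still on an affected build, on an End of Maintenance train with no fix, or already past the last affected build. The train boundaries come from the affected-version list above; the inventory, hostnames and the "not-in-advisory" handling for unlisted trains are assumptions made for the example.

```python
"""Triage ArubaOS / SD-WAN version strings against the affected-version table
in HPE Aruba Networking's April 2024 advisory (CVE-2024-26305, CVE-2024-26304,
CVE-2024-33511, CVE-2024-33512).

Added example, not vendor tooling. The inventory below is constructed.
"""
from __future__ import annotations

# Release trains that received a fix: train prefix -> highest affected build.
# A build at or below the listed one is vulnerable; anything newer on the
# same train is past the affected range.
FIXED_TRAINS = {
    "10.5": (10, 5, 1, 0),
    "10.4": (10, 4, 1, 0),
    "8.11": (8, 11, 2, 1),
    "8.10": (8, 10, 0, 10),
}

# End of Maintenance trains: every build is affected and no patch is offered.
# SD-WAN version strings are not four plain integers, so they are matched
# as string prefixes before any numeric parsing.
EOM_PREFIXES = (
    "10.3.", "8.9.", "8.8.", "8.7.", "8.6.", "6.5.4.",
    "8.7.0.0-2.3.0.", "8.6.0.4-2.2.",
)


def parse_version(version: str) -> tuple[int, ...]:
    """'8.10.0.10' -> (8, 10, 0, 10); rejects anything that is not four integers."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Classify one version string.

    Returns one of:
      'end-of-maintenance'  affected, no fix on this train, move to a supported train
      'vulnerable'          affected build on a fixed train, upgrade within the train
      'patched'             newer than the last affected build on its train
      'not-in-advisory'     train not listed; verify separately, do not assume safe
    """
    version = version.strip()
    if any(version.startswith(p) for p in EOM_PREFIXES):
        return "end-of-maintenance"
    parsed = parse_version(version)
    for train, last_affected in FIXED_TRAINS.items():
        # Trailing dot keeps "8.1." from matching "8.10.x.x" and similar.
        if version.startswith(train + "."):
            return "vulnerable" if parsed <= last_affected else "patched"
    return "not-in-advisory"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group device names by assessment so the patch list is immediately usable."""
    groups: dict[str, list[str]] = {}
    for device, version in inventory.items():
        groups.setdefault(assess(version), []).append(device)
    return groups


# Constructed inventory (assumed hostnames): hostname -> reported version.
SAMPLE_INVENTORY = {
    "mc-hq-01": "8.10.0.10",        # last affected 8.10 build
    "mc-hq-02": "8.10.0.11",        # first build above the affected range
    "mm-core": "8.11.2.1",
    "gw-branch-7": "10.5.1.0",
    "gw-branch-8": "10.5.1.1",
    "mc-legacy": "8.9.0.3",         # End of Maintenance train
    "sdwan-edge": "8.7.0.0-2.3.0.5",
}

if __name__ == "__main__":
    for status, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:20} {', '.join(devices)}")
```

The comparison is a plain tuple comparison on the four numeric fields, which is why the train prefix is matched first: "8.10.0.11" is newer than "8.10.0.10" but must not be compared against the 8.11 boundary. Devices that come back as "not-in-advisory" are on a train the advisory does not mention at all and should be checked against the vendor's current bulletin rather than treated as safe.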

As a workaround, HPE Aruba Networking suggests enabling the Enhanced PAPI Security feature with a non-default key. This mitigation applies to ArubaOS 8.x only; it does not apply to ArubaOS 10.x, where the remedy is to upgrade to one of the fixed 10.x versions. Upgrading to a fixed release is the complete fix in either case, and it also addresses the other vulnerabilities covered by the advisory.

At the time of publishing, the vendor was not aware of in-the-wild exploitation of any of the flaws addressed by the April 2024 security updates.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, HPE Aruba)

Pro-Russia hackers target critical infrastructure in North America and Europe

2 May 2024 at 19:52

Government agencies from the US, Canada and the UK warn that pro-Russia hacktivists are targeting critical infrastructure in North America and Europe.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) published a joint advisory to warn of pro-Russia hacktivist groups targeting critical infrastructure organizations in North America and Europe.

The attacks focus on industrial control systems (ICS) and other operational technology (OT) systems in the target infrastructure.

Pro-Russia hacktivists have been targeting and compromising small-scale Operational Technology (OT) systems in North American and European Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture Sectors. They aim to exploit modular, internet-exposed Industrial Control Systems (ICS), targeting software components like human machine interfaces (HMIs). The threat actors were observed using methods such as exploiting virtual network computing (VNC) remote access software and default passwords.

The malicious activity began in 2022 and is still ongoing. The government agencies urge OT operators in critical infrastructure sectors to implement a set of mitigations provided in the advisory.

“Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects. However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.” reads the joint advisory. “Pro-Russia hacktivists have been observed gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.”

The pro-Russia hacktivists tend to exaggerate the effects of their attacks. Since 2022, they have claimed on social platforms to have carried out disruptive cyber operations, including distributed denial of service and data wiping, against numerous North American and international entities. However, reports from victims downplayed the effects of the attacks.

In early 2024, several U.S.-based water and wastewater systems (WWS) victims faced limited physical disruptions after attackers hacked into their Human Machine Interfaces (HMIs). The hacktivists altered settings, exceeded normal operating parameters of water pumps and blower equipment, disabled alarm mechanisms, and changed administrative passwords to lock out operators.

“In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.” concludes the advisory.
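On the defender's side, the exposure the advisory describes (VNC reachable from the internet, in front of HMIs that still carry default or weak passwords) is something a firewall accept log will show. The following is an added example, not from the advisory or the article: it scans constructed syslog-style firewall lines for VNC sessions to HMI addresses that were accepted from outside the site's own address ranges, and counts repeat sessions per external source and HMI. The log format, the internal network list, the HMI addresses and the sample lines are all assumptions made for the example.

```python
"""Find VNC sessions to HMIs that were accepted from outside the site's own
address space, the exposure the joint advisory describes.

Added example, not from the advisory. Log format, address ranges and sample
lines are all constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Address space the site considers its own (OT, IT and VPN ranges). Anything
# else is treated as internet-sourced. Assumed values for the example.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Standard VNC display ports :0 through :9.
VNC_PORTS = range(5900, 5910)

# Constructed firewall lines: timestamp, firewall, action, source, destination, port.
SAMPLE_LOGS = """\
2024-04-02T03:12:41Z fw01 ACCEPT src=203.0.113.45 dst=10.20.0.15 proto=tcp dport=5900
2024-04-02T03:13:02Z fw01 ACCEPT src=10.20.0.7 dst=10.20.0.15 proto=tcp dport=5900
2024-04-02T03:13:30Z fw01 DROP src=198.51.100.9 dst=10.20.0.15 proto=tcp dport=5900
2024-04-02T04:01:11Z fw01 ACCEPT src=192.0.2.77 dst=10.20.0.22 proto=tcp dport=5901
2024-04-02T04:05:00Z fw01 ACCEPT src=203.0.113.45 dst=10.20.0.15 proto=tcp dport=443
2024-04-02T04:09:58Z fw01 ACCEPT src=203.0.113.45 dst=10.20.0.15 proto=tcp dport=5900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def is_external(ip: str) -> bool:
    """True when the address lies outside every range the site owns."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_vnc(log_text: str) -> list[dict]:
    """Return accepted VNC connections whose source is external to the site.

    Dropped packets and non-VNC ports are ignored; internal sources are
    legitimate operator traffic and are ignored too.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue
        dport = int(m["dport"])
        if dport not in VNC_PORTS or not is_external(m["src"]):
            continue
        hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": dport})
    return hits


def sessions_per_source(hits: list[dict]) -> Counter:
    """Count external (src, dst) pairs; repeat sessions to one HMI stand out."""
    return Counter((h["src"], h["dst"]) for h in hits)


if __name__ == "__main__":
    hits = find_exposed_vnc(SAMPLE_LOGS)
    for (src, dst), n in sessions_per_source(hits).most_common():
        print(f"{src} -> {dst}: {n} accepted VNC session(s) from outside the site")
```

Any hit at all from this check means an HMI's VNC service is reachable from the internet, which is the condition the advisory's mitigations (remove internet exposure, change default passwords, require multifactor authentication) are meant to eliminate; the per-source count just orders the findings so that a repeat visitor to one HMI is looked at first.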

Pierluigi Paganini


(SecurityAffairs – hacking, critical infrastructure)
