HPE Aruba Networking addressed four critical remote code execution vulnerabilities impacting its ArubaOS network operating system.

HPE Aruba Networking released April 2024 security updates that addressed four critical remote code execution (RCE) vulnerabilities affecting multiple versions of the network operating system ArubaOS.

The four vulnerabilities are unauthenticated buffer overflow issues that could be exploited to remotely execute arbitrary code.

The four critical RCE vulnerabilities are: 

• CVE-2024-26305 – Unauthenticated Buffer Overflow Vulnerability in the Utility Daemon Accessed via the PAPI Protocol. The exploitation of the issue could result in unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port (8211). An attacker can trigger the issue to execute arbitrary code as a privileged user on the underlying operating system.
• CVE-2024-26304 – Unauthenticated Buffer Overflow Vulnerability in the L2/L3 Management Service Accessed via the PAPI Protocol. The exploitation of the issue could result in unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port (8211). An attacker can trigger the issue to execute arbitrary code as a privileged user on the underlying operating system.
• CVE-2024-33511 – Unauthenticated Buffer Overflow Vulnerability in the Automatic Reporting Service Accessed via the PAPI Protocol. An unauthenticated remote attacker can achieve code execution by sending specially crafted packets to the PAPI UDP port (8211). Successful exploitation allows to execute arbitrary code as a privileged user on the underlying operating system.
• CVE-2024-33512 – Unauthenticated Buffer Overflow Vulnerability in the Local User Authentication Database Accessed via the PAPI Protocol. The exploitation of the flaw can allow unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port (8211). Successfully exploiting this vulnerability allows executing arbitrary code as a privileged user on the underlying operating system.

Below is the list of impacted products and software versions:

HPE Aruba Networking 
  - Mobility Conductor (formerly Mobility Master) 
  - Mobility Controllers 
  - WLAN Gateways and SD-WAN Gateways managed by Aruba Central 
  
Affected Software Versions: 
  - ArubaOS 10.5.x.x:       10.5.1.0 and below 
  - ArubaOS 10.4.x.x:       10.4.1.0 and below 
  - ArubaOS 8.11.x.x:       8.11.2.1 and below 
  - ArubaOS 8.10.x.x:       8.10.0.10 and below 
  
The following ArubaOS and SD-WAN software versions that are End 
of Maintenance are affected by these vulnerabilities and are not 
patched by this advisory: 
  - ArubaOS 10.3.x.x:          all 
  - ArubaOS 8.9.x.x:           all 
  - ArubaOS 8.8.x.x:           all 
  - ArubaOS 8.7.x.x:           all 
  - ArubaOS 8.6.x.x:           all 
  - ArubaOS 6.5.4.x:           all 
  - SD-WAN 8.7.0.0-2.3.0.x:    all 
  - SD-WAN 8.6.0.4-2.2.x.x:    all 

HPE Aruba Networking suggests enabling the Enhanced PAPI Security feature with a non-default key to mitigate the vulnerabilities. This mitigation works in ArubaOS 8.x, however, for ArubaOS 10.x, this vulnerability does not apply. Upgrading to one of the recommended ArubaOS 10.x versions will address the other vulnerabilities mentioned in the advisory.

At the time of this publishing, the vendor is not aware of attacks in the wild exploiting one of the flaws addressed by the April 2024 security updates.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, HPE Aruba)

Government agencies from the US, Canada and the UK warn of Russian threat actors targeting critical infrastructure in North America and Europe

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), United States Department of Agriculture (USDA), Food and Drug Administration (FDA), Multi-State Information Sharing and Analysis Center (MS-ISAC), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) published a joint advisory to warn of pro-Russia hacktivist groups targeting critical infrastructure organizations in North America and Europe.

The attacks focus on industrial control systems (ICS) and other operational technology (OT) systems in the target infrastructure.

Pro-Russia hacktivists have been targeting and compromising small-scale Operational Technology (OT) systems in North American and European Water and Wastewater Systems (WWS), Dams, Energy, and Food and Agriculture Sectors. They aim to exploit modular, internet-exposed Industrial Control Systems (ICS), targeting software components like human machine interfaces (HMIs). The threat actors were observed using methods such as exploiting virtual network computing (VNC) remote access software and default passwords.

The malicious activity began in 2022 and is still ongoing. The government agencies urge OT operators in critical infrastructure sectors to implement a set of mitigations provided in the advisory.

“Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects. However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.” reads the joint advisory. “Pro-Russia hacktivists have been observed gaining remote access via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs’ factory default passwords and weak passwords without multifactor authentication.”

The pro-Russia hacktivists tend to over exaggerate their the effects of the attacks. Since 2022, they have claimed on social platforms to have carried out disruptive cyber operations, including distributed denial of service and data wiping against numerous North American and international entities. However, reports from victims downplayed the effects of the attacks.

In early 2024, several U.S.-based water and wastewater systems (WWS) victims faced limited physical disruptions after attackers hacked into their Human Machine Interfaces (HMIs). The hacktivists altered settings, exceeded normal operating parameters of water pumps and blower equipment, disabled alarm mechanisms, and changed administrative passwords to lock out operators.

“In each case, the hacktivists maxed out set points, altered other settings, turned off alarm mechanisms, and changed administrative passwords to lock out the WWS operators. Some victims experienced minor tank overflow events; however, most victims reverted to manual controls in the immediate aftermath and quickly restored operations.” concludes the advisory.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, critical infrastructure)

A Ukrainian national, a member of the REvil group, has been sentenced to more than 13 years in prison for his role in extortion activities.

The Ukrainian national, Yaroslav Vasinskyi (24), aka Rabotnik, has been sentenced to more than 13 years in prison and must pay $16 million in restitution for conducting numerous ransomware attacks and extorting victims.

The man is a member of the REvil ransomware gang and was sentenced for his role in carrying out more than 2,500 ransomware attacks and demanding over $700 million in ransom payments.

In November 2021, the US Department of Justice charged Vasinskyi, REvil ransomware affiliate, for orchestrating the ransomware attacks on Kaseya MSP platform that took place on July 4, 2021.

Vasinskyi (aka Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) was arrested on October 8, 2021, while he was trying to enter Poland. Vasinskyi was extradited to the U.S. in March 2022.

Vasinskyi is a REvil ransomware affiliate since at least March 1st, 2019.

“According to court documents, Yaroslav Vasinskyi, also known as Rabotnik, 24, conducted thousands of ransomware attacks using the ransomware variant known as Sodinokibi/REvil.” reads the press release published by DoJ. “Ransomware is malicious software designed to encrypt data on victim computers, allowing bad actors the ability to demand a ransom payment in exchange for the decryption key.” The co-conspirators demanded ransom payments in cryptocurrency and used cryptocurrency exchangers and mixing services to hide their ill-gotten gains. To drive their ransom demands higher, Sodinokibi/REvil co-conspirators also publicly exposed their victims’ data when victims would not pay ransom demands.”

Vasinskyi had previously pleaded guilty in the Northern District of Texas to an 11-count indictment. The charges included conspiracy to commit fraud and computer-related activity, damaging protected computers, and conspiracy to commit money laundering. In a related matter, in 2023, the Department concluded the forfeiture of millions of dollars’ worth of ransom payments through two connected civil forfeiture cases. This included seizing 39.89138522 Bitcoin and $6.1 million in U.S. dollars linked to purported ransom payments received by other members of the conspiracy.

“Deploying the REvil ransomware variant, the defendant reached out across the globe to demand hundreds of millions of dollars from U.S. victims,” said Deputy Attorney General Lisa Monaco. “But this case shows the Justice Department’s reach is also global—working with our international partners, we are bringing to justice those who target U.S. victims, and we are disrupting the broader cybercrime ecosystem.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)