ArubaOS < 8.10.0.10 / 8.11.2.1 / 10.4.1.0 / 10.5.1.0 Multiple Vulnerabilities (ARUBA-PSA-2024-002)

high Nessus Plugin ID 191712

Synopsis

An application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of ArubaOS installed on the remote host is 8.x prior to 8.10.0.10, 8.11 prior to 8.11.2.1, 10.4 prior to 10.4.1.0, or 10.5 prior to 10.5.1.0. It is, therefore, affected by multiple vulnerabilities including:

- An authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. (CVE-2024-1356, CVE-2024-25611, CVE-2024-25612, CVE-2024-25613)

- There is an arbitrary file deletion vulnerability in the CLI used by ArubaOS. Successful exploitation of this vulnerability results in the ability to delete arbitrary files on the underlying operating system, which could lead to denial-of-service conditions and impact the integrity of the controller. (CVE-2024-25614)
- An unauthenticated Denial-of-Service (DoS) vulnerability exists in the Spectrum service accessed via the PAPI protocol in ArubaOS 8.x. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected service. (CVE-2024-25615)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to the ArubaOS version mentioned in the vendor advisory.

See Also

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-002.txt

Plugin Details

Severity: High

ID: 191712

File Name: arubaos-aruba-psa-2024-002.nasl

Version: 1.2

Type: combined

Family: Misc.

Published: 3/7/2024

Updated: 5/2/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C

CVSS Score Source: CVE-2024-25611

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2024-25613

Vulnerability Information

CPE: cpe:/o:arubanetworks:arubaos, cpe:/o:hp:arubaos

Required KB Items: installed_sw/ArubaOS

Exploit Ease: No known exploits are available

Patch Publication Date: 3/5/2024

Vulnerability Publication Date: 3/5/2024

Reference Information

CVE: CVE-2024-1356, CVE-2024-25611, CVE-2024-25612, CVE-2024-25613, CVE-2024-25614, CVE-2024-25615, CVE-2024-25616

IAVA: 2024-A-0136-S