PDS Cyber Security Advisory:
Advisory Regarding Vulnerabilities in Aruba Instant Access Points
Advisory Type: IT Security
Severity: Critical
Summary: PDS is providing the following communication to build awareness of critical vulnerabilities and patches in Aruba Instant Access Points.
On March 17, 2021 HPE posted a vulnerability bulletin disclosing that multiple critical, vulnerabilities exist in several versions of Aruba Instant Access Points. The software versions affected include:
- Aruba Instant 6.4.x
- Aruba Instant 6.5.x
- Aruba Instant 8.3.x
- Aruba Instant 8.5.x
- Aruba Instant 8.6.x
- Aruba Instant 8.7.x
The vulnerabilities include the following:
- Buffer Overflow Vulnerabilities in the PAPI protocol (3 unique CVEs)
- Authenticated Arbitrary Remote Command Execution (1 CVE)
- Authenticated Arbitrary File Write via CLI (1 CVE)
- Unauthenticated Command Injection via DHCP Options (1 CVE)
- Unauthenticated Denial of Service via PAPI Protocol (1 CVE)
- Unauthenticated Command Injection via Web UI (1 CVE)
- Authenticated Arbitrary File Write via Web UI (2 CVEs)
- Authenticated Remote Command Execution (2 CVEs)
- Authentication Bypass (1 CVE)
- Authenticated Reflected Cross-Site Scripting (1 CVE)
- Unauthenticated Arbitrary File Read via Race Condition Vulnerability (1 CVE)
- Authenticated Arbitrary Directory Create via Web UI (1 CVE)
- Authenticated Arbitrary File Read via Web UI (1 CVE)
- Authenticated Arbitrary File Write via Web UI to Specific Backup File (1 CVE)
- Remote Unauthorized Disclosure of Information (1 CVE)
We strongly advise customers to review the HPE Aruba advisory and upgrade their environments. PDS Architects are available to assist with the upgrades, your Account Director can assist in arranging for this upgrade support.
