HPE Aruba Networking AOS-8 and AOS-10 Access Points, Gateways, and Controllers Security Boundary Bypass Vulnerability via Routing Node Impersonation
Vulnerability
A vulnerability exists in HPE Aruba Networking Wireless Operating Systems AOS-8 and AOS-10, affecting Mobility Conductors, Controllers, Gateways, and Access Points. The vulnerability allows an attacker connected to an access point as a standard wired or wireless client to impersonate a gateway using an address-based spoofing technique. Successful exploitation redirects data streams, enabling interception or modification of traffic intended for the legitimate network gateway and creating a Machine-in-the-Middle (MitM) situation.
Impact
Exploitation of this vulnerability allows unauthorized interception or modification of data streams: traffic is redirected through an attacker-controlled position that impersonates a legitimate network gateway.
Remediation
To address this vulnerability, HPE Aruba Networking recommends upgrading to AOS-10.8.x.x (10.8.0.1 and above), AOS-10.7.x.x (10.7.2.3 and above), AOS-10.4.x.x (10.4.1.11 and above), AOS-8.13.x.x (8.13.1.2 and above), AOS-8.12.x.x (8.12.0.7 and above), or AOS-8.10.x.x (8.10.0.22 and above). For AOS-10 Gateway and AOS-8 Controller/Mobility Conductor branches that have reached their End of Maintenance, no upgrade is available.
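The fixed-release list above can be applied to a device inventory as follows. This is an added example, not HPE Aruba Networking code; the version-string format (four dotted integers with an optional "AOS-" prefix and build suffix), the status labels, and the sample inventory are assumptions.

```python
import re

# Minimum fixed release for each branch, copied from the Remediation paragraph.
FIXED = {
    (10, 8): (10, 8, 0, 1),
    (10, 7): (10, 7, 2, 3),
    (10, 4): (10, 4, 1, 11),
    (8, 13): (8, 13, 1, 2),
    (8, 12): (8, 12, 0, 7),
    (8, 10): (8, 10, 0, 22),
}

# Assumption: versions are four dotted integers, optionally prefixed "AOS-"
# and optionally followed by a build suffix such as "_12345".
_VERSION = re.compile(r"^(?:AOS-)?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:[-_ ].*)?$")


def parse_version(text):
    match = _VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised AOS version: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Return (status, minimum_fixed_release_or_None) for one device."""
    version = parse_version(version_text)
    minimum = FIXED.get(version[:2])
    if minimum is None:
        # Branch not in the fixed list (for example one past End of
        # Maintenance): no target release can be derived from the advisory.
        return ("unlisted-branch", None)
    # Tuple comparison is numeric, so 8.10.0.9 sorts below 8.10.0.22;
    # comparing the raw strings would get this wrong.
    if version >= minimum:
        return ("fixed", None)
    return ("needs-upgrade", ".".join(str(part) for part in minimum))


def audit(inventory):
    """Map each device name to its assessment."""
    return {name: assess(version) for name, version in inventory}


# Constructed inventory; device names and versions are made up.
SAMPLE = [("ap-lobby", "8.10.0.9"), ("gw-core", "AOS-10.4.1.11"),
          ("mc-old", "8.11.2.0"), ("ap-lab", "10.7.2.1_90001")]

if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, *result)
```

Devices reported as unlisted-branch need a manual check against the vendor's maintenance status, since the advisory gives no fixed release for them.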
