HPE Aruba Access Points AOS-10 Command Injection Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A vulnerability exists in the configuration processing logic of HPE Aruba Access Points running AOS-10. This vulnerability allows an authenticated remote attacker to execute arbitrary system commands under certain pre-existing conditions. The issue arises from inconsistent input filtering, which can be exploited to inject commands that are executed in a restricted shell environment. Successful exploitation could lead to unauthorized command execution on the underlying operating system. It is important to note that Access Points running AOS-8 Instant software are not affected by this vulnerability.
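The advisory attributes the flaw to inconsistent input filtering of configuration values before they reach a shell. The following Python example, added here and not taken from Aruba's AOS-10 code, illustrates the vulnerability class in the abstract: a blocklist filter that strips some command separators but not others, beside a hardened handler that validates the value against an allowlist and assembles the command as an argv list so no shell parses it. The handler names, the "hostname" setting and the filtering rules are constructed for the illustration.

```python
import re
from typing import List

# Blocklist-style filter of the kind that gets applied inconsistently: it
# removes two separators but ignores other shell control syntax such as
# "$(...)", backticks, newlines, "&&" and redirections.
_BLOCKED_CHARS = (";", "|")


def weak_filter(value: str) -> str:
    for ch in _BLOCKED_CHARS:
        value = value.replace(ch, "")
    return value


def build_command_vulnerable(hostname: str) -> str:
    """Interpolate a blocklist-filtered config value into one shell command line.

    Anything that survives the blocklist is still interpreted by the shell
    when this string is handed to it (e.g. subprocess.run(cmd, shell=True)).
    """
    return f"hostname {weak_filter(hostname)}"


# Hardened variant: strict allowlist for a DNS-style hostname, and the
# command is built as an argument list so the value is never shell-parsed.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def validate_hostname(value: str) -> str:
    if len(value) > 253 or not _HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected hostname value: {value!r}")
    return value


def build_command_hardened(hostname: str) -> List[str]:
    # Pass this list to subprocess.run(argv) without shell=True.
    return ["hostname", validate_hostname(hostname)]


# Detection check for audits or log review: does an assembled command line
# still carry shell control syntax after filtering?
_SHELL_CONTROL = re.compile(r"\$\(|`|\n|&&|\|\||[<>]")


def has_shell_control(cmdline: str) -> bool:
    return _SHELL_CONTROL.search(cmdline) is not None


if __name__ == "__main__":
    for value in ("ap-01.lab", "ap1$(id)"):
        weak = build_command_vulnerable(value)
        print(f"{value!r}: blocklist -> {weak!r}, control syntax present: {has_shell_control(weak)}")
        try:
            print(f"{value!r}: allowlist -> {build_command_hardened(value)}")
        except ValueError as exc:
            print(f"{value!r}: allowlist -> {exc}")
```

The point of the pairing is that a blocklist is only as good as its completeness, whereas the allowlist plus argv approach removes the shell from the path entirely, so there is nothing left to filter inconsistently.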
Impact
Exploitation of this vulnerability could result in authenticated command injection, allowing attackers to execute arbitrary commands on the device's operating system. This could lead to unauthorized access, manipulation of system functions, or potential escalation of privileges, depending on the nature of the executed commands.
Remediation
To address this vulnerability, HPE recommends upgrading to AOS-10 AP version 10.8.0.1 and above or 10.7.2.3 and above. For Access Points running AOS-8 Instant, the recommended version is 8.13.1.2 and above. Instructions for downloading the updated software are available on the HPE Networking Support Portal.
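A practitioner checking a fleet against these thresholds needs a branch-aware comparison, since 10.7.2.3 and 10.8.0.1 are fixes on different AOS-10 release trains. The following Python script is an added example, not HPE tooling; the only facts it encodes are the version numbers from the advisory. How it treats trains the advisory does not name (newer than 10.8, older than 10.7) is an assumption and is marked as such in the code, and the inventory is constructed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum fixed releases named in the advisory, keyed by AOS-10 release train.
FIXED_AOS10: Dict[Tuple[int, int], Version] = {
    (10, 8): (10, 8, 0, 1),
    (10, 7): (10, 7, 2, 3),
}
# Release the advisory recommends for Access Points running AOS-8 Instant.
RECOMMENDED_AOS8_INSTANT: Version = (8, 13, 1, 2)


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d'; shorter strings are zero-padded so '10.7.2' < '10.7.2.3'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def meets_advisory(version: str, software: str) -> bool:
    """True if the running version is at or above the release the advisory names."""
    v = parse_version(version)
    if software == "aos8-instant":
        return v >= RECOMMENDED_AOS8_INSTANT
    if software == "aos10":
        train = v[:2]
        if train in FIXED_AOS10:
            return v >= FIXED_AOS10[train]
        # Assumption, not stated in the advisory: trains newer than 10.8 are
        # treated as containing the fix; trains older than 10.7 are treated as
        # needing an upgrade to one of the named releases.
        return train > (10, 8)
    raise ValueError(f"unknown software family: {software!r}")


def devices_needing_upgrade(inventory: List[Dict[str, str]]) -> List[str]:
    return [d["name"] for d in inventory
            if not meets_advisory(d["version"], d["software"])]


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"name": "ap-floor1", "software": "aos10", "version": "10.7.2.2"},
    {"name": "ap-floor2", "software": "aos10", "version": "10.7.2.3"},
    {"name": "ap-lobby", "software": "aos10", "version": "10.8.0.0"},
    {"name": "ap-lab", "software": "aos10", "version": "10.8.1.0"},
    {"name": "ap-old", "software": "aos10", "version": "10.6.0.5"},
    {"name": "ap-branch", "software": "aos8-instant", "version": "8.12.0.1"},
]

if __name__ == "__main__":
    for name in devices_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{name}: below advisory release, schedule upgrade")
```

Comparing padded integer tuples rather than strings avoids the classic mistake where "10.10" sorts below "10.8" lexically; keying the thresholds by train keeps a device on 10.7.2.3 from being flagged merely because it is below 10.8.0.1.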
