HPE Aruba Networking AOS-8 and AOS-10 Authenticated Remote Code Execution Vulnerability

Vulnerability

A vulnerability allowing authenticated remote code execution exists in the web-based management interface of HPE Aruba Networking AOS-8 and AOS-10. This issue arises from improper input validation in the file path parameter of the certificate download functionality, which could enable an authenticated remote attacker to overwrite arbitrary files on the underlying operating system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary commands on the operating system as a privileged user.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of commands on the underlying operating system with elevated privileges, potentially allowing for a full system compromise.

Remediation

Users can upgrade to AOS-10.8.x.x (10.8.0.1 and above), AOS-10.7.x.x (10.7.2.3 and above), AOS-10.4.x.x (10.4.1.11 and above), AOS-8.13.x.x (8.13.1.2 and above), AOS-8.12.x.x (8.12.0.7 and above) or AOS-8.10.x.x (8.10.0.22 and above). HPE Aruba Networking does not evaluate or patch AOS-10 Gateway and AOS-8 Controller/Mobility Conductor software branches that have reached their End of Maintenance (EoM) milestone.
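The fixed-release list above can be applied to a device inventory. The following is an added example, not HPE Aruba Networking code: the host names and the sample inventory are constructed, and it assumes each version is reported as four dotted numbers. Fields are compared numerically, so 10.4.1.9 sorts below 10.4.1.11.

```python
import re

# Minimum fixed release per branch, copied from the Remediation text above.
FIXED = {
    (10, 8): (10, 8, 0, 1),
    (10, 7): (10, 7, 2, 3),
    (10, 4): (10, 4, 1, 11),
    (8, 13): (8, 13, 1, 2),
    (8, 12): (8, 12, 0, 7),
    (8, 10): (8, 10, 0, 22),
}

# Assumption: the inventory reports versions as exactly four dotted numbers.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def classify(version):
    """Return 'fixed', 'upgrade-needed', 'unlisted-branch' or 'unparsed'."""
    m = _VERSION.match(version)
    if not m:
        return "unparsed"          # do not guess at partial version strings
    v = tuple(int(part) for part in m.groups())
    fixed = FIXED.get(v[:2])       # branch = first two fields, e.g. 10.7
    if fixed is None:
        # The advisory lists no fixed release for this branch (it may be
        # past End of Maintenance); it needs manual review.
        return "unlisted-branch"
    return "fixed" if v >= fixed else "upgrade-needed"


def triage(inventory):
    """Group host names by classification; hosts are sorted within a group."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "gw-01": "10.7.2.3", "gw-02": "10.4.1.9", "gw-03": "10.8.0.0",
    "mc-01": "8.10.0.22", "mc-02": "8.11.0.3", "mc-03": "8.12.0",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```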

Added: May 12, 2026, 8:41 PM
Updated: May 12, 2026, 8:41 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 7.5
exploitability: 4.3
remediation: 7.9
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.