HPE Aruba Networking AOS-8 and AOS-10 Command Injection Vulnerability Allowing Arbitrary File Upload and Potential Remote Code Execution

A command injection vulnerability has been identified in the web-based management interface of HPE Aruba Networking Operating Systems AOS-8 and AOS-10. This vulnerability allows authenticated remote attackers to upload arbitrary files to the underlying operating system, which could lead to remote code execution as a privileged user. The issue arises from improper input validation in the file path parameter of the certificate download functionality.

Impact

Exploitation of this vulnerability could result in unauthorized arbitrary file uploads, with the potential for remote code execution on the affected system as a privileged user.

Remediation

Users can upgrade to AOS-10.8.x.x (10.8.0.1 and above), AOS-10.7.x.x (10.7.2.3 and above), AOS-10.4.x.x (10.4.1.11 and above), AOS-8.13.x.x (8.13.1.2 and above), AOS-8.12.x.x (8.12.0.7 and above) or AOS-8.10.x.x (8.10.0.22 and above). HPE Aruba Networking does not patch AOS-10 Gateway and AOS-8 Controller/Mobility Conductor software branches that have reached their End of Maintenance (EoM) milestone.