Introduction

This document addresses critical security vulnerabilities identified in Cisco’s Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) access points and HPE Aruba’s access points. These vulnerabilities pose significant risks, including unauthorized command execution and potential system control by attackers. The document outlines the nature of these vulnerabilities, affected devices [1] [3] [7] [8] [9] [10], and recommended mitigation strategies.

Description

Cisco has disclosed a critical command injection vulnerability [3] [8] [9], tracked as CVE-2024-20418 [1] [2] [3] [4] [7] [10], in the web-based management interface of its Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) access points [6] [9] [10] [12]. This severe vulnerability [2] [3], which has a maximum CVSS score of 10.0 [2] [3], specifically affects the Catalyst IW9165D Heavy Duty Access Points [3] [4] [8], Catalyst IW9165E Rugged Access Points [3] [4] [8] [10] [12], and Catalyst IW9167E Heavy Duty Access Points [3] [4] [8] [10] [12]. The flaw arises from improper input validation [2] [3] [7] [9] [12], allowing unauthenticated remote attackers to inject and execute arbitrary commands with root privileges on the affected devices by sending specially crafted HTTP requests. Successful exploitation could enable attackers to gain unauthorized control over the device’s operating system, replace files on the file system [5], add users with root privileges [5], modify device configurations [5], execute arbitrary code [1] [3] [5] [8] [10] [11] [12], or cause a permanent denial of service (DoS) condition [5].

To determine if a device is vulnerable [1], users can execute the “show mpls-config” CLI command; if this command is available, it indicates that URWB mode is enabled, placing the device at risk. Cisco has confirmed that devices not operating in URWB mode, including the 6300 Series Embedded Services Access Points [2], Aironet models [2], and Catalyst 9100 Series Access Points [2], are not affected by this vulnerability [4]. The company has released software updates, specifically version 17.15.1, to mitigate the issue [2], and users on versions 17.14 and earlier are urged to promptly apply the patch, as there are no workarounds available [1] [2] [3] [7]. Cisco’s Product Security Incident Response Team (PSIRT) has not received reports of active exploitation or public announcements regarding this vulnerability [3].

In addition to the vulnerabilities in Cisco’s URWB access points, HPE Aruba has reported a severe unauthenticated command injection vulnerability [7], tracked as CVE-2024-42509 [1] [2] [7] [10], affecting its access points [7]. This flaw, which has a CVSS score of 9.8, allows attackers to exploit the PAPI protocol’s UDP port (8211) to remotely execute privileged code on affected devices [7]. Other vulnerabilities in Aruba’s access points include CVE-2024-47460 [7], which also allows arbitrary code execution via specially crafted packets [7], as well as several authenticated Remote Code Execution (RCE) issues [7]. HPE Aruba advises users to apply the latest patches for AOS-10 and AOS-8 versions to mitigate these vulnerabilities and suggests implementing network segmentation or firewall restrictions as interim measures [7].

To enhance security against potential exploits [5], it is advised to establish a documented vulnerability management process, perform automated application patch management [5], conduct regular automated vulnerability scans [5], and remediate detected vulnerabilities promptly [5]. Additionally, applying the Principle of Least Privilege [5], managing default accounts [5], restricting administrator privileges [5], and deploying network intrusion detection and prevention solutions are recommended practices. Cisco emphasizes the importance of manufacturers implementing secure design principles to prevent such flaws [4]. For further details [9], users are encouraged to refer to the vendor’s advisory. Customers without service contracts should contact the Cisco Technical Assistance Center (TAC) for assistance in obtaining updates [2]. Security practitioners managing industrial or critical infrastructure networks are urged to promptly update vulnerable devices to avoid high-risk attacks due to the root-level access permitted by this vulnerability.

Conclusion

The vulnerabilities identified in Cisco’s and HPE Aruba’s access points highlight significant security risks that could lead to unauthorized system control and data breaches. Immediate application of the recommended patches and updates is crucial to mitigate these risks. Organizations should also adopt comprehensive security practices, including regular vulnerability assessments and adherence to secure design principles, to safeguard against future threats. Proactive measures and timely updates are essential to protect critical infrastructure from potential exploitation.

References

[1] https://securityaffairs.com/170646/security/cisco-uwrb-crirical-flaw.html
[2] https://cyble.com/blog/critical-bug-in-ciscos-urwb-exposes-systems-to-root-privilege-command-injection/
[3] https://securityonline.info/cve-2024-20418-cvss-10-cisco-urwb-access-points-vulnerable-to-remote-takeover/
[4] https://www.networkworld.com/article/3600993/cisco-iot-wireless-access-points-hit-by-severe-command-injection-flaw.html
[5] https://www.cisecurity.org/advisory/a-vulnerability-in-cisco-unified-industrial-wireless-software-for-ultra-reliable-wireless-backhaul-access-point-could-allow-for-remote-code-execution_2024-123
[6] https://www.tenable.com/cve/CVE-2024-20418
[7] https://socradar.io/critical-vulnerabilities-in-cisco-urwb-and-hpe-aruba-access-points-cve-2024-20418-cve-2024-42509/
[8] https://www.helpnetsecurity.com/2024/11/07/cve-2024-20418/
[9] https://www.cert.be/en/advisory/warning-critical-command-injection-cisco-urwb-root-privileges-perfect-cvss-10-score-patch
[10] https://www.techradar.com/pro/security/cisco-issues-patch-that-fixes-serious-flaw-allowing-possible-industrial-systems-takeover
[11] https://www.darkreading.com/vulnerabilities-threats/cisco-bug-command-injection-attacks
[12] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-backhaul-ap-cmdinj-R7E28Ecs