Key information

Vulnerability title: HPE Aruba Core Multiple Vulnerabilities

Affected products: HPE Aruba Core Software version 11.6 and later under certain configuration settings

Vulnerability details

CVE-2024-24452: An invalid memory access when handling the ProtocolID field of E-RAB Release Indication messages in ArubaCore MME v11.6 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating connections and sending a crafted payload.

CVE-2024-24453: An invalid memory access when handling the ProtocolID field of E-RAB Modify Request Handling messages in ArubaCore MME v11.6 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating connections and sending a crafted payload.

CVE-2024-24454: An invalid memory access when handling the ProtocolID field of UE Context Release messages in ArubaCore MME v11.6 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating connections and sending a crafted payload.

CVE-2024-24455: A buffer overflow vulnerability in ArubaCore MME, triggered by a malformed E-RAB Release Command NAS PDU, causes the ArubaCore MME to crash immediately, potentially due to a buffer overflow.

CVE-2024-24456: An invalid memory access when handling the ProtocolID field of E-RAB Setup List Context SLVRES Handling messages in ArubaCore MME v11.6 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating connections and sending a crafted payload.

CVE-2024-24457: An invalid memory access when handling the ProtocolID field of S1Setup Request Handling messages in ArubaCore MME v11.6 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating connections and sending a crafted payload.

CVSS score
Base score: 5.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:A/A:H

Discovered by: These vulnerabilities were discovered by Bennett, N., Zhu, W., Simon, B., Kennedy, R., Enzi, W., Tramper, P., Butler, K. (2024).

How it works: See the "How it works" section for a detailed description.

Affected versions: ArubaCore versions 11.6 and later

Solution
Upgrade to ArubaCore 11.6 (recommended).
In the GUI, go to Monitoring -> Utilities -> Process menu, disable the "MME (OLD)" process and enable the "MME" process.
Migrate the configuration from the "MME" configuration page to the "WMME" (enhanced MME) configuration page.

Public disclosure policy: These vulnerabilities were disclosed through coordinated disclosure. HPE Aruba Networking is not responsible for any techniques that exploit these vulnerabilities or that specifically target HPE Aruba networking products.