HP switches with a CVSS of 9.8 and a generally recommendable workaround

"Authentication Bypass in Web Interface allows Unauthenticated Admin Password Reset (CVE-2026-23813)"

So anyone who can reach the web interface can remotely open up the switch. That earns 9.8 out of 10 points. Normally you only see that from plastic consumer routers or Cisco.

The workaround HP proposes should be treated as general advice. In short:

To mitigate the exposure of this vulnerability, HPE Aruba Networking recommends the following mitigation measures:

Restrict access to all management interfaces to a dedicated Layer 2 segment or VLAN to isolate management traffic from general network traffic.

Implement strict policies at Layer 3 and above to control access to management interfaces, permitting only authorized and trusted hosts.

Disable HTTP(S) interfaces on Switched Virtual Interfaces (SVIs) and routed ports wherever management access is not required.

Enforce Control Plane Access Control Lists (ACLs) to protect any REST/HTTP-enabled management interfaces, ensuring only trusted clients are allowed to connect to the HTTPS/REST endpoints.

Enable comprehensive accounting, logging, and monitoring of all management interface activities to detect and respond to unauthorized access attempts promptly.

This applies equally to services such as SSH or SNMP on the switches.
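The last of HP's points, logging and monitoring of management-interface activity, is easy to put into practice once management access is confined to a dedicated segment: every HTTPS, SSH or SNMP event whose source lies outside that segment is an alert, and an admin password reset from such a source is the case this advisory is about. The script below is an added example, not from the advisory or this post; the trusted network and the syslog-like line format are constructed assumptions, so adapt the regex to your switches' real log format.

```python
"""Flag management-plane events from outside the trusted management segment."""
import ipaddress
import re

# Segment permitted to reach management interfaces (assumed value).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.250.0.0/24")]

# Constructed sample lines in a syslog-like shape; real switch logs differ.
SAMPLE_LOG = """\
2026-02-01T10:00:01 sw-core1 https: session opened user=admin src=10.250.0.15
2026-02-01T10:02:13 sw-core1 https: session opened user=- src=192.168.77.20
2026-02-01T10:02:14 sw-core1 https: password reset user=admin src=192.168.77.20
2026-02-01T10:05:00 sw-core1 ssh: session opened user=netops src=10.250.0.22
2026-02-01T10:06:30 sw-core1 snmp: get-request community=public src=172.16.4.9
"""

# One management-plane event per line: timestamp, host, service, event text, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>https|ssh|snmp): (?P<event>.*?) src=(?P<src>\S+)$"
)


def is_trusted(src: str) -> bool:
    """True if the source address lies inside the management segment."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_alerts(log_text: str) -> list[dict]:
    """Return one alert per management-plane event from an untrusted source.

    A password reset from an untrusted host is escalated to 'critical';
    any other management access from outside the segment is 'high'.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or is_trusted(m["src"]):
            continue  # unparsed line, or access from the management segment
        severity = "critical" if "password reset" in m["event"] else "high"
        alerts.append({"ts": m["ts"], "host": m["host"], "service": m["svc"],
                       "src": m["src"], "event": m["event"], "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['service']} "
              f"from {a['src']}: {a['event']}")
```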