Multiple vulnerabilities in ArubaOS and Aruba SD-WAN



Published: 2023-03-01
Risk High
Patch available YES
Number of vulnerabilities 33
CVE-ID CVE-2023-22764
CVE-2023-22778
CVE-2023-22777
CVE-2023-22776
CVE-2023-22775
CVE-2023-22774
CVE-2023-22773
CVE-2023-22772
CVE-2023-22771
CVE-2023-22770
CVE-2023-22769
CVE-2023-22768
CVE-2023-22767
CVE-2023-22766
CVE-2023-22765
CVE-2023-22763
CVE-2023-22747
CVE-2023-22754
CVE-2023-22748
CVE-2023-22749
CVE-2023-22750
CVE-2023-22751
CVE-2023-22752
CVE-2023-22753
CVE-2023-22755
CVE-2023-22762
CVE-2023-22756
CVE-2023-22757
CVE-2023-22758
CVE-2023-22759
CVE-2023-22760
CVE-2023-22761
CVE-2021-3712
CWE-ID CWE-78
CWE-79
CWE-284
CWE-22
CWE-613
CWE-119
CWE-121
CWE-125
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
ArubaOS
Operating systems & Components / Operating system

SD-WAN
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor Aruba Networks

Security Bulletin

This security bulletin contains information about 33 vulnerabilities.

1) OS Command Injection

EUVDB-ID: #VU72656

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22764

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted arguments via the CLI and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Stored cross-site scripting

EUVDB-ID: #VU72674

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22778

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Improper access control

EUVDB-ID: #VU72673

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22777

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions in the web-based management interface. A remote user can bypass implemented security restrictions and read arbitrary files on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Path traversal

EUVDB-ID: #VU72672

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22776

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a local user to read arbitrary files on the device.

The vulnerability exists due to input validation error when processing directory traversal sequences in the CLI. A local user can pass specially crafted arguments to the CLI commands and read arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Improper access control

EUVDB-ID: #VU72671

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22775

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions in the CLI. A local user can bypass implemented security restrictions and gain unauthorized access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Path traversal

EUVDB-ID: #VU72669

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22774

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a local user to delete arbitrary files on the device.

The vulnerability exists due to input validation error when processing directory traversal sequences in the CLI. A local user can pass specially crafted arguments to the CLI commands and delete arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Path traversal

EUVDB-ID: #VU72668

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22773

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a local user to delete arbitrary files on the device.

The vulnerability exists due to input validation error when processing directory traversal sequences in the CLI. A local user can pass specially crafted arguments to the CLI commands and delete arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Path traversal

EUVDB-ID: #VU72667

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22772

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to delete arbitrary files on the device.

The vulnerability exists due to input validation error when processing directory traversal sequences in the web-based interface. A remote user can send a specially crafted HTTP request and delete arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Insufficient Session Expiration

EUVDB-ID: #VU72666

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22771

CWE-ID: CWE-613 - Insufficient Session Expiration

Exploit availability: No

Description

The vulnerability allows a local user to gain unauthorized access to system.

The vulnerability exists due to insufficient session expiration issue in the command line interface. A local user can keep an active session on the affected device even after their account has been removed.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) OS Command Injection

EUVDB-ID: #VU72662

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22770

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted arguments via the CLI and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) OS Command Injection

EUVDB-ID: #VU72661

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22769

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted arguments via the CLI and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) OS Command Injection

EUVDB-ID: #VU72660

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22768

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted arguments via the CLI and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) OS Command Injection

EUVDB-ID: #VU72659

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22767

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted arguments via the CLI and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) OS Command Injection

EUVDB-ID: #VU72658

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22766

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted arguments via the CLI and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) OS Command Injection

EUVDB-ID: #VU72657

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22765

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted arguments via the CLI and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

16) OS Command Injection

EUVDB-ID: #VU72655

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22763

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted arguments via the CLI and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

17) OS Command Injection

EUVDB-ID: #VU72638

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22747

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the PAPI Protocol. A remote unauthenticated attacker can send specially crafted packets to port 8211/UDP and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

18) Buffer overflow

EUVDB-ID: #VU72645

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22754

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the PAPI Protocol. A remote attacker can send specially crafted packets to port 8211/UDP, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

19) OS Command Injection

EUVDB-ID: #VU72639

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22748

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the PAPI Protocol. A remote unauthenticated attacker can send specially crafted packets to port 8211/UDP and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

20) OS Command Injection

EUVDB-ID: #VU72640

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22749

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the PAPI Protocol. A remote unauthenticated attacker can send specially crafted packets to port 8211/UDP and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

21) OS Command Injection

EUVDB-ID: #VU72641

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22750

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the PAPI Protocol. A remote unauthenticated attacker can send specially crafted packets to port 8211/UDP and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

22) Stack-based buffer overflow

EUVDB-ID: #VU72642

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22751

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the PAPI Protocol. A remote unauthenticated attacker can send specially crafted packets to the port 8211/UDP, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

23) Stack-based buffer overflow

EUVDB-ID: #VU72643

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22752

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the PAPI Protocol. A remote unauthenticated attacker can send specially crafted packets to the port 8211/UDP, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

24) Buffer overflow

EUVDB-ID: #VU72644

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22753

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the PAPI Protocol. A remote attacker can send specially crafted packets to port 8211/UDP, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

25) Buffer overflow

EUVDB-ID: #VU72646

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22755

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the PAPI Protocol. A remote attacker can send specially crafted packets to port 8211/UDP, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

26) OS Command Injection

EUVDB-ID: #VU72654

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22762

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the CLI. A local user can pass specially crafted arguments via the CLI and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

27) Buffer overflow

EUVDB-ID: #VU72647

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22756

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the PAPI Protocol. A remote attacker can send specially crafted packets to port 8211/UDP, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

28) Buffer overflow

EUVDB-ID: #VU72648

Risk: High

CVSSv3.1:

CVE-ID: CVE-2023-22757

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the PAPI Protocol. A remote attacker can send specially crafted packets to port 8211/UDP, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

29) OS Command Injection

EUVDB-ID: #VU72650

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22758

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the web-based management interface. A remote authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

30) OS Command Injection

EUVDB-ID: #VU72651

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22759

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the web-based management interface. A remote authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

31) OS Command Injection

EUVDB-ID: #VU72652

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22760

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the web-based management interface. A remote authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

32) OS Command Injection

EUVDB-ID: #VU72653

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2023-22761

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the web-based management interface. A remote authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

ArubaOS: 8.6.0.0 - 10.3.1.0

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

33) Out-of-bounds read

EUVDB-ID: #VU56064

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3712

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing ASN.1 strings related to a confusion with NULL termination of strings in array. A remote attacker can pass specially crafted data to the application to trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SD-WAN: 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.8

ArubaOS: 8.6.0.0 - 10.3.1.0


CPE2.3 External links

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt


Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###