Wi-Fi encryption bypass in Aruba devices
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-47522 |
| CWE-ID | CWE-311 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ArubaOS Operating systems & Components / Operating system Aruba Instant Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | Aruba Networks |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Missing Encryption of Sensitive Data
EUVDB-ID: #VU74346
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-47522
CWE-ID:
CWE-311 - Missing Encryption of Sensitive Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the way Wi-Fi devices manage transmit queues. A remote attacker can force the device to send traffic unencrypted by manipulating the transmit queues.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsArubaOS: 6.1.2.3 - 10.4.0.0
Aruba Instant: 4.2.4.17 - 8.10.0.2
External linkshttp://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-005.txt
http://papers.mathyvanhoef.com/usenix2023-wifi.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
