CVE-2022-37904 — Write-what-where Condition in Arubaos

CWE-123 — Write-what-where Condition CWE-94 — Code Injection3 documents3 sources

Severity

8.8HIGHNVD

CNA6.6

EPSS

0.8%

top 26.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Arubanetworks Arubaos Arubanetworks Sd-wan

Timeline

PublishedDec 12

Description

Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDarubanetworks/arubaos6.5.4.0 — 6.5.4.22+4

▶NVDarubanetworks/sd-wan8.7.0.0-2.3.0.0 — 8.7.0.0-2.3.0.6

🔴Vulnerability Details

GHSA

GHSA-pxcm-w3r6-w362: Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence↗2022-12-12

▶

CVEList

CVE-2022-37904: Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence↗2022-11-03

▶