CVE-2023-38486 — Incorrect Authorization in Arubaos

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

6.4MEDIUMNVD

CNA7.7

EPSS

0.0%

top 97.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Arubanetworks Arubaos

Timeline

PublishedSep 6

Description

A vulnerability in the secure boot implementation on affected Aruba 9200 and 9000 Series Controllers and Gateways allows an attacker to bypass security controls which would normally prohibit unsigned kernel images from executing. An attacker can use this vulnerability to execute arbitrary runtime operating systems, including unverified and unsigned OS images.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.5 | Impact: 5.9

Affected Packages1 packages

▶NVDarubanetworks/arubaos8.6.0.0 — 8.6.0.22+3

🔴Vulnerability Details

CVEList

Hardware Root of Trust Bypass in 9200 and 9000 Series Controllers and Gateways↗2023-09-06

▶

GHSA

GHSA-95xr-xpj5-h4g4: A vulnerability in the secure boot implementation on affected Aruba 9200 and 9000 Series Controllers and Gateways allows an attacker to bypass securit↗2023-09-06

▶