CVE-2024-42393 — Out-of-bounds Write in Arubaos

CWE-787 — Out-of-bounds Write CWE-94 — Code Injection3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.5%

top 35.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Arubanetworks Arubaos HP Instantos Hewlett Packard Enterprise HPE Aruba Networking Instantos AND Aruba Access Points Running Arubaos 10

Timeline

PublishedAug 6

Description

There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDhp/instantos6.4.0.0 — 8.10.0.13+1

▶NVDarubanetworks/arubaos10.3.0.0 — 10.4.1.4+1

▶CVEListV5hewlett_packard_enterprise/hpe_aruba_networking_instantos_and_aruba_access_points_running_arubaos_10Version 8.12.0.0: 8.12.0.1 and below — <=8.12.0.1+1

🔴Vulnerability Details

GHSA

GHSA-q6mf-h7m3-wffm: There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack↗2024-08-06

▶

CVEList

Unauthenticated Stack-Based Buffer Overflow Remote Command Execution (RCE) in the Soft AP Daemon Service Accessed by the PAPI Protocol↗2024-08-06

▶