CVE-2024-42395 — Out-of-bounds Write in Arubaos

CWE-787 — Out-of-bounds Write CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 49.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Arubanetworks Arubaos HP Instantos Hewlett Packard Enterprise HPE Aruba Networking Instantos AND Aruba Access Points Running Arubaos 10

Timeline

PublishedAug 6

Description

There is a vulnerability in the AP Certificate Management Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDhp/instantos6.4.0.0 — 8.10.0.13+1

▶NVDarubanetworks/arubaos10.3.0.0 — 10.4.1.4+1

▶CVEListV5hewlett_packard_enterprise/hpe_aruba_networking_instantos_and_aruba_access_points_running_arubaos_10Version 8.12.0.0: 8.12.0.1 and below — <=8.12.0.1+1

🔴Vulnerability Details

GHSA

GHSA-m578-pv52-h53w: There is a vulnerability in the AP Certificate Management Service which could allow a threat actor to execute an unauthenticated RCE attack↗2024-08-06

▶

CVEList

Unauthenticated Stack-Based Buffer Overflow Remote Command Execution (RCE) in the AP Certificate Management Service Accessed by the PAPI Protocol↗2024-08-06

▶