- 193/2023
- High
Aruba has released a security update to fix several vulnerabilities in HPE Aruba Networking Virtual Intranet Access (VIA) client for Microsoft Windows version 4.5.0 and below.
The addressed vulnerabilities could allow the attacker to gain elevated privileges and execute arbitrary code with NT AUTHORITY\SYSTEM privileges on the operating system, or perform a denial of service attack on the vulnerable system.
The addressed vulnerabilities:
1. HPE Aruba Networking Virtual Intranet Access (VIA) Local Privilege Escalation Vulnerability (CVE-2023-38401):
- CVSS: 7.8
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
2. HPE Aruba Networking Virtual Intranet Access (VIA) Arbitrary File Overwrite Vulnerability (CVE-2023-38402):
- CVSS: 7.1
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Denial of Service
Vulnerabilities
- CVE-2023-38401
- CVE-2023-38402
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.