- 179/2023
- Critical
Aruba has released security updates to fix several vulnerabilities in multiple versions of Aruba Networks.
The addressed vulnerabilities could allow the remote attacker to cause a buffer overflow and execute arbitrary code on the affected systems by sending specially crafted packets to the PAPI UDP port (8211) or obtain sensitive information from the vulnerable product, caused by improper handling of ICMP requests in the kernel module.
Sample of the addressed vulnerabilities:
Aruba Networks ArubaOS and InstantOS Buffer Overflow (CVE-2023-35980):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
The affected products:
- ArubaOS 10.4.x.x: 10.4.0.1 and below.
- InstantOS 8.11.x.x: 8.11.1.0 and below.
- InstantOS 8.10.x.x: 8.10.0.6 and below.
- InstantOS 8.6.x.x: 8.6.0.20 and below.InstantOS 6.5.x.x: 6.5.4.24 and below.
- InstantOS 6.4.x.x: 6.4.4.8-4.2.4.21 and below.
Vulnerabilities
- CVE-2022-25667
- CVE-2023-35980
- CVE-2023-35981
- CVE-2023-35982
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.