CRITICAL🇵🇱 Wersja polska

CVE-2024-42393

CVSS 9.8v3.1pub. 2024-08-06upd. 2024-08-12

There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

🤖 AI Analysis
How it works

The vulnerability stems from out-of-bounds write errors (CWE-787) and improper neutralization of control elements in code (CWE-94) within the Soft AP Daemon Service. An attacker can send a specially crafted network request without requiring authentication, allowing injection and execution of arbitrary commands at the operating system level. The attack vector is network-based and requires no privileges or user interaction.

Impact

An attacker can execute arbitrary commands on the device's operating system, leading to complete system compromise — loss of confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references — detailed information about versions containing fixes is available at: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04678en_us&docLocale=en_US

Who is affected

ArubaOS and HP InstantOS products — specific versions indicated in the manufacturer's references (HPE Security Bulletin hpesbnw04678en_us)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Arubanetworks Arubaos

    OS
    Arubanetworks
    10.3.0.0 – 10.4.1.4 (bez)10.5.0.0 – 10.6.0.1 (bez)
  • HP Instantos

    OS
    Hp
    6.4.0.0 – 8.10.0.13 (bez)8.12.0.0 – 8.12.0.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-42395CRITICAL9.8PL ✓ten sam produkt

RCE bez uwierzytelnienia w AP Certificate Management Service (ArubaOS/InstantOS)

CVE-2024-42394CRITICAL9.8PL ✓ten sam produkt

RCE w Soft AP Daemon Service — ArubaOS i InstantOS (KRYTYCZNY)

CVE-2024-31469CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w usłudze Central Communications Aruba – nieuwierzytelnione RCE

CVE-2024-31467CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w CLI service ArubaOS/InstantOS umożliwiający zdalny RCE

CVE-2024-31466CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w CLI service ArubaOS/InstantOS — nieuwierzytelniony RCE