CRITICAL🇵🇱 Wersja polska

CVE-2024-42394

CVSS 9.8v3.1pub. 2024-08-06upd. 2024-08-12

There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

🤖 AI Analysis
How it works

The vulnerability includes two types of errors: out-of-bounds write (CWE-787) and information disclosure (CWE-200). An attacker can send specially crafted requests to the Soft AP Daemon Service without any authentication, leading to the execution of arbitrary commands in the context of the device's operating system. The attack vector is network-based, requires no user interaction or any privileges on the attacker's side.

Impact

Successful exploitation leads to complete takeover of the system — the attacker can execute arbitrary commands at the operating system level of the device, resulting in complete violation of confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the manufacturer according to the references — detailed information about versions that fix the vulnerability is provided in the HPE security bulletin: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04678en_us&docLocale=en_US

Who is affected

Aruba Networks products: ArubaOS and HP InstantOS — versions indicated in the manufacturer's references (HPE Security Bulletin HPESBNW04678).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Arubanetworks Arubaos

    OS
    Arubanetworks
    10.3.0.0 – 10.4.1.4 (bez)10.5.0.0 – 10.6.0.1 (bez)
  • HP Instantos

    OS
    Hp
    6.4.0.0 – 8.10.0.13 (bez)8.12.0.0 – 8.12.0.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-42395CRITICAL9.8PL ✓ten sam produkt

RCE bez uwierzytelnienia w AP Certificate Management Service (ArubaOS/InstantOS)

CVE-2024-42393CRITICAL9.8PL ✓ten sam produkt

RCE w Soft AP Daemon Service — ArubaOS i InstantOS

CVE-2024-31469CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w usłudze Central Communications Aruba – nieuwierzytelnione RCE

CVE-2024-31467CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w CLI service ArubaOS/InstantOS umożliwiający zdalny RCE

CVE-2024-31466CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w CLI service ArubaOS/InstantOS — nieuwierzytelniony RCE