CRITICAL🇵🇱 Wersja polska

CVE-2024-42395

CVSS 9.8v3.1pub. 2024-08-06upd. 2024-08-12

There is a vulnerability in the AP Certificate Management Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

🤖 AI Analysis
How it works

The vulnerability results from a buffer overflow error (CWE-787) and improper certificate verification (CWE-295) in the AP Certificate Management Service. An attacker can remotely, without requiring any privileges or user interaction, send a specially crafted request to the vulnerable service. Exploitation enables execution of arbitrary system commands at the device's operating system level.

Impact

An attacker can gain full control over the device by executing arbitrary commands at the operating system level, leading to complete system compromise — including data theft, network configuration modification, and use of the device as an entry point for further attacks.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with the references — HPE Security Bulletin available at: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04678en_us&docLocale=en_US

Who is affected

ArubaNetworks ArubaOS and HPE InstantOS products — specific versions indicated in the manufacturer's references (HPE Security Bulletin hpesbnw04678en_us)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Arubanetworks Arubaos

    OS
    Arubanetworks
    10.3.0.0 – 10.4.1.4 (bez)10.5.0.0 – 10.6.0.1 (bez)
  • HP Instantos

    OS
    Hp
    6.4.0.0 – 8.10.0.13 (bez)8.12.0.0 – 8.12.0.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-42394CRITICAL9.8PL ✓ten sam produkt

RCE w Soft AP Daemon Service — ArubaOS i InstantOS (KRYTYCZNY)

CVE-2024-42393CRITICAL9.8PL ✓ten sam produkt

RCE w Soft AP Daemon Service — ArubaOS i InstantOS

CVE-2024-31469CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w usłudze Central Communications Aruba – nieuwierzytelnione RCE

CVE-2024-31467CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w CLI service ArubaOS/InstantOS umożliwiający zdalny RCE

CVE-2024-31466CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w CLI service ArubaOS/InstantOS — nieuwierzytelniony RCE