ArubaOS 10.3.x < 10.3.1.1 Multiple Vulnerabilities (ARUBA-PSA-2023-006)

Severity: High | Nessus Plugin ID 175413

Synopsis

An application installed on the remote host is affected by multiple vulnerabilities.

Description

The version of ArubaOS installed on the remote host is affected by multiple vulnerabilities:

- An unauthenticated Denial of Service (DoS) vulnerability exists in a service accessed via the PAPI protocol provided by Aruba InstantOS and ArubaOS 10. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected access point. (CVE-2023-22787)

- Multiple authenticated command injection vulnerabilities exist in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of these vulnerabilities can result in the ability to execute arbitrary commands as a privileged user on the underlying operating system. (CVE-2023-22788, CVE-2023-22789, CVE-2023-22790)

- A vulnerability exists in Aruba InstantOS and ArubaOS 10 where an edge-case combination of network configuration, a specific WLAN environment and an attacker already possessing valid user credentials on that WLAN can lead to sensitive information being disclosed via the WLAN. The scenarios in which this disclosure of potentially sensitive information can occur are complex and depend on factors that are beyond the control of the attacker. (CVE-2023-22791)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to the ArubaOS version mentioned in the vendor advisory.

See Also

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt

Plugin Details

Severity: High

ID: 175413

File Name: arubaos-10-3-1-aruba-psa-2023-006.nasl

Version: 1.3

Type: combined

Family: Misc.

Published: 5/12/2023

Updated: 11/17/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-22790

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:arubanetworks:arubaos, cpe:/o:hp:arubaos

Required KB Items: installed_sw/ArubaOS

Exploit Ease: No known exploits are available

Patch Publication Date: 5/9/2023

Vulnerability Publication Date: 5/9/2023

Reference Information

CVE: CVE-2023-22787, CVE-2023-22788, CVE-2023-22789, CVE-2023-22790, CVE-2023-22791

IAVA: 2023-A-0252-S