A vulnerability was found in Aruba ArubaOS 8.10.0.11/8.11.2.2/10.4.1.1/10.5.1.1. It has been rated as very critical. Affected by this issue is some unknown functionality of the component L2-L3 Management Service. The manipulation with an unknown input leads to a buffer overflow vulnerability. Using CWE to declare the problem leads to CWE-120. The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow. Impacted is confidentiality, integrity, and availability. CVE summarizes:

There is a buffer overflow vulnerability in the underlying L2/L3 Management service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

The advisory is available at arubanetworks.com. This vulnerability is handled as CVE-2024-26304 since 02/16/2024. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 05/01/2024).

Upgrading eliminates this vulnerability.

The entries VDB-262751, VDB-262752, VDB-262753 and VDB-262769 are related to this item.

Productinfo

Vendor

• Aruba

Name

• ArubaOS

Version

• 8.10.0.11
• 8.11.2.2
• 10.4.1.1
• 10.5.1.1

License

• commercial

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion