CVE-2022-23677
Published: 10 May 2022
Summary
CVE-2022-23677 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Arubanetworks 5406R Firmware. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 9.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
A remote arbitrary code execution vulnerability exists in ArubaOS-Switch software running on Aruba networking devices. The affected releases include all versions of 15.xx.xxxx, 16.01.xxxx, 16.03.xxxx through 16.07.xxxx, and builds at or below K.16.02.0033, KB/WB/WC/YA/YB/YC.16.08.0024, KB/WB/WC/YA/YB/YC.16.09.0019, KB/WB/WC/YA/YB/YC.16.10.0019, and KB/WB/WC/YA/YB/YC.16.11.0003. The flaw is tracked as CWE-787 and carries a CVSS 3.1 score of 8.1.
An unauthenticated attacker may exploit the issue remotely over the network without user interaction. Although the attack complexity is rated high, successful exploitation can result in full control of the device, allowing arbitrary code execution that impacts confidentiality, integrity, and availability.
Aruba has published advisory ARUBA-PSA-2022-008 and released upgraded firmware versions that remediate the vulnerability for the listed ArubaOS-Switch releases. The current EPSS score of 0.0569 with a peak of 0.0649 does not indicate a material rise warranting renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-28616
Vulnerability details
A remote execution of arbitrary code vulnerability was discovered in ArubaOS-Switch Devices. Affected version(s):
- ArubaOS-Switch 15.xx.xxxx: All versions
- ArubaOS-Switch 16.01.xxxx: All versions
- ArubaOS-Switch 16.02.xxxx: K.16.02.0033 and below
- ArubaOS-Switch 16.03.xxxx: All versions
- ArubaOS-Switch 16.04.xxxx: All versions
- ArubaOS-Switch 16.05.xxxx: All versions
- ArubaOS-Switch 16.06.xxxx: All versions
- ArubaOS-Switch 16.07.xxxx: All versions
- ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0024 and below
- ArubaOS-Switch 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0019 and below
- ArubaOS-Switch 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0019 and below
- ArubaOS-Switch 16.11.xxxx: KB/WB/WC/YA/YB/YC.16.11.0003 and below
Aruba has released upgrades for ArubaOS-Switch Devices that address these security vulnerabilities.
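The affected-version table above is the part of this record a defender actually has to act on, so here is an added example (not code from this page, from Aruba, or from the advisory) that turns it into an inventory check. It assumes ArubaOS-Switch software revision strings of the form BRANCH.MAJOR.MINOR.BUILD (for example KB.16.08.0024, matching the strings quoted above) and treats the branch letters as irrelevant to the comparison. A device whose stream is not in the table, or whose build is above the listed threshold, is reported as "not listed", which is not the same as confirmed remediated: this page does not give the fixed version numbers, so those devices should still be checked against ARUBA-PSA-2022-008.

```python
import re
from typing import Dict, NamedTuple, Optional

# Thresholds transcribed from the affected-version list on this page.
# Key: (major, minor) stream. Value: highest affected build number, or None
# when every build of that stream is listed as affected. Streams absent from
# this table are treated as "not listed" (not necessarily fixed).
AFFECTED_STREAMS: Dict[tuple, Optional[int]] = {
    (16, 1): None,   # 16.01.xxxx: all versions
    (16, 2): 33,     # K.16.02.0033 and below
    (16, 3): None,
    (16, 4): None,
    (16, 5): None,
    (16, 6): None,
    (16, 7): None,
    (16, 8): 24,     # KB/WB/WC/YA/YB/YC.16.08.0024 and below
    (16, 9): 19,     # ...16.09.0019 and below
    (16, 10): 19,    # ...16.10.0019 and below
    (16, 11): 3,     # ...16.11.0003 and below
}
# 15.xx.xxxx is "all versions" regardless of the minor number.
ALL_AFFECTED_MAJORS = {15}


class SwitchVersion(NamedTuple):
    branch: str
    major: int
    minor: int
    build: int


# Assumed revision-string layout: 1-2 branch letters, then major.minor.build.
VERSION_RE = re.compile(r"^([A-Z]{1,2})\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> SwitchVersion:
    """Parse e.g. 'KB.16.08.0024' into its numeric components."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ArubaOS-Switch version string: {text!r}")
    branch, major, minor, build = m.groups()
    return SwitchVersion(branch, int(major), int(minor), int(build))


def is_affected(text: str) -> bool:
    """True when the version falls inside the affected set on this page."""
    v = parse_version(text)
    if v.major in ALL_AFFECTED_MAJORS:
        return True
    if (v.major, v.minor) not in AFFECTED_STREAMS:
        return False  # stream not listed on the page
    threshold = AFFECTED_STREAMS[(v.major, v.minor)]
    if threshold is None:
        return True   # every build of this stream is affected
    return v.build <= threshold


def triage(inventory: str) -> Dict[str, str]:
    """Classify 'hostname version' lines as affected / not listed / unparsed."""
    result: Dict[str, str] = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(" ")
        try:
            result[host] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            result[host] = "unparsed"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """
# host   software revision
core-sw-01 KB.16.08.0024
core-sw-02 KB.16.08.0025
edge-sw-01 K.16.02.0033
edge-sw-02 YA.15.18.0013
edge-sw-03 WC.16.05.0100
edge-sw-04 KB.16.11.0004
edge-sw-05 not-a-version
"""

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {verdict}")
```

Feed it the output of your own inventory export in the same "host version" shape; the "unparsed" bucket is there deliberately so that an unexpected string format surfaces as work to do rather than being silently skipped.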
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are blunted by memory protections that mark data pages non-executable, so injected code cannot run even if the write succeeds.