CVE-2022-37904 - OpenCVE

Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Arubanetworks	7005 7008 7010 7024 7030 7205 7210 7220 7240xm 7280 Arubaos Sd-wan

Configuration 1 [-]

AND

OR	cpe:2.3:a:arubanetworks:sd-wan::::::::
	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:arubanetworks:arubaos:10.3.0.0:::::::*

OR	cpe:2.3:h:arubanetworks:7005:-:::::::*
	cpe:2.3:h:arubanetworks:7008:-:::::::*
	cpe:2.3:h:arubanetworks:7010:-:::::::*
	cpe:2.3:h:arubanetworks:7024:-:::::::*
	cpe:2.3:h:arubanetworks:7030:-:::::::*
	cpe:2.3:h:arubanetworks:7205:-:::::::*
	cpe:2.3:h:arubanetworks:7210:-:::::::*
	cpe:2.3:h:arubanetworks:7220:-:::::::*
	cpe:2.3:h:arubanetworks:7240xm:-:::::::*
	cpe:2.3:h:arubanetworks:7280:-:::::::*

No data.

References

Link	Providers
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt

History

No history.

MITRE

Status: PUBLISHED

Assigner: hpe

Published: 2022-11-03T19:13:52.272Z

Updated: 2024-08-03T10:37:41.950Z

Reserved: 2022-08-08T18:45:22.551Z

Link: CVE-2022-37904

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-12T13:15:12.923

Modified: 2023-11-07T03:49:54.737

Link: CVE-2022-37904

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-37904", "assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "state": "PUBLISHED", "assignerShortName": "hpe", "requesterUserId": "6707ad87-4508-4473-b324-feac48da5e14", "dateReserved": "2022-08-08T18:45:22.551Z", "datePublished": "2022-11-03T19:13:52.272Z", "dateUpdated": "2024-08-03T10:37:41.950Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central", "vendor": "Hewlett Packard Enterprise", "versions": [{"status": "unaffected", "version": "ArubaOS 6.5.4.x: 6.5.4.23 and above; ArubaOS 8.6.x: 8.6.0.18 and above; ArubaOS 8.7.x: 8.7.1.10 and above; ArubaOS 8.10.x: 8.10.0.0 and above; ArubaOS 10.3.x: 10.3.0.1 and above; SD-WAN-2.3.0.x: 8.7.0.0-2.3.0.7 and above"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.</p>"}], "value": "Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe", "dateUpdated": "2022-12-12T12:11:04.548862Z"}, "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "cveClient/1.0.13"}, "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:37:41.950Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CF50C4E-038A-4120-BF86-05DF607C59CB", "versionEndExcluding": "8.7.0.0-2.3.0.6", "versionStartIncluding": "8.7.0.0-2.3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "matchCriteriaId": "49CE5580-518E-4CC8-894A-A78F476D6EC7", "versionEndExcluding": "6.5.4.22", "versionStartIncluding": "6.5.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "matchCriteriaId": "58A7807B-5AD1-4CE1-8974-772067778D97", "versionEndExcluding": "8.6.0.17", "versionStartIncluding": "8.4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "matchCriteriaId": "F077A2FC-EE0D-4D8F-A5E1-A1BE3285EFDD", "versionEndExcluding": "8.7.1.9", "versionStartIncluding": "8.7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "matchCriteriaId": "16FA1F06-8C2E-4DB6-AE03-48B49ABD967E", "versionEndIncluding": "8.9.03", "versionStartIncluding": "8.8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:arubanetworks:arubaos:10.3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "84A36EB0-A525-4B05-B9CE-A31145A7157C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:arubanetworks:7005:-:*:*:*:*:*:*:*", "matchCriteriaId": "FE128072-9444-40D5-AC86-BB317869EB97", "vulnerable": false}, {"criteria": "cpe:2.3:h:arubanetworks:7008:-:*:*:*:*:*:*:*", "matchCriteriaId": "F747F71E-66BC-4776-BCCC-3123F8EEEBC6", "vulnerable": false}, {"criteria": "cpe:2.3:h:arubanetworks:7010:-:*:*:*:*:*:*:*", "matchCriteriaId": "59612211-5054-44DC-B028-61A2C5C6133D", "vulnerable": false}, {"criteria": "cpe:2.3:h:arubanetworks:7024:-:*:*:*:*:*:*:*", "matchCriteriaId": "15FE873C-3C45-4EA3-9AD1-D07F132BC31F", "vulnerable": false}, {"criteria": "cpe:2.3:h:arubanetworks:7030:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8E68DB6-149B-4469-BD27-69F1AC59166F", "vulnerable": false}, {"criteria": "cpe:2.3:h:arubanetworks:7205:-:*:*:*:*:*:*:*", "matchCriteriaId": "2E9AA178-1327-402E-8740-8409ECA448BC", "vulnerable": false}, {"criteria": "cpe:2.3:h:arubanetworks:7210:-:*:*:*:*:*:*:*", "matchCriteriaId": "9969F899-4D7A-4DD5-B81D-DB16B20CF86A", "vulnerable": false}, {"criteria": "cpe:2.3:h:arubanetworks:7220:-:*:*:*:*:*:*:*", "matchCriteriaId": "CF33BAD0-0596-4910-B096-99E2033F73D8", "vulnerable": false}, {"criteria": "cpe:2.3:h:arubanetworks:7240xm:-:*:*:*:*:*:*:*", "matchCriteriaId": "FDDFDA5E-3895-463A-86EA-1823EC1B5045", "vulnerable": false}, {"criteria": "cpe:2.3:h:arubanetworks:7280:-:*:*:*:*:*:*:*", "matchCriteriaId": "3BBA9A71-BE10-471A-A8BE-5CCB8CE8393F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.\n\n"}, {"lang": "es", "value": "Existen vulnerabilidades en ArubaOS que se ejecutan en controladores de la serie 7xxx que permiten a un atacante ejecutar c\u00f3digo arbitrario durante la secuencia de inicio. La explotaci\u00f3n exitosa podr\u00eda permitir a un atacante lograr una modificaci\u00f3n permanente del sistema operativo subyacente."}], "id": "CVE-2022-37904", "lastModified": "2023-11-07T03:49:54.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "security-alert@hpe.com", "type": "Secondary"}]}, "published": "2022-12-12T13:15:12.923", "references": [{"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}