Multiple privilege escalation vulnerabilities in ArubaOS
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-37722 CVE-2021-37721 CVE-2021-37720 CVE-2020-37719 |
| CWE-ID | CWE-78 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
ArubaOS Operating systems & Components / Operating system |
| Vendor | Aruba Networks |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) OS Command Injection
EUVDB-ID: #VU56287
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-37722
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the command line interface. A local authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsArubaOS: 6.4.2.1 - 8.7.1.3
CPE2.3- cpe:2.3:o:aruba_networks:arubaos:6.4.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:aruba_networks:arubaos:6.4.2.3:*:*:*:*:*:*:*
- cpe:2.3:o:aruba_networks:arubaos:6.4.2.4:*:*:*:*:*:*:*
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) OS Command Injection
EUVDB-ID: #VU56286
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-37721
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the command line interface. A local authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsArubaOS: 6.4.2.1 - 8.7.1.3
CPE2.3- cpe:2.3:o:aruba_networks:arubaos:6.4.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:aruba_networks:arubaos:6.4.2.3:*:*:*:*:*:*:*
- cpe:2.3:o:aruba_networks:arubaos:6.4.2.4:*:*:*:*:*:*:*
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) OS Command Injection
EUVDB-ID: #VU56285
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-37720
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the command line interface. A local authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsArubaOS: 6.4.2.1 - 8.7.1.3
CPE2.3- cpe:2.3:o:aruba_networks:arubaos:6.4.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:aruba_networks:arubaos:6.4.2.3:*:*:*:*:*:*:*
- cpe:2.3:o:aruba_networks:arubaos:6.4.2.4:*:*:*:*:*:*:*
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) OS Command Injection
EUVDB-ID: #VU56284
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-37719
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the command line interface. A local authenticated user can pass specially crafted data to the application and execute arbitrary OS commands on the target system with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsArubaOS: 6.4.2.1 - 8.7.1.3
CPE2.3- cpe:2.3:o:aruba_networks:arubaos:6.4.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:aruba_networks:arubaos:6.4.2.3:*:*:*:*:*:*:*
- cpe:2.3:o:aruba_networks:arubaos:6.4.2.4:*:*:*:*:*:*:*
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
