#VU8916 SQL injection in ArubaOS

Cybersecurity Help s.r.o.

Published: 2017-10-24 | Updated: 2017-10-26

Vulnerability identifier: #VU8916

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: N/A

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ArubaOS
Operating systems & Components / Operating system

Vendor: Aruba Networks

Description
The vulnerability allows a remote administrative attacker to execute SQL commands on the target system.

The weakness exists due to improper validation of user-supplied input. A remote attacker with access to the management interface can supply a specially crafted parameter value and execute SQL commands to read or write arbitrary data.

Mitigation
The vulnerability is addressed in the following versions: 6.3.1.25, 6.4.4.16, 6.5.1.9, 6.5.3.3, 6.5.4.2, 8.1.0.4.

Vulnerable software versions

ArubaOS: 6.4.4.1 - 8.1.0.2

External links
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-006.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Aruba Network ArubaOS