Vulnerabilities in HPE Aruba Networking Products Enable Unauthorized File Overwriting

HPE Aruba Networking has identified two critical vulnerabilities, CVE-2023-38401 and CVE-2023-38402, affecting their Virtual Intranet Access (VIA) client designed for Microsoft Windows. In the event of a successful exploit, an attacker gains the ability to overwrite files without authorization.

HPE Aruba Networking has taken immediate action to mitigate these high-severity vulnerabilities by releasing an update. Unfortunately, there are no viable workarounds to address these issues.

It’s important to note that versions of the HPE Aruba Networking Virtual Intranet Access (VIA) client that have reached the End of Maintenance (EoM) milestone will remain unpatched.

Here are the specifics of the vulnerabilities:

CVE-2023-38401 – Local Privilege Escalation

This vulnerability, identified as CVE-2023-38401, carries a high severity score of 7.8. It affects the HPE Aruba Networking Virtual Intranet Access (VIA) client, potentially enabling local users to elevate their privileges. The flaw was discovered and reported by Will Dormann (@wdormann) through the HPE Aruba Networking Bug Bounty Program. Aruba Networks warns that successful exploitation could grant the attacker the ability to execute arbitrary code with NT AUTHORITY\SYSTEM privileges on the operating system.

CVE-2023-38402 – Arbitrary File Overwrite

Known as CVE-2023-38402, this vulnerability holds a high severity score of 7.1. It pertains to the HPE Aruba Networking Virtual Intranet Access (VIA) client and may permit malicious users to overwrite arbitrary files as NT AUTHORITY\SYSTEM. Gee-netics discovered and reported this flaw through the HPE Aruba Networking Bug Bounty Program. A successful exploit could result in these malicious users causing a Denial-of-Service (DoS) condition, impacting the boot process of the Microsoft Windows Operating System.

Affected Products

These vulnerabilities impact HPE Aruba Networking Virtual Intranet Access (VIA) clients running the following versions:

  • HPE Aruba Networking Virtual Intranet Access (VIA) client for Microsoft Windows:
    • Versions 4.5.0 and below.

Other operating systems running HPE Aruba Networking Virtual Intranet Access (VIA) are not affected by these flaws.

Available Fix

To address these vulnerabilities, it is imperative that users of HPE Aruba Networking Virtual Intranet Access (VIA) for Microsoft Windows update to version 4.6.0 or a higher version as soon as possible. This update will help mitigate the risks associated with these vulnerabilities and ensure the security of your system.
