Headline
CVE-2023-35803: SA-2023-067 - IQ Engine acsd service buffer overflow (CVE-2023-35803)
IQ Engine before 10.6r2 on Extreme Network AP devices has a Buffer Overflow.
Summary
A buffer overflow vulnerability in the implementation of the acsd service on IQ Engine may be exploited to obtain elevated privileges to conduct remote code execution.
Extreme Networks acknowledges and thanks Lachlan Davidson from Aura Information Security for reporting this vulnerability to Extreme under coordinated vulnerability disclosure protocols.
Products not listed in the Products Potentially Affected section have not been evaluated. Furthermore, products that have exceeded any software maintenance time periods are also not evaluated and will not be published. Please consult End of Sale and End of Service Life - Extreme Networks for the EOL notices related to the product under question.
Products Potentially Affected
OS/Product
Exposure
IQ Engine (HiveOS)
Yes
Repair Recommendations
IQ Engine(HiveOS):
Fixed in 10.6r2 or later:
- AP302W
- AP305C/CX
- AP305C-1
- AP410C
- AP410C-1
- AP460C
- AP460S6C
- AP460S12C
- AP510C/CX
- AP630
- AP650
- AP650X
- AP3000
- AP3000X
- AP4000
- AP4000-1
- AP5010
- AP5050D
- AP5050U
Fixed in 10.6r5 (Target GA: October 2023) or later:
AP models receiving patches in 10.6r5 are in End of Software Maintenance phase.
Customers are strongly encouraged to upgrade to currently supported AP models.
- AP30
- AP122
- AP130
- AP150W
- AP250
- AP550
- AP1130
Please see the full security advisory article here for more details and updates.