7.5
HIGH
CVE-2022-47522
"Aruba Wi-Fi MAC Address Spoofing WEP Key Downgrade"
Description

The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target's MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (such as authentication frames or re-association frames) to remove the target's original security context. This behavior occurs because the specifications do not require an access point to purge its transmit queue before removing a client's pairwise encryption key.

INFO

Published Date :

April 15, 2023, 2:15 a.m.

Last Modified :

Sept. 7, 2023, 6:15 a.m.

Source :

[email protected]

Remotely Exploitable :

No

Impact Score :

5.9

Exploitability Score :

1.6
Public PoC/Exploit Available at Github

CVE-2022-47522 has a 2 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2022-47522 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Sonicwall tz670_firmware
2 Sonicwall tz570_firmware
3 Sonicwall tz570p_firmware
4 Sonicwall tz570w_firmware
5 Sonicwall tz470_firmware
6 Sonicwall tz470w_firmware
7 Sonicwall tz370_firmware
8 Sonicwall tz370w_firmware
9 Sonicwall tz270_firmware
10 Sonicwall tz270w_firmware
11 Sonicwall tz600_firmware
12 Sonicwall tz600p_firmware
13 Sonicwall tz500_firmware
14 Sonicwall tz500w_firmware
15 Sonicwall tz400_firmware
16 Sonicwall tz400w_firmware
17 Sonicwall tz350_firmware
18 Sonicwall tz350w_firmware
19 Sonicwall tz300_firmware
20 Sonicwall tz300p_firmware
21 Sonicwall tz300w_firmware
22 Sonicwall soho_250_firmware
23 Sonicwall soho_250w_firmware
24 Sonicwall sonicwave_231c_firmware
25 Sonicwall sonicwave_224w_firmware
26 Sonicwall sonicwave_432o_firmware
27 Sonicwall sonicwave_621_firmware
28 Sonicwall sonicwave_641_firmware
29 Sonicwall sonicwave_681_firmware
1 Ieee ieee_802.11
: Total Affected Vendor : 2 | Products : 30
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2022-47522.

URL Resource
https://papers.mathyvanhoef.com/usenix2023-wifi.pdf Exploit Technical Description Third Party Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0006 Third Party Advisory
https://www.freebsd.org/security/advisories/FreeBSD-SA-23:11.wifi.asc
https://www.wi-fi.org/discover-wi-fi/passpoint Not Applicable

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
domienschepers/wifi-framing

Repository for the Framing Frames publication: security context and transmit queue manipulations, client isolation bypasses, and more.

Shell Python

Updated: 2 months, 3 weeks ago
43 stars 2 fork 2 watcher
Born at : March 27, 2023, 2:10 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
vanhoefm/macstealer

None

Makefile Shell C Roff Perl Python PHP GDB C++ AIDL

Updated: 3 months ago
511 stars 49 fork 49 watcher
Born at : Dec. 13, 2022, 3:09 a.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2022-47522 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2022-47522 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    Sep. 07, 2023

    Action Type Old Value New Value
    Added Reference https://www.freebsd.org/security/advisories/FreeBSD-SA-23:11.wifi.asc [No Types Assigned]
  • Initial Analysis by [email protected]

    Apr. 28, 2023

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://papers.mathyvanhoef.com/usenix2023-wifi.pdf No Types Assigned https://papers.mathyvanhoef.com/usenix2023-wifi.pdf Exploit, Technical Description, Third Party Advisory
    Changed Reference Type https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0006 No Types Assigned https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0006 Third Party Advisory
    Changed Reference Type https://www.wi-fi.org/discover-wi-fi/passpoint No Types Assigned https://www.wi-fi.org/discover-wi-fi/passpoint Not Applicable
    Added CWE NIST CWE-290
    Added CPE Configuration OR *cpe:2.3:a:ieee:ieee_802.11:*:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz670_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz670:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz570_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz570:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz570p_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz570p:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz570w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz570w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz470_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz470:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz470w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz470w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz370_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz370:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz370w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz370w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz270_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz270:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz270w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz270w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz600_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz600:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz600p_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz600p:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz500_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz500:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz500w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz500w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz400_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz400:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz400w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz400w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz350_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz350:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz350w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz350w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz300_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz300:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz300p_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz300p:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:tz300w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:tz300w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:soho_250_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:soho_250:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:soho_250w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:soho_250w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:sonicwave_231c_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:sonicwave_231c:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:sonicwave_224w_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:sonicwave_224w:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:sonicwave_432o_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:sonicwave_432o:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:sonicwave_621_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:sonicwave_621:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:sonicwave_641_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:sonicwave_641:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:sonicwall:sonicwave_681_firmware:-:*:*:*:*:*:*:* OR cpe:2.3:h:sonicwall:sonicwave_681:-:*:*:*:*:*:*:*
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

0.12 }} 0.03%

score

0.47047

percentile

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: