CVE-2023-46272
Published: 19 February 2025
Description
Buffer Overflow vulnerability in Extreme Networks IQ Engine before 10.6r1a, and through 10.6r4 before 10.6r5, allows an attacker to execute arbitrary code via the implementation of the ah_auth service.
Security Summary
CVE-2023-46272 is a buffer overflow vulnerability (CWE-121) in Extreme Networks IQ Engine, affecting versions before 10.6r1a and through 10.6r4 before 10.6r5. The flaw lies in the implementation of the ah_auth service and allows an attacker to execute arbitrary code. It carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An adjacent attacker (AV:A) can exploit this vulnerability with low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). Exploitation enables arbitrary code execution with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H); the security scope is unchanged (S:U).
Advisories recommend mitigation by upgrading to Extreme Networks IQ Engine 10.6r1a or later for early branches, or to 10.6r5 for versions through 10.6r4, as outlined in the vendor security bulletin at https://extreme-networks.my.site.com/ExtrArticleDetail?an=000115355&q=CVE-2023-46272 and the Zero Day Initiative disclosure at https://www.zerodayinitiative.com/advisories/ZDI-23-1765/.
Details
- CWE(s)