Critical Remote Code Execution & Authentication Bypass Vulnerabilities in Aruba EdgeConnect Enterprise Orchestrator


On Tuesday, October 11th, 2022, Aruba disclosed three critical vulnerabilities impacting EdgeConnect Enterprise Orchestrator. The vulnerabilities, CVE-2022-37913, CVE-2022-37914, and CVE-2022-37915, are authentication bypass and remote code execution vulnerabilities that could enable a remote threat actor to compromise the host. To exploit them, a threat actor would need WAN access to the CLI and/or web-based management interfaces.

CVE-2022-37913 and CVE-2022-37914 (CVSS v3.1 9.8)

An authentication bypass vulnerability in the web-based management interface of EdgeConnect Orchestrator allows an unauthenticated, remote attacker to bypass authentication.

CVE-2022-37915 (CVSS v3.1 9.8)

A vulnerability in the web-based management interface of EdgeConnect Orchestrator allows arbitrary command execution on the underlying host, leading to complete system compromise.

Affected Products:

  • EdgeConnect Enterprise Orchestrator (on-premises)
  • EdgeConnect Enterprise Orchestrator-as-a-Service
  • EdgeConnect Enterprise Orchestrator-SP and EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators
  • Orchestrator 9.1.2.40051 and below
  • Orchestrator 9.0.7.40108 and below
  • Orchestrator 8.10.23.40009 and below

Arctic Wolf has not observed public proof of concept (PoC) exploit code being published for these vulnerabilities. Aruba states that it has not detected active exploitation of these vulnerabilities and is not aware of PoC exploit code being available either. EdgeConnect devices are usually deployed in high-value environments, which makes them attractive targets, so threat actors may attempt to develop exploits for these vulnerabilities in the near future. We strongly recommend applying the relevant security patches to impacted devices to remediate the vulnerabilities and prevent potential exploitation.

Recommendations

Arctic Wolf strongly recommends applying the security patches provided by Aruba. For organizations that are not able to apply the patch immediately, Aruba has also provided a workaround that limits access to the CLI and web-based management interfaces. For organizations running older versions that are no longer supported, Aruba recommends upgrading to a newer product release as soon as possible.

Recommendation #1: Upgrade EdgeConnect to a Fixed Version

Upgrade Aruba EdgeConnect Enterprise Orchestrator to one of the following versions with the fixes to resolve all issues noted in the details section.

  • Aruba EdgeConnect Enterprise Orchestrator (on-premises)
    • Orchestrator 9.2.0.40405 and above
    • Orchestrator 9.1.3.40197 and above
    • Orchestrator 9.0.7.40110 and above
    • Orchestrator 8.10.23.40015 and above
  • Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
    • TAC will automatically create a support case for Aruba (Silver Peak) hosted Orchestrators to be upgraded.
  • Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators
    • Service providers must upgrade all tenants to a patched version listed above

NOTE: Aruba does not evaluate or patch product versions that have reached their End of Support (EoS) milestone.
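The fixed-version list above is split across four release branches, and a build is only safe if it is at or above the fixed build for its own branch (a 9.0.x build is not fixed just because 9.2.0.40405 exists). The following script, added here as an example and not Arctic Wolf's or Aruba's own tooling, encodes the fixed versions from this advisory and triages an inventory of Orchestrator version strings. The hostnames and the version strings in the sample inventory are constructed for the example; the version-string format (four dot-separated integers) is assumed from the builds listed in the advisory.

```python
"""Triage EdgeConnect Enterprise Orchestrator builds against the fixed versions
from the Aruba advisory for CVE-2022-37913/37914/37915.

Added example; not Arctic Wolf or Aruba code.
"""

# Fixed build per release branch, taken from Recommendation #1 above.
# Any build on a listed branch that is below its fixed build is treated as
# affected. Branch = first two version components.
FIXED_VERSIONS = {
    (9, 2): (9, 2, 0, 40405),
    (9, 1): (9, 1, 3, 40197),
    (9, 0): (9, 0, 7, 40110),
    (8, 10): (8, 10, 23, 40015),
}


def parse_version(text):
    """Convert 'A.B.C.D' into a tuple of ints.

    A numeric tuple is required so that comparison is numeric: as strings,
    '9.1.3.5000' would sort above '9.1.3.40197' and mislabel a fixed build.
    The four-component format is an assumption based on the builds listed
    in the advisory.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Orchestrator version format: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return 'fixed', 'affected' or 'unsupported-branch' for one build."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branch is not in the advisory's fixed list. Aruba does not evaluate
        # or patch End-of-Support releases, so the only remediation is an
        # upgrade to a supported branch; flag it separately from 'affected'.
        return "unsupported-branch"
    return "fixed" if version >= fixed else "affected"


def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: status}."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are invented for this example.
    sample = {
        "orch-prod-01": "9.1.2.40051",     # last affected 9.1 build per advisory
        "orch-prod-02": "9.1.3.40197",     # first fixed 9.1 build
        "orch-lab-01": "8.10.23.40009",    # affected 8.10 build
        "orch-legacy-01": "8.9.5.12345",   # branch not listed in the advisory
    }
    for host, status in triage(sample).items():
        print(f"{host:16} {sample[host]:16} {status}")
```

Builds that fall between the last affected build and the first fixed build on a branch (for example a 9.0.7 build numbered between 40108 and 40110) are reported as affected, since they are below the fixed build; that is the conservative reading of the advisory.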

Recommendation #2: Limit Access to CLI and Web-Based Management Interfaces

To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.


James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.