Aruba has released security updates for the EdgeConnect Enterprise Orchestrator, addressing multiple critical severity vulnerabilities that enable remote attackers to compromise the host.
Aruba EdgeConnect Orchestrator is a widely used WAN management solution, offering enterprise users optimization, administration, automation, and real-time visibility and monitoring features.
Critical and easily exploitable flaws in this product introduce risks for systems and networks, so applying the available security updates should be a priority for administrators.
The vulnerabilities fixed in the latest Aruba patch are the following:
CVE-2022-37913 and CVE-2022-37914 (CVSS v3.1 – 9.8): Authentication bypass flaw in the web-based management interface of EdgeConnect Orchestrator, allowing an unauthenticated, remote attacker to bypass authentication.
Successful exploitation of this flaw leads to an attacker elevating their privileges to administrator without credentials, opening the path to complete host compromise.
CVE-2022-37915 (CVSS v3.1 – 9.8): Flaw in the web-based management interface of EdgeConnect Orchestrator, allowing arbitrary command execution on the underlying host and leading to complete system compromise.
The versions that address the severe security issues are the following:
Aruba EdgeConnect Enterprise Orchestrator 126.96.36.199405 and above
Aruba EdgeConnect Enterprise Orchestrator 188.8.131.52197 and above
Aruba EdgeConnect Enterprise Orchestrator 184.108.40.206110 and above
Aruba EdgeConnect Enterprise Orchestrator 220.127.116.11015 and above
Older versions aren’t supported by the vendor and will not receive a security update for the above vulnerabilities. Hence, users of older versions are advised to upgrade to a newer product release as soon as possible.
A workaround provided by the vendor in the security advisory is to restrict the product’s CLI and web-based management interfaces to a dedicated layer 2 segment/VLAN or set firewall policies to layer 3 and above.
Aruba has noted that, as of today, it has not detected active exploitation of the mentioned flaws and has seen no discussions or proof of concept exploits that target the vulnerabilities.
However, considering the criticality of the flaws and broad deployment of EdgeConnect in valuable environments, it’s safe to suggest that attackers will attempt to create exploits for the vulnerabilities.
Even without a PoC exploit to use in attacks, hackers commonly begin scans within minutes of the flaw disclosure to compile lists with exploitable targets for future use or selling.