Aruba Released Patches for EdgeConnect’s Critical Vulnerabilities
Aruba released security updates to fix several critical vulnerabilities. The vulnerabilities were found in its popular WAN management tool, EdgeConnect Enterprise Orchestrator. Successful exploitation could let a remote attacker access systems and execute commands.
Affected products:
- EdgeConnect Enterprise Orchestrator (on-premises)
- EdgeConnect Enterprise Orchestrator-as-a-Service
- EdgeConnect Enterprise Orchestrator-SP and EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators
- Orchestrator 9.1.2.40051 and below
- Orchestrator 9.0.7.40108 and below
- Orchestrator 8.10.23.40009 and below
Aruba’s EdgeConnect Orchestrator provides enterprise users with optimization, administration, automation, and monitoring features. Thus, the vulnerabilities it contains can easily endanger systems and networks.
About Vulnerabilities
The patch provided by Aruba fixes the vulnerabilities tracked as CVE-2022-37913, CVE-2022-37914, and CVE-2022-37915, which all have CVSS scores of 9.8. The flaws were found in the products’ web-based management interface.
CVE-2022-37913 and CVE-2022-37914 are authentication bypass vulnerabilities. They might enable a remote, unauthenticated attacker to get past authentication and eventually take control of the system by gaining administrative privileges.
The flaw CVE-2022-37915 could enable an unauthenticated attacker to execute code remotely on the underlying host and compromise the system.
Workaround Available
Aruba advises that the CLI and web-based management interfaces be limited to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above to reduce the possibility of an attacker exploiting these vulnerabilities.
As of right now, Aruba has not observed any public discussion or proof-of-concept exploits targeting these vulnerabilities, nor has it identified active exploitation.
However, given the seriousness of the issues and the widespread use of EdgeConnect in important environments, it is reasonable to expect attackers to try to develop exploits for the flaws.
Aruba Released Patches
These are the versions that fix the severe security vulnerabilities:
- Aruba EdgeConnect Enterprise Orchestrator 9.2.0.40405 and above
- Aruba EdgeConnect Enterprise Orchestrator 9.1.3.40197 and above
- Aruba EdgeConnect Enterprise Orchestrator 9.0.7.40110 and above
- Aruba EdgeConnect Enterprise Orchestrator 8.10.23.40015 and above
The vendor doesn’t support older versions; therefore, they won’t receive a security update for the vulnerabilities mentioned above. Customers running earlier versions are advised to upgrade to a supported product release as soon as possible.
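To turn the affected and fixed build numbers above into something an operator can run against an inventory, here is an added example (not code from Aruba or from the advisory) that parses Orchestrator version strings and classifies each one as fixed, vulnerable, or on an unsupported branch with no fix available. The branch boundaries are the fixed builds listed on this page; the hostnames and inventory are constructed sample data, and the assumption that any release at or above 9.2.0.40405 contains the fix follows from the advisory's "and above" wording.

```python
"""Classify Aruba EdgeConnect Orchestrator versions against the fixed builds
for CVE-2022-37913, CVE-2022-37914 and CVE-2022-37915.

Added example. Fixed-build numbers are those quoted in the advisory; the
inventory below is constructed sample input, not real hosts.
"""
import re

# First fixed build on each supported branch, taken from the advisory.
# A build on the same branch below this value is affected.
FIXED_BUILDS = {
    (9, 2): (9, 2, 0, 40405),
    (9, 1): (9, 1, 3, 40197),
    (9, 0): (9, 0, 7, 40110),
    (8, 10): (8, 10, 23, 40015),
}

# Assumption: releases newer than 9.2.0.40405 (e.g. a later 9.x branch)
# include the fix, following the advisory's "and above" wording.
NEWEST_FIXED = FIXED_BUILDS[(9, 2)]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch.build' into a tuple of ints so that plain
    tuple comparison orders versions correctly (no string comparison)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orchestrator version: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unsupported' for one version string.

    'unsupported' means the branch is not listed in the advisory and is
    older than the fixed release line: the vendor ships no patch for it,
    so the host needs a branch upgrade rather than a point update.
    """
    v = parse_version(version)
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        return "fixed" if v >= NEWEST_FIXED else "unsupported"
    return "fixed" if v >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group hostnames by assessment so patching can be prioritised.
    `inventory` maps hostname -> version string."""
    out = {"fixed": [], "vulnerable": [], "unsupported": []}
    for host, version in sorted(inventory.items()):
        out[assess(version)].append(host)
    return out


# Constructed sample inventory (hostnames are invented).
SAMPLE_INVENTORY = {
    "orch-dc1": "9.1.2.40051",    # last affected 9.1 build named in the advisory
    "orch-dc2": "9.1.3.40197",    # first fixed 9.1 build
    "orch-lab": "8.10.23.40009",  # affected 8.10 build
    "orch-old": "8.9.5.40001",    # branch not listed: no fix, upgrade required
    "orch-new": "9.2.0.40405",    # new release that contains the fix
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Comparing integer tuples rather than version strings matters here: a string comparison would rank "8.10.23.40015" below "8.9.5.40001", which is exactly the kind of mistake that leaves an affected Orchestrator marked as patched.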