Aruba has released security updates that fix several critical vulnerabilities in EdgeConnect Enterprise Orchestrator, its widely used WAN management tool. Successful exploitation could let a remote attacker gain access to the system and execute commands on it. The following products and versions are affected:
- EdgeConnect Enterprise Orchestrator (on-premises)
- EdgeConnect Enterprise Orchestrator-as-a-Service
- EdgeConnect Enterprise Orchestrator-SP and EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators
- Orchestrator 9.1.3.40051 and below
- Orchestrator 9.0.7.40108 and below
- Orchestrator 8.10.23.40009 and below
Aruba’s EdgeConnect Orchestrator gives enterprise users optimization, administration, automation, and monitoring features for their WAN. Because it administers and automates the appliances under its control, a compromised Orchestrator exposes the networks it manages, not just a single host.
The patch from Aruba fixes three vulnerabilities, tracked as CVE-2022-37913, CVE-2022-37914, and CVE-2022-37915, each with a CVSS score of 9.8. All three are in the products’ web-based management interface.
CVE-2022-37913 and CVE-2022-37914 are authentication bypass vulnerabilities. They could allow a remote, unauthenticated attacker to bypass authentication and gain administrative privileges, taking full control of the system.
CVE-2022-37915 could allow an unauthenticated attacker to execute arbitrary code remotely on the underlying host and compromise the system.
To reduce the chance of exploitation, Aruba advises restricting the CLI and web-based management interfaces to a dedicated layer 2 segment/VLAN and/or controlling access to them with firewall policies at layer 3 and above. These restrictions limit who can reach the vulnerable interface but do not remove the flaws; they are a stopgap until the fixed versions are installed.
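The following script is an added example of what that restriction looks like in practice; it is not Aruba code and is not taken from the advisory. It assumes the Orchestrator's web UI is TCP/443 and its CLI is SSH on TCP/22, that the Orchestrator sits at 10.250.0.5 inside a management VLAN of 10.250.0.0/24, and that the firewall writes a simple key=value connection log; all of these, and the sample log lines, are constructed for the example. It checks accepted connections against the management allowlist and renders an equivalent nftables fragment for a layer 3 enforcement point.

```python
"""Management-plane exposure check for an Orchestrator host.

Added example, not Aruba code. Assumptions (not from the advisory):
  - the Orchestrator web UI is TCP/443 and the CLI is SSH on TCP/22;
  - the Orchestrator sits at 10.250.0.5 and the management VLAN is 10.250.0.0/24;
  - log lines follow a constructed "key=value" firewall format.
"""
import ipaddress
import re
from typing import Iterable

ORCHESTRATOR_IP = ipaddress.ip_address("10.250.0.5")        # assumed Orchestrator address
MGMT_PORTS = (22, 443)                                       # assumed CLI + web UI ports
MGMT_ALLOWLIST = [ipaddress.ip_network("10.250.0.0/24")]     # assumed management VLAN

# Constructed sample firewall log (not a real Aruba or firewall log format).
SAMPLE_LOG = """\
2022-11-10T09:12:01Z fw01 ACCEPT src=10.250.0.15 dst=10.250.0.5 proto=tcp dport=443
2022-11-10T09:12:07Z fw01 ACCEPT src=192.0.2.44 dst=10.250.0.5 proto=tcp dport=443
2022-11-10T09:12:09Z fw01 ACCEPT src=198.51.100.9 dst=10.250.0.5 proto=tcp dport=22
2022-11-10T09:12:11Z fw01 ACCEPT src=10.250.0.20 dst=10.250.0.5 proto=tcp dport=22
2022-11-10T09:12:15Z fw01 ACCEPT src=203.0.113.7 dst=10.250.0.9 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """Policy: management ports on the Orchestrator are reachable only from the allowlist.

    Traffic to other hosts or other ports is outside this policy and passes.
    """
    if ipaddress.ip_address(dst) != ORCHESTRATOR_IP or dport not in MGMT_PORTS:
        return True
    src_addr = ipaddress.ip_address(src)
    return any(src_addr in net for net in MGMT_ALLOWLIST)


def find_violations(lines: Iterable[str]) -> list[tuple[str, int]]:
    """Return (source, port) for every accepted connection the policy would have dropped."""
    violations = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a connection record; skip
        dport = int(m["dport"])
        if not is_allowed(m["src"], m["dst"], dport):
            violations.append((m["src"], dport))
    return violations


def nft_ruleset() -> str:
    """Render an nftables forward-chain fragment enforcing the same policy.

    Table and set names are illustrative; adapt them before loading with `nft -f`.
    """
    nets = ", ".join(str(n) for n in MGMT_ALLOWLIST)
    ports = ", ".join(str(p) for p in MGMT_PORTS)
    return f"""table inet orch_mgmt {{
    set mgmt_nets {{ type ipv4_addr; flags interval; elements = {{ {nets} }} }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ip daddr {ORCHESTRATOR_IP} tcp dport {{ {ports} }} ip saddr @mgmt_nets accept
        ip daddr {ORCHESTRATOR_IP} tcp dport {{ {ports} }} drop
    }}
}}
"""


if __name__ == "__main__":
    for src, port in find_violations(SAMPLE_LOG.splitlines()):
        print(f"management access from outside the mgmt VLAN: {src} -> tcp/{port}")
    print(nft_ruleset())
```

Run against the constructed log, the check flags the two connections from 192.0.2.44 and 198.51.100.9 and ignores the line to 10.250.0.9, which is not the Orchestrator. Running the same check over real firewall logs before the rules are installed tells you which existing clients would be cut off, which is the usual reason such restrictions never get applied.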
As of now, Aruba is not aware of any public discussion or proof-of-concept exploit code targeting these vulnerabilities, nor of any active exploitation.
However, given the severity of the issues and how widely EdgeConnect is deployed in critical environments, attackers can be expected to try to develop exploits for them.
Aruba Released Patches
The following versions fix the vulnerabilities:
- Aruba EdgeConnect Enterprise Orchestrator 9.2.1.40405 and above
- Aruba EdgeConnect Enterprise Orchestrator 9.1.4.40197 and above
- Aruba EdgeConnect Enterprise Orchestrator 9.0.8.40110 and above
- Aruba EdgeConnect Enterprise Orchestrator 8.10.24.40015 and above
Older versions are no longer supported by the vendor and will not receive fixes for these vulnerabilities. Customers running them should upgrade to a supported release as soon as possible.
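The fixed and affected version lists above leave two practical questions open: what to make of a build that falls between the "and below" and "and above" numbers, and what to do with a branch that has no fixed build at all. The script below, an added example rather than Aruba tooling, encodes the fixed builds listed in this article and answers both; grouping builds into release branches by their first two version components (9.2, 9.1, 9.0, 8.10) is an assumption of the script, not something the advisory states.

```python
"""Classify an installed Orchestrator build against the fixed versions listed above.

Added example, not Aruba tooling. The fixed builds are those listed in the
article; grouping builds into release branches by their first two components
(9.2, 9.1, 9.0, 8.10) is an assumption of this script, not a statement from
the advisory.
"""

# Lowest fixed build per release branch, from the list above.
FIXED_BUILDS = {
    (9, 2): (9, 2, 1, 40405),
    (9, 1): (9, 1, 4, 40197),
    (9, 0): (9, 0, 8, 40110),
    (8, 10): (8, 10, 24, 40015),
}
NEWEST_LISTED_BRANCH = max(FIXED_BUILDS)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.patch.build' into an integer tuple that compares numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected four numeric dotted components, got {text!r}")
    major, minor, patch, build = (int(p) for p in parts)
    return major, minor, patch, build


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable: ...', 'unsupported: ...' or 'unlisted: ...'."""
    version = parse_version(text)
    branch = version[:2]
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        if branch > NEWEST_LISTED_BRANCH:
            return "unlisted: newer than the branches in this advisory; check the vendor"
        # e.g. 8.9.x: no fix ships for it; only a branch upgrade helps
        return "unsupported: upgrade to a supported release branch"
    if version >= fixed:
        return "patched"
    # Anything below the first fixed build is treated as vulnerable, including
    # builds in the gap between the 'and below' and 'and above' numbers, which
    # the lists never declare safe.
    return "vulnerable: upgrade to " + ".".join(map(str, fixed)) + " or later"


if __name__ == "__main__":
    for v in ("9.1.3.40051", "9.1.3.40052", "9.1.4.40197", "8.10.24.40015", "8.9.1.40000"):
        print(f"{v:>14}  {assess(v)}")
```

The conservative rule here is that only a build at or above the listed fixed build counts as patched, so 9.1.3.40052, which neither list mentions, is reported as vulnerable rather than assumed safe. Feed it the version strings from an asset inventory to get an upgrade worklist per branch.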