Lucene search

[email protected]CVE-2023-37426

HistoryAug 22, 2023 - 7:16 p.m.

CVE-2023-37426

2023-08-2219:16:37

CWE-798

[email protected]

web.nvd.nist.gov

cve-2023-37426

edgeconnect

sd-wan

orchestrator

ssh

vulnerability

masquerade

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.4%

JSON

EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared static SSH host keys for all installations. This vulnerability could allow an attacker to spoof the SSH host signature and thereby masquerade as a legitimate Orchestrator
host.

Affected configurations

NVD

Node

arubanetworksedgeconnect_sd-wan_orchestratorRange9.0.0–9.0.5

arubanetworksedgeconnect_sd-wan_orchestratorRange9.1.0–9.1.7

arubanetworksedgeconnect_sd-wan_orchestratorRange9.2.0–9.2.5

arubanetworksedgeconnect_sd-wan_orchestratorMatch9.3.0

CPENameOperatorVersion
arubanetworks:edgeconnect_sd-wan_orchestratorarubanetworks edgeconnect sd-wan orchestratorle9.0.5
arubanetworks:edgeconnect_sd-wan_orchestratorarubanetworks edgeconnect sd-wan orchestratorle9.1.7
arubanetworks:edgeconnect_sd-wan_orchestratorarubanetworks edgeconnect sd-wan orchestratorle9.2.5
arubanetworks:edgeconnect_sd-wan_orchestratorarubanetworks edgeconnect sd-wan orchestratoreq9.3.0

CPE	Name	Operator	Version
arubanetworks:edgeconnect_sd-wan_orchestrator	arubanetworks edgeconnect sd-wan orchestrator	le	9.0.5
arubanetworks:edgeconnect_sd-wan_orchestrator	arubanetworks edgeconnect sd-wan orchestrator	le	9.1.7
arubanetworks:edgeconnect_sd-wan_orchestrator	arubanetworks edgeconnect sd-wan orchestrator	le	9.2.5
arubanetworks:edgeconnect_sd-wan_orchestrator	arubanetworks edgeconnect sd-wan orchestrator	eq	9.3.0

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "EdgeConnect SD-WAN Orchestrator",
    "vendor": "Hewlett Packard Enterprise (HPE)",
    "versions": [
      {
        "lessThanOrEqual": "<=9.3.0",
        "status": "affected",
        "version": "Orchestrator 9.3.x",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "<=9.2.5",
        "status": "affected",
        "version": "Orchestrator 9.2.x",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "<=9.1.7",
        "status": "affected",
        "version": "Orchestrator 9.1.x",
        "versionType": "semver"
      }
    ]
  }
]

References

www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.4%

JSON

Related for CVE-2023-37426

prion1 nvd1 cvelist1