External risk intelligence

Array Networks SSL VPN Remote Code Execution Vulnerability

CVE advisory | Known exploit

CVE-2023-28461

A vulnerability in Array Networks SSL VPN gateways allows unauthenticated attackers to browse the filesystem and go on to execute code on the device. This impacts organizations using affected devices, creating business risk through potential system compromise and data exposure.

Halo Surface Signal: 5

Weakness type: Authentication Bypass

Affected product: Arraynetworks Arrayos Ag

Affected versions: 9.4.0.481 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2023-28461

The affected product is an SSL VPN gateway. VPN gateways are intentionally deployed as internet-facing edge devices to facilitate remote access, making them publicly exposed by design in normal use.

Horizon Alert

Summary of the vulnerability and why it matters

Array Networks SSL VPN gateways are affected by a vulnerability that allows unauthorized access to system files and the execution of malicious code. This could enable attackers to compromise the gateway's integrity and potentially impact network security. The flaw is present in Array AG Series and vxAG devices.

  • Vulnerable SSL VPN gateways
  • Flaw allows unauthorized code execution
  • Business risk to system integrity

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit a vulnerability in the SSL VPN gateway to gain unauthorized access. This is achieved by browsing the system's filesystem via a specially crafted HTTP header. Successful exploitation allows the attacker to execute code on the gateway, potentially leading to a compromise of the protected network.

  • Publicly accessible SSL VPN gateway.
  • Attacker sends malicious HTTP header.
  • Attacker gains code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows remote code execution on SSL VPN gateways. Attackers can exploit a flaw in the product by browsing the filesystem without authentication. The potential for unauthorized access to sensitive data and system compromise presents a significant business risk.

  • Low attacker skill level.
  • Unauthenticated network access required.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Array Networks SSL VPN gateways could allow unauthenticated remote attackers to execute code. The flaw permits browsing of the filesystem via a crafted HTTP header, potentially leading to unauthorized system access. This poses a significant business risk, impacting the confidentiality, integrity, and availability of data and systems.

  • Identify exposed SSL VPN gateways.
  • Restrict network access to these systems.
  • Apply vendor updates and confirm their effectiveness.

Frequently asked questions

What is the primary security flaw in Array Networks SSL VPN gateways?

Array Networks AG Series and vxAG devices (versions 9.4.0.481 and earlier) have a critical vulnerability allowing remote code execution. An unauthenticated attacker can exploit this by sending a crafted HTTP header to browse the filesystem and then using a vulnerable URL to execute code on the SSL VPN gateway. The weakness is classified under CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), both of which concern missing or improper authentication checks.

How does an attacker exploit the Array Networks SSL VPN vulnerability?

Exploitation involves an attacker sending a specially crafted HTTP header with a flags attribute to the SSL VPN gateway. This header allows the attacker to bypass authentication and browse the device's filesystem. Following this, a vulnerable URL can be used to achieve remote code execution on the compromised gateway.

What is the business impact of the Array Networks SSL VPN vulnerability?

The vulnerability poses a high business risk due to the potential for remote code execution on internet-facing SSL VPN gateways. Successful exploitation can lead to a compromise of the gateway's integrity, unauthorized access to sensitive data, and potential disruption of network services, impacting confidentiality, integrity, and availability.

What is the relevance of CVE-2023-28461 according to the Halo Surface Signal?

The Halo Surface Signal indicates a 'Very likely' threat for CVE-2023-28461. This is because the affected product, an SSL VPN gateway, is designed to be internet-facing for remote access, making it publicly exposed by default during normal operation.

What steps should be taken to address the Array Networks SSL VPN vulnerability?

Organizations should first identify any exposed Array Networks SSL VPN gateways. It is recommended to restrict network access to these systems. Applying vendor-provided updates is crucial, and confirming the effectiveness of these updates is essential to mitigate the risk of exploitation.
