Aruba fixes critical vulnerabilities in EdgeConnect Enterprise Orchestrator

Aruba addressed multiple critical severity vulnerabilities in the EdgeConnect Enterprise Orchestrator.

Aruba addressed multiple critical severity vulnerabilities in the EdgeConnect Enterprise Orchestrator that can be exploited by remote attackers to compromise the vulnerable host.

Aruba EdgeConnect Orchestrator is a centralized SD-WAN management solution that allows enterprises to control their WAN.

Below are the vulnerabilities addressed by Aruba:

CVE-2022-37913 and CVE-2022-37914 (CVSS v3.1 – 9.8) Authentication bypass vulnerabilities that resides in the web-based management interface of EdgeConnect Orchestrator. Threat actors can trigger the issue to bypass authentication.

“Vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to bypass authentication. Successful exploitation of these vulnerabilities could allow an attacker to gain administrative privileges leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host.” reads the advisory published by the vendor.

The company also addressed an unauthenticated Remote Code Execution issue in Aruba EdgeConnect Enterprise Orchestrator Web-Based Management Interface. The flaw, tracked as CVE-2022-37915 can be exploited to execute arbitrary commands on the underlying host, leading to complete system compromise.

The company addressed the issue with the release of the following versions:

Aruba EdgeConnect Enterprise Orchestrator 9.2.0.40405 and above
Aruba EdgeConnect Enterprise Orchestrator 9.1.3.40197 and above
Aruba EdgeConnect Enterprise Orchestrator 9.0.7.40110 and above
Aruba EdgeConnect Enterprise Orchestrator 8.10.23.40015 and above

Aruba will not release updates for versions that have reached End of Support (EoS). At the time of this report, the supported versions are:

Aruba EdgeConnect Enterprise Orchestrator 9.2.x
Aruba EdgeConnect Enterprise Orchestrator 9.1.x
Aruba EdgeConnect Enterprise Orchestrator 9.0.x
Aruba EdgeConnect Enterprise Orchestrator 8.10.x

To minimize the likelihood of exploitation for the above vulnerabilities, the vendor recommends to restrict the CLI and web-based management interfaces to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

At the time of this publishing, the company is not aware of attacks in the wild exploiting the above issues.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Aruba EdgeConnect)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.