CISA added the Array Networks vulnerability, tracked as CVE-2024-28461, to the Known Exploited Vulnerabilities Catalog, acknowledging its active exploitation. CISA urged users to patch the vulnerability before December 16, 2024. Successful exploitation of the vulnerability may allow an unauthenticated attacker to execute arbitrary code on the target system.
The ArrayOS is a purpose-built and customized operating system configured as a secure embedded/real-time network OS.
Vulnerability Description
The vulnerability has a critical severity rating with a CVSS score of 9.8. This web security vulnerability allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using the flags attribute in the HTTP header without authentication. The product can be exploited through a vulnerable URL.
Affected versions
The vulnerability affects ArrayOS AG 9.4.0.481 and earlier versions.
On Array AG/vxAG series products running ArrayOS AG 9.x versions, the vulnerability can be exploited without authentication.
Note: The vulnerability does not affect AVX, APV, ASF, and AG/vxAG (running ArrayOS AG 10.x versions) series products.
Mitigation
Customers must upgrade to Array AG version 9.4.0.484 to patch the vulnerability.
For more information about the mitigation, please refer to the Array Networks Security Advisory.
Workaround
Customers using Client Security must disable the feature while implementing the workaround until a fix is available.
Run the following site commands:
- CLI command: switch <virtual_site_name>
- CLI command: config term
- CLI command: client security off
- CLI command: filter on
- CLI command: filter mode "blacklist"
- CLI command: filter url keyword deny "client_sec"
- CLI command: filter url keyword deny "%00"
The workaround affects the following functions:
- Client Security function
- VPN client automatic upgrade function
- Portal User Resource function
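The URL keyword filter in the workaround denies requests by substring match on "client_sec" and "%00". The same two keywords can be used to check gateway or upstream proxy access logs retrospectively for requests the filter would have denied. The script below is an added example written for this article, not code from Array Networks or Qualys; it assumes Common Log Format access lines and uses constructed sample entries, and it goes slightly beyond the filter by also catching a double-encoded null byte ("%2500").

```python
import re
from urllib.parse import unquote

# Minimal parser for Common Log Format access lines (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def matched_keywords(url: str) -> list[str]:
    """Return the workaround keywords ("client_sec", "%00") present in a URL.

    Keywords mirror the advisory's "filter url keyword deny" lines. The raw URL
    is compared case-insensitively; the null-byte keyword is also checked after
    one round of percent-decoding, so a literal NUL and a double-encoded
    "%2500" are both reported."""
    lower = url.lower()
    decoded = unquote(lower)
    hits = []
    if "client_sec" in lower or "client_sec" in decoded:
        hits.append("client_sec")
    if "%00" in lower or "%00" in decoded or "\x00" in decoded:
        hits.append("%00")
    return hits

def scan_access_log(text: str) -> list[dict]:
    """Parse access-log lines and return those that hit a workaround keyword."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        hits = matched_keywords(m["url"])
        if hits:
            findings.append({"client": m["client"], "ts": m["ts"],
                             "url": m["url"], "status": m["status"],
                             "keywords": hits})
    return findings

# Constructed sample log: the last three lines are requests the filter would deny.
SAMPLE_LOG = """\
192.0.2.25 - - [26/Nov/2024:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [26/Nov/2024:10:16:11 +0000] "GET /Client_Sec/update HTTP/1.1" 200 1024
198.51.100.9 - - [26/Nov/2024:10:17:40 +0000] "GET /files/report%00.txt HTTP/1.1" 404 0
198.51.100.9 - - [26/Nov/2024:10:17:41 +0000] "GET /files/report%2500.txt HTTP/1.1" 404 0
"""
```

Run `scan_access_log(SAMPLE_LOG)` to get the three flagged entries; a hit on "client_sec" from a source that is not a managed VPN client, or any hit on "%00", is worth correlating with the gateway's own logs before the upgrade to 9.4.0.484 is applied.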
Qualys Detection
Qualys customers can scan their devices with QID 78060 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.