CISA Warns Organizations to Patch Array Networks Remote Code Execution Vulnerability (CVE-2023-28461)

CISA added the Array Networks vulnerability, tracked as CVE-2023-28461, to the Known Exploited Vulnerabilities Catalog, acknowledging its active exploitation. CISA urged users to patch the vulnerability before December 16, 2024. Successful exploitation of the vulnerability may allow an unauthenticated attacker to execute arbitrary code on the target system.

ArrayOS is a purpose-built, customized operating system designed as a secure embedded/real-time network OS.

Vulnerability Description

The vulnerability has a critical severity rating with a CVSS score of 9.8. This web security vulnerability allows an unauthenticated attacker to browse the filesystem or execute remote code on the SSL VPN gateway by using the flags attribute in the HTTP header. The product can be exploited through a vulnerable URL.

Affected versions

The vulnerability affects ArrayOS AG 9.4.0.481 and earlier versions.

On Array AG/vxAG series products running ArrayOS AG 9.x versions, the vulnerability can be exploited without authentication.

Note: The vulnerability does not affect AVX, APV, ASF, and AG/vxAG (running ArrayOS AG 10.x versions) series products.

Mitigation

Customers must upgrade to Array AG version 9.4.0.484 to patch the vulnerability.

For more information about the mitigation, please refer to Array Networks Security Advisory.

Workaround

Customers using Client Security must disable the feature while implementing the workaround until a fix is available.

Run the following site commands:

  • CLI command: switch <virtual_site_name>
  • CLI command: config term
  • CLI command: client security off
  • CLI command: filter on
  • CLI command: filter mode "blacklist"
  • CLI command: filter url keyword deny "client_sec"
  • CLI command: filter url keyword deny "%00"

The workaround affects the following functions:

  • Client Security function
  • VPN client automatic upgrade function
  • Portal User Resource function
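The following script is an added example and is not code from the Qualys post or from Array Networks. It turns the two actionable parts of this advisory into checks a defender can run: a version test built from the affected and fixed builds stated above (9.4.0.481 and earlier affected, 9.4.0.484 fixed, 10.x not affected), and a scan of gateway access logs for the same URL keywords the workaround's filter denies ("client_sec" and "%00"). It assumes version strings contain up to four dot-separated integers and that the log is in Combined Log Format; the sample log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Build numbers taken from the advisory: 9.4.0.481 and earlier are affected,
# 9.4.0.484 carries the fix. 10.x releases are stated to be unaffected.
FIXED_BUILD = (9, 4, 0, 484)

# URL keywords the workaround's "filter url keyword deny" commands block.
# A decoded NUL byte is mapped back to the "%00" label so both spellings
# of the same thing report identically.
DENY_KEYWORDS = {"client_sec": "client_sec", "%00": "%00", "\x00": "%00"}

# Combined Log Format (assumed log layout, not documented on the page).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def parse_version(text: str) -> tuple:
    """Extract 'ArrayOS AG 9.4.0.481' -> (9, 4, 0, 481).
    Assumed format: up to four dot-separated integers; missing fields pad as 0."""
    m = re.search(r"(\d+(?:\.\d+){0,3})", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def needs_upgrade(version_text: str) -> bool:
    """True for any ArrayOS AG 9.x build below the fixed build 9.4.0.484.
    The advisory lists 9.4.0.481 and earlier as affected; treating every 9.x
    build below the fix as needing the upgrade is a conservative assumption."""
    v = parse_version(version_text)
    if v[0] != 9:
        return False  # only the 9.x line is affected per the advisory
    return v < FIXED_BUILD


def matched_keywords(url: str) -> list:
    """Return the deny-list labels present in the URL, checking both the raw
    request path and its percent-decoded form so '%00' and a literal NUL match."""
    views = (url.lower(), unquote(url).lower())
    found = {label for view in views for kw, label in DENY_KEYWORDS.items() if kw in view}
    return sorted(found)


def flag_requests(lines) -> list:
    """Scan access-log lines; report each request whose URL carries a denied keyword."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        labels = matched_keywords(m.group("url"))
        if labels:
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "url": m.group("url"), "keywords": labels})
    return hits


# Constructed sample log lines (not real traffic): one benign request, one
# hitting "client_sec", one with an encoded NUL, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2024:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Nov/2024:10:00:05 +0000] "GET /vpn/client_sec/check HTTP/1.1" 200 88',
    '198.51.100.9 - - [25/Nov/2024:10:01:12 +0000] "GET /portal/file%00.txt HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ver in ("ArrayOS AG 9.4.0.481", "ArrayOS AG 9.4.0.484", "ArrayOS AG 10.0.0.12"):
        print(f"{ver}: {'UPGRADE' if needs_upgrade(ver) else 'ok'}")
    for hit in flag_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['url']} -> {hit['keywords']}")
```

The log scan is a triage aid, not a replacement for the filter commands or the upgrade: it only tells you which requests the workaround would have denied, so hits from before the workaround was applied are the ones worth investigating.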

Qualys Detection

Qualys customers can scan their devices with QID 78060 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf
