Hackers Exploit Critical Bug in Array Networks SSL VPN Products

Summary:
CISA has received recent evidence of threat actors actively exploiting an RCE vulnerability in some SSL VPN products from Array Networks. The affected products are Array Networks AG and vxAG ArrayOS. The Array Networks AG Series (hardware appliances) and vxAG Series (virtual appliances) are SSL VPN products that offer secure remote and mobile access to corporate networks, enterprise applications, and cloud services. The flaw is tracked as CVE-2023-28461 and carries a critical CVSS score of 9.8. The agency added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after receiving the evidence. The flaw is an improper authentication issue reachable through a vulnerable URL that allows remote code execution on Array AG Series and vxAG version 9.4.0.481 and earlier. According to the security bulletin, CVE-2023-28461 is a web security vulnerability that allows an unauthenticated attacker to browse the filesystem or execute remote code on the SSL VPN gateway using the flags attribute in an HTTP header. The flaw was disclosed last year on March 9, and Array Networks provided a fixed version about a week later with the release of Array AG version 9.4.0.484. According to Array Networks, over 5000 customers currently use these products in their corporate environments. CISA did not disclose any details regarding which adversary is leveraging CVE-2023-28461 in the attacks.

Security Officer Comments:
CISA has recommended that all federal agencies and critical infrastructure organizations apply security updates and available mitigations by December 16 or stop using the product. It is paramount that organizations stay updated on the latest security updates and apply the latest security patches if possible. Array has provided countermeasures in the form of site commands to mitigate the vulnerability until an organization can implement the updated version. The critical nature of CVE-2023-28461 necessitates immediate attention and remediation due to the evidence of active exploitation by attackers and the potential for a significant data breach or major operational disruption.

Suggested Corrections:
Security updates for the impacted products are available through the Array support portal. The vendor's security advisory also provides a set of commands to mitigate the vulnerability if updates cannot be installed immediately. Organizations should first test the effect of these commands, as they may negatively affect the functionality of Client Security, the VPN client's ability to upgrade automatically, and the Portal User Resource function.
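The first remediation step is knowing which appliances are still on an affected build. The script below is an added example (not code from Array Networks, CISA, or the linked article) that triages a constructed inventory of ArrayOS version strings against the two thresholds the advisory gives: 9.4.0.481 and earlier are affected, and 9.4.0.484 is the fixed release. It assumes ArrayOS versions are four dot-separated integers; builds that fall between the two thresholds (9.4.0.482 and 9.4.0.483) are not described on the page, so they are reported as "unknown" rather than guessed at.

```python
"""Triage ArrayOS AG/vxAG versions against the CVE-2023-28461 advisory thresholds.

Added example; thresholds are taken from the advisory summary, the inventory
and the four-integer version format are assumptions for illustration.
"""
from __future__ import annotations

AFFECTED_MAX = (9, 4, 0, 481)   # advisory: 9.4.0.481 and earlier are affected
FIXED_MIN = (9, 4, 0, 484)      # advisory: fix shipped in 9.4.0.484


def parse_version(text: str) -> tuple[int, ...]:
    """Parse 'a.b.c.d' into a comparable integer tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ArrayOS version format: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'unknown' for one version string."""
    v = parse_version(version)
    if v <= AFFECTED_MAX:          # tuple comparison covers older major/minor releases too
        return "vulnerable"
    if v >= FIXED_MIN:
        return "fixed"
    return "unknown"               # 9.4.0.482/483: not covered by the advisory text


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group appliance hostnames by patch status, keeping unparseable entries visible."""
    buckets: dict[str, list[str]] = {
        "vulnerable": [], "fixed": [], "unknown": [], "unparseable": [],
    }
    for host, version in inventory.items():
        try:
            buckets[classify(version)].append(host)
        except ValueError:
            buckets["unparseable"].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "vpn-gw-01": "9.4.0.481",
    "vpn-gw-02": "9.4.0.484",
    "vpn-gw-03": "9.3.0.250",
    "vpn-gw-04": "9.4.0.483",
    "vpn-gw-05": "unknown-build",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Anything in the "vulnerable" bucket should be patched or have the vendor's interim site commands applied (after testing them, per the advisory); anything in "unknown" or "unparseable" needs a manual look before it is assumed safe.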

Link(s):
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug-in-array-networks-ssl-vpn-products/