CyberSecurity SEE

CISA Includes CVE-2023-28461 Vulnerability in KEV Catalog


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-28461, a critical flaw in Array Networks products, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects the Array AG Series and vxAG Series running ArrayOS AG 9.4.0.481 and earlier and is classified as an improper authentication vulnerability.

An unauthenticated attacker can reach the flaw with a specially crafted HTTP request. The immediate result is unauthorized access to local files on the SSL VPN gateway; because the gateway sits at the network edge and handles authentication for remote users, that access can potentially be escalated to remote code execution on the device.

The Array AG and vxAG products are SSL VPN gateways, and the flaw lets an attacker browse the gateway's filesystem without authenticating by supplying the flags attribute in an HTTP header. Reading arbitrary files from a VPN gateway is serious on its own, and the advisory notes that it can potentially lead to remote code execution on the device, compromising the entire system.

According to Array Networks' security advisory, the issue is reachable through a vulnerable URL and allows an attacker to read sensitive files or execute arbitrary commands. Missing authentication on a critical function is especially dangerous on a device whose purpose is to gate access to internal communications.

CISA's inclusion of this vulnerability in the KEV catalog underscores the seriousness of the risk to organizations using the affected products: an entry means exploitation has been observed in the wild, not merely that exploitation is possible. The vulnerability carries a Common Vulnerability Scoring System (CVSS) base score of 9.8 (Critical), reflecting that it can be exploited remotely without authentication and can compromise the confidentiality, integrity, and availability of the affected systems. A KEV entry also carries a concrete obligation: under CISA's Binding Operational Directive 22-01, U.S. federal civilian agencies must remediate catalogued vulnerabilities by the due date CISA sets, and many private organizations use the catalog as a patch-priority list.

The vulnerability affects the Array AG Series and vxAG Series running ArrayOS AG 9.x up to and including 9.4.0.481; products running ArrayOS AG 10.x or later are not affected. Organizations should apply the vendor's fixed release or retire vulnerable versions. Because a KEV listing means exploitation has already been observed, patching should be paired with a review of gateway access logs for unexpected requests and a check of the appliance for signs of compromise before it is trusted again.
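The version triage the advisory implies, written out as an added example (this is not Array Networks' or CISA's code). It assumes only what the advisory text above states, that ArrayOS AG 9.4.0.481 and earlier are affected and the 10.x line is not, and it uses a constructed inventory whose hostnames and build numbers are hypothetical. The point it makes beyond the text is that version strings must be compared numerically, not as strings, or an older build such as 9.4.0.50 is wrongly ranked above 9.4.0.481 and missed:

```python
"""Flag ArrayOS AG builds that fall in the CVE-2023-28461 affected range.

Added illustration, not vendor or CISA code. It assumes only what the
advisory states: ArrayOS AG 9.4.0.481 and earlier are affected, and the
10.x line is not. Hostnames and build numbers in the sample inventory
are constructed, not real devices.
"""

LAST_AFFECTED = (9, 4, 0, 481)  # from the advisory: "9.4.0.481 and earlier"


def parse_version(text):
    """Turn 'ArrayOS AG 9.4.0.481' (or just '9.4.0.481') into a tuple of ints.

    Tuples of ints compare numerically, so 9.4.0.50 < 9.4.0.481; comparing
    the raw strings would rank '9.4.0.50' above '9.4.0.481' and miss an
    affected device.
    """
    tokens = text.strip().split()
    if not tokens:
        raise ValueError("empty ArrayOS version string")
    parts = tokens[-1].split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ArrayOS version: {text!r}")
    version = tuple(int(p) for p in parts)
    # Pad short strings such as '9.4' so they compare as 9.4.0.0.
    return version + (0,) * (len(LAST_AFFECTED) - len(version))


def is_affected(text):
    """True when the build is 9.4.0.481 or earlier; 10.x compares higher."""
    return parse_version(text) <= LAST_AFFECTED


def scan_inventory(inventory):
    """Return (host, version, affected) for each (host, version) pair."""
    return [(host, ver, is_affected(ver)) for host, ver in inventory]


# Constructed sample inventory; hostnames and builds are hypothetical.
SAMPLE_INVENTORY = [
    ("vpn-gw-01.example.net", "ArrayOS AG 9.4.0.481"),   # last affected build
    ("vpn-gw-02.example.net", "ArrayOS AG 9.4.0.50"),    # older build, affected
    ("vpn-gw-03.example.net", "ArrayOS AG 9.4.0.482"),   # hypothetical later build
    ("vpn-gw-04.example.net", "ArrayOS AG 10.0.0.100"),  # 10.x line, not impacted
]


if __name__ == "__main__":
    for host, ver, affected in scan_inventory(SAMPLE_INVENTORY):
        status = "AFFECTED - patch or retire" if affected else "not in affected range"
        print(f"{host:24} {ver:22} {status}")
```

This is a triage aid for an asset inventory, not a substitute for the vendor advisory: treat the vendor's fixed release as authoritative, and remember that a device in the affected range on a KEV-listed flaw should be checked for compromise, not only patched.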

Vulnerabilities like CVE-2023-28461 matter most to businesses that depend on VPNs and remote access, because the affected device is the one that is supposed to enforce authentication for everyone behind it. Timely patching, followed by verification that the fix is in place, is the baseline; the severity of this flaw and its confirmed exploitation reinforce the case for keeping edge devices inventoried, monitored, and updated as a matter of routine.
