The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security flaw, CVE-2023-28461, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability impacts Array Networks, a company that provides secure application delivery and VPN solutions and specifically affects the ArrayOS AG and vxAG series running version 9.4.0.481 and earlier.
The vulnerability, classified as an Improper Authentication Vulnerability, allows attackers to exploit the flaw for remote code execution on the vulnerable systems. According to CISA’s official advisory, this flaw can be used to bypass authentication and execute arbitrary code on affected devices.
An attacker could exploit this vulnerability through a specially crafted HTTP request, which allows unauthorized access to local files or potentially leads to remote code execution on the SSL VPN gateway.
Details of CVE-2023-28461: Remote Code Execution Risk
The vulnerability lies in the Array AG and vxAG products, which are designed to provide secure VPN services for businesses. These devices run ArrayOS AG, and the flaw is specifically present in versions up to and including 9.4.0.481. By exploiting this vulnerability, an attacker can use the flags attribute in the HTTP header to browse the system’s filesystem without requiring authentication. If successfully exploited, this allows attackers to execute code remotely on the device, potentially leading to complete system compromise.
According to Array Networks’ Security Advisory, this issue can be exploited through a vulnerable URL, allowing attackers to carry out a variety of malicious activities such as reading sensitive files or executing arbitrary commands. The vulnerability is due to missing authentication for critical functions, which could lead to severe security breaches, particularly in environments where Array Networks products are used to secure internal communications.
Exploitation and Impact
CISA’s inclusion of this vulnerability in the KEV catalog indicates a serious risk to organizations that use the affected products. The Exploit Prediction Scoring System (EPSS) places the likelihood of exploitation activity in the next 30 days at 0.32%. While this may seem low, vulnerabilities in widely used networking and security devices are often quickly exploited by threat actors, making early mitigation crucial.
The Common Vulnerability Scoring System (CVSS) has assigned the vulnerability a critical severity rating of 9.8. This high score reflects the potential impact of an exploit, which could allow attackers to read sensitive files, execute arbitrary code, and compromise the confidentiality, integrity, and availability of the affected systems.
The vulnerability affects several Array Networks products, specifically the Array AG series running ArrayOS AG version 9.x (up to and including 9.4.0.481) and the vxAG series within the same software version range. However, it does not impact the Array Networks AVX, APV, ASF, or any newer AG/vxAG series products that are running ArrayOS AG version 10.x or higher.
Conclusion
CVE-2023-28461 is a critical Improper Authentication Vulnerability affecting Array Networks AG and vxAG products, with the potential for remote code execution and severe security breaches. CISA’s inclusion of this vulnerability in its KEV catalog highlights the urgency for organizations to take immediate action.
Affected users are strongly advised to apply the vendor’s patches or discontinue using vulnerable versions if a fix is unavailable. While workarounds can mitigate risks temporarily, they may affect other features, highlighting the importance of timely patching. As businesses rely heavily on VPNs and remote access, addressing vulnerabilities like CVE-2023-28461 is crucial to maintaining security.
