Source |
Techworm |
Identifier |
8630527 |
Publication date |
2024-11-26 15:31:37 (viewed: 2024-12-27 09:08:19) |
Title |
CISA Warns of Active Exploitation of Critical Array Networks Vulnerability |
Text |
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched, critical-severity vulnerability in the ArrayOS software that runs on Array Networks AG and vxAG SSL VPN gateways to its Known Exploited Vulnerabilities (KEV) catalog.
The move follows reports of active exploitation in the wild.
The flaw, tracked as CVE-2023-28461 and rated 9.8 (Critical) on the CVSS scale, is a missing-authentication-for-critical-function weakness in ArrayOS AG, the operating system that powers the Array AG and vxAG series SSL VPN gateways.
Successful exploitation allows an unauthenticated, remote attacker to gain access to the gateway, which in turn could expose sensitive data or lead to compromise of the network behind the VPN.
Because SSL VPN gateways sit at the network edge and are reachable from the internet, this poses significant risk to government systems and the private sector alike.
“Array AG/vxAG remote code execution vulnerability enables attackers to browse the filesystem or execute remote code on the SSL VPN gateway using a flag attribute in HTTP headers without authentication. The product can be exploited via a vulnerable URL,” Array Networks stated in a support page.
The vulnerability affects AG/vxAG appliances running ArrayOS AG 9.4.0.481 and earlier. It does not affect the AVX, APV and ASF product lines, nor AG/vxAG appliances running ArrayOS AG 10.x.
Array Networks addressed the flaw with the release of ArrayOS AG version 9.4.0.484 in March 2023.
The network hardware vendor strongly recommends that organizations update their affected devices to this version immediately.
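A practical first step is to triage the device inventory against the version boundaries stated above. The following Python script is an added example written for this page, not code from Array Networks or Techworm; the inventory rows are constructed sample data and the record fields (hostname, product, os_version) are assumptions of the example. It compares versions numerically rather than as strings, which matters because a string comparison would rank a hypothetical build 9.4.0.1000 below 9.4.0.481, and it treats any 9.x build below the fixed release as needing the update, since the advisory does not name builds between 9.4.0.481 and 9.4.0.484.

```python
"""Triage an ArrayOS inventory against CVE-2023-28461.

Added example for this page; not Array Networks' or Techworm's code.
Version boundaries come from the advisory as reported above: AG/vxAG
appliances on ArrayOS AG 9.4.0.481 or earlier are affected, 9.4.0.484
is the fixed release, and ArrayOS AG 10.x as well as the AVX, APV and
ASF product lines are not affected. Inventory rows below are constructed
sample data; the field names are an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CVE = "CVE-2023-28461"
FIXED_VERSION = "9.4.0.484"          # first fixed ArrayOS AG release (March 2023)
AFFECTED_PRODUCTS = {"AG", "vxAG"}   # SSL VPN gateway lines running ArrayOS AG
UNAFFECTED_PRODUCTS = {"AVX", "APV", "ASF"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.4.0.481' into (9, 4, 0, 481) so comparisons are numeric.

    Comparing release strings lexically is a classic triage bug: as text,
    '9.4.0.1000' sorts before '9.4.0.481' even though it is the newer build.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable ArrayOS version: {version!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Device:
    hostname: str
    product: str      # "AG", "vxAG", "AVX", "APV", "ASF", ... (assumed field)
    os_version: str   # ArrayOS version string as reported by the appliance


def assess(device: Device) -> str:
    """Classify one device as 'affected', 'patched', 'not-affected' or 'unknown'."""
    if device.product in UNAFFECTED_PRODUCTS:
        return "not-affected"
    if device.product not in AFFECTED_PRODUCTS:
        return "unknown"          # unrecognised product line: do not guess, review by hand
    ver = parse_version(device.os_version)
    if ver[0] >= 10:
        return "not-affected"     # ArrayOS AG 10.x is out of scope per the advisory
    # Any 9.x build below the fixed release is treated as needing the update.
    # The advisory names 9.4.0.481 as the last affected build; builds between
    # it and 9.4.0.484 are not mentioned, so the conservative call is 'affected'.
    if ver < parse_version(FIXED_VERSION):
        return "affected"
    return "patched"


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the 'affected' bucket is the work queue."""
    buckets: Dict[str, List[str]] = {
        "affected": [], "patched": [], "not-affected": [], "unknown": [],
    }
    for d in devices:
        buckets[assess(d)].append(d.hostname)
    return buckets


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Device("vpn-gw-01", "vxAG", "9.4.0.481"),   # last affected build named in advisory
    Device("vpn-gw-02", "AG", "9.4.0.470"),     # older 9.x build
    Device("vpn-gw-03", "AG", "9.4.0.484"),     # fixed release
    Device("vpn-gw-04", "vxAG", "10.2.0.12"),   # 10.x branch, out of scope
    Device("lb-01", "APV", "9.4.0.100"),        # different product line
    Device("mystery-01", "XYZ", "9.4.0.481"),   # unrecognised product
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{CVE} {bucket:>12}: {', '.join(hosts) or '-'}")
```

Feed it the real inventory exported from whatever asset system tracks the appliances; the "unknown" bucket is deliberately kept separate so that a product line the script does not recognise is reviewed by a person rather than silently marked safe.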
Array Networks has provided temporary mitigation measures for organizations that cannot implement the fix immediately.
These involve disabling the Client Security, VPN client automatic upgrade and Portal User Resources functions, and adding blacklist rules to block malicious traffic. The workarounds reduce exposure at the cost of functionality and are meant only to bridge the gap until the 9.4.0.484 update is applied.
Detailed instructions for these workarounds are available on the Array Networks support portal.
Evidence of active exploitation has led CISA to require Federal Civilian Executive Branch (FCEB) agencies to apply the vendor patch by December 16, 2024.
Notes |
★★ |
Sent |
Yes |
Tags |
Vulnerability |