CVE-2023-37426

Published: Aug 22, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared static SSH host keys for all installations. This vulnerability could allow an attacker to spoof the SSH host signature and thereby masquerade as a legitimate Orchestrator host.

Affected (4)

Products: Arubanetworks: Edgeconnect Sd Wan Orchestrator

Arubanetworks

1 product

Edgeconnect Sd Wan Orchestrator

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.0.0 to 9.0.5
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.1.0 to 9.1.7
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.2.0 to 9.2.5
Arubanetworks Edgeconnect Sd Wan Orchestrator	Version 9.3.0

Related CWEs

CWE-798

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (2)

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt

Source: security-alert@hpe.com

Vendor Advisory

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.