Critical Vulnerabilities in Aruba EdgeConnect Enterprise Orchestrator

Aruba has released security updates to address three critical vulnerabilities (CVE-2022-37913, CVE-2022-37914 and CVE-2022-37915) in their Wide Area Network (WAN) management solution, EdgeConnect Enterprise Orchestrator.

Two of the vulnerabilities, CVE-2022-37913 and CVE-2022-37914, are authentication bypass vulnerabilities. Successful exploitation could allow an unauthenticated attacker to bypass authentication and perform privilege escalation to the administrator level, completely compromising the Aruba EdgeConnect Enterprise Orchestrator host.

The third vulnerability (CVE-2022-37915) could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation could allow an unauthenticated attacker to perform remote code execution (RCE), leading to a complete system compromise.

The product versions that address all three vulnerabilities are as follows:

• Aruba EdgeConnect Enterprise Orchestrator 9.2.0.40405 and above

• Aruba EdgeConnect Enterprise Orchestrator 9.1.3.40197 and above

• Aruba EdgeConnect Enterprise Orchestrator 9.0.7.40110 and above

• Aruba EdgeConnect Enterprise Orchestrator 8.10.23.40015 and above

Administrators and users of affected products are advised to upgrade to the latest versions immediately, and to restrict both Command Line Interface (CLI) and web-based management interfaces to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.

More information is available here:

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt

https://securityaffairs.co/wordpress/137000/security/aruba-edgeconnect-flaws.html