Shared SSH Static Host Keys in EdgeConnect SD-WAN Orchestrator
CVE-2023-37426
7.4 HIGH
Summary
Instances of Aruba EdgeConnect SD-WAN Orchestrator prior to the resolutions provided in the advisory were found to utilize shared static SSH host keys across all installations. This vulnerability presents an opportunity for attackers to spoof the SSH host signature, allowing them to pose as a legitimate Orchestrator host and potentially gain unauthorized access.
Affected Version(s)
EdgeConnect SD-WAN Orchestrator 9.3.x
EdgeConnect SD-WAN Orchestrator 9.2.x
References
CVSS V3.1
Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Dean Freeman
Carmody Rauch