Aruba Networks has issued a bumper advisory for its EdgeConnect Enterprise product that includes vulnerabilities exploitable for remote code execution (RCE) and more.
Patched versions of the software include ECOS 9.2.2.0 and above, ECOS 9.1.4.0 and above, ECOS 9.0.8.0 and above, and ECOS 8.3.8.0 and above.
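Because the fixes land on four separate release branches, a naive "is my version newer than 8.3.8.0?" comparison gets the answer wrong (9.1.3.0 is newer than 8.3.8.0 but still unpatched). The following branch-aware checker is an added example, not code from Aruba or from the article; the inventory entries are constructed sample data, and the handling of branches the advisory does not list (reported as "unlisted-branch" so an operator consults the advisory) is an assumption, not something the advisory states.

```python
"""Branch-aware check of installed Aruba EdgeConnect ECOS versions against the
minimum fixed releases named in the advisory (added example, not vendor code)."""
from typing import Dict, List, Tuple

# Minimum fixed release per maintained branch, taken from the advisory text.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (9, 2): (9, 2, 2, 0),
    (9, 1): (9, 1, 4, 0),
    (9, 0): (9, 0, 8, 0),
    (8, 3): (8, 3, 8, 0),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'ECOS 9.1.3.0' or '9.1.3' into a 4-tuple of ints.

    Fields are compared as integers, so 8.3.10.0 correctly sorts after 8.3.8.0
    (a plain string comparison would get this wrong). Missing trailing fields
    are treated as 0.
    """
    text = text.strip()
    if text.upper().startswith("ECOS"):
        text = text[4:].strip()
    parts = text.split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ECOS version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted-branch' for one appliance.

    The branch is the first two fields (major.minor); the installed version is
    compared only against the fixed release of its own branch.
    """
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Assumption: branches not named in the advisory need manual review
        # rather than being silently treated as safe.
        return "unlisted-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Assess every appliance and list the ones needing action first."""
    order = {"vulnerable": 0, "unlisted-branch": 1, "patched": 2}
    rows = [(name, ver, assess(ver)) for name, ver in inventory.items()]
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ec-branch-01": "ECOS 9.1.3.0",   # newer than 8.3.8.0 but unpatched on 9.1
    "ec-branch-02": "ECOS 9.2.2.0",   # exactly the fixed release
    "ec-dc-01": "9.0.8.4",
    "ec-lab-01": "8.3.10.0",          # integer compare: 10 > 8
    "ec-legacy-01": "8.2.1.0",        # branch not in the advisory
}

if __name__ == "__main__":
    for name, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{name:14} {ver:14} {status}")
```

Running the block prints the constructed inventory with the unpatched appliances first; feeding it a real inventory export only requires replacing the `SAMPLE_INVENTORY` mapping.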
Eight of the vulnerabilities are rated “high” severity.
CVE-2022-37919 is an API vulnerability.
Aruba’s advisory states that “an unauthenticated attacker can exploit this condition via the web-based management interface to create a denial-of-service condition which prevents the appliance from properly responding to API requests.”
Seven separate vulnerabilities – CVE-2022-37920, CVE-2022-37921, CVE-2022-37922, CVE-2022-37923, CVE-2022-37924, CVE-2022-43541 and CVE-2022-43542 – allow authenticated remote attackers to run arbitrary commands at the command line interface.
An attacker would need login credentials to the target system, but the result of an exploit would be “complete system compromise,” Aruba said.
They were discovered by Bill Marquette, Daniel Jensen and Erik De Jong and reported through the company’s bug bounty program.
CVE-2022-44533, discovered by Erik De Jong, is a bug in the web management interface that lets an authenticated remote attacker run arbitrary commands on the underlying host.
There are also three vulnerabilities rated “medium” severity: CVE-2022-37925 and CVE-2022-37926, which affect the web management interface, and CVE-2022-43518, a path traversal bug.
Aruba said it is not aware of any exploit code targeting any of these vulnerabilities.