Lucene search

HpeCVELIST:CVE-2023-37426

HistoryAug 22, 2023 - 6:02 p.m.

CVE-2023-37426 Shared SSH Static Host Keys in EdgeConnect SD-WAN Orchestrator

2023-08-2218:02:22

hpe

www.cve.org

cve-2023-37426

ssh key spoofing

edgeconnect sd-wan orchestrator

security vulnerability

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

28.6%

JSON

EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared static SSH host keys for all installations. This vulnerability could allow an attacker to spoof the SSH host signature and thereby masquerade as a legitimate Orchestrator
host.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "EdgeConnect SD-WAN Orchestrator",
    "vendor": "Hewlett Packard Enterprise (HPE)",
    "versions": [
      {
        "lessThanOrEqual": "<=9.3.0",
        "status": "affected",
        "version": "Orchestrator 9.3.x",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "<=9.2.5",
        "status": "affected",
        "version": "Orchestrator 9.2.x",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "<=9.1.7",
        "status": "affected",
        "version": "Orchestrator 9.1.x",
        "versionType": "semver"
      }
    ]
  }
]

References

www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

28.6%

JSON

Related for CVELIST:CVE-2023-37426