CVE-2023-37426

EUVD-2023-41326
EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared static SSH host keys for all installations. This vulnerability could allow an attacker to spoof the SSH host signature and thereby masquerade as a legitimate Orchestrator
host.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
hpeCNA
7.4 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
Affected Products (NVD)
VendorProductVersion
arubanetworksedgeconnect_sd-wan_orchestrator
9.0.0 ≤
𝑥
≤ 9.0.5
arubanetworksedgeconnect_sd-wan_orchestrator
9.1.0 ≤
𝑥
≤ 9.1.7
arubanetworksedgeconnect_sd-wan_orchestrator
9.2.0 ≤
𝑥
≤ 9.2.5
arubanetworksedgeconnect_sd-wan_orchestrator
9.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt