The US cybersecurity agency CISA on Monday warned of the in-the-wild exploitation of a critical-severity vulnerability in Array Networks’ Array AG and vxAG secure access gateway products.
The issue, tracked as CVE-2023-28461 (CVSS score of 9.8), is described as a remote code execution (RCE) flaw that “allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using flags attribute in HTTP header without authentication.”
An attacker could exploit the vulnerability against Array AG/vxAG products running a vulnerable iteration of ArrayOS AG 9.x. In March 2023, the US-based networking hardware maker Array Networks announced that patches for the bug were included in ArrayOS AG version 9.4.0.484, available for download through its support portal.
Last week, Trend Micro reported that Earth Kasha had exploited CVE-2023-28461 in attacks that abused vulnerable SSL-VPN and file storage services to target advanced technology organizations and government agencies in Japan, Taiwan, and India.
Earth Kasha, also known as MirrorFace, is a threat actor operating under the APT10 umbrella, but it is believed to be a separate entity from APT10, the China-linked state-sponsored hacking group also tracked as Bronze Riverside, Cicada, Potassium, Red Apollo, and Stone Panda.
According to Trend Micro, Earth Kasha has exploited the Array bug along with Proself and FortiOS/FortiProxy flaws (namely CVE-2023-45727 and CVE-2023-27997) for initial access, and then deployed backdoors such as Cobalt Strike, LodeInfo, and NoopDoor for persistence.
On Monday, CISA added CVE-2023-28461 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to hunt for vulnerable Array instances in their environments and patch them as soon as possible.
“Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway,” CISA notes.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until December 16 to apply patches for the exploited Array vulnerability. However, all organizations are advised to review CISA’s KEV list and apply the necessary remediations as soon as possible.