The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Monday about the active exploitation of a critical vulnerability in Array Networks Array AG and vxAG secure access gateway products.
Details of the Vulnerability:
The flaw, tracked as CVE-2023-28461 and rated with a CVSS score of 9.8, is a remote code execution (RCE) vulnerability. It allows attackers to browse the filesystem or execute remote code on the SSL VPN gateway using the flags attribute in the HTTP header without authentication.
Affected Products:
This vulnerability affects Array AG/vxAG products running a vulnerable version of ArrayOS AG 9.x. In March 2023, Array Networks released a patch for this vulnerability in ArrayOS AG version 9.4.0.484, which is available for download through their support portal.
Exploitation by Earth Kasha:
Last week, Trend Micro reported that the vulnerability had been exploited by the threat actor known as Earth Kasha. This group, operating under the APT10 umbrella, has targeted advanced technology organizations and government agencies in Japan, Taiwan, and India by exploiting this and other vulnerabilities in SSL-VPN and file storage services. Earth Kasha, also known as MirrorFace, has utilized other flaws, including Proself and FortiOS/FortiProxy vulnerabilities (CVE-2023-45727 and CVE-2023-27997), to gain initial access and deploy persistent backdoors like Cobalt Strike, LodeInfo, and NoopDoor.
CISA’s Response:
CISA has added CVE-2023-28461 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to identify and patch vulnerable Array instances in their environments by December 16, as mandated by Binding Operational Directive (BOD) 22-01. Additionally, all organizations are advised to review CISA’s KEV list and apply the necessary remediations promptly.
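The page names the affected train (ArrayOS AG 9.x) and the fixed build (9.4.0.484), and asks organizations to identify vulnerable Array instances. The script below is an added example, not code from CISA or Array Networks: it triages a constructed appliance inventory against that fixed build, comparing version components as integers so that a build such as 9.4.0.52 is correctly ranked below 9.4.0.484 (a plain string comparison would get this wrong). Hostnames and version strings are constructed sample data.

```python
"""Triage a constructed ArrayOS AG inventory against the CVE-2023-28461 fix.

Added example, not from the advisory or Array Networks. The page states that
ArrayOS AG 9.x builds before 9.4.0.484 are affected; the appliance names and
version strings below are constructed sample data.
"""
from typing import List, Tuple

CVE_ID = "CVE-2023-28461"
FIXED_VERSION = "9.4.0.484"   # patched build named on the page
AFFECTED_MAJOR = 9            # page names only ArrayOS AG 9.x as affected

# Constructed inventory: (hostname, ArrayOS AG version string)
INVENTORY: List[Tuple[str, str]] = [
    ("vpn-gw-01.example.internal", "9.4.0.477"),
    ("vpn-gw-02.example.internal", "9.4.0.484"),
    ("vpn-gw-03.example.internal", "9.4.0.52"),   # string compare would call this "newer"
    ("vpn-gw-04.example.internal", "9.3.1.103"),
    ("vpn-gw-05.example.internal", "10.0.0.12"),  # not in the 9.x train named by the page
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted ArrayOS build string into integers so 9.4.0.52 < 9.4.0.484."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the build is in the 9.x train and older than the fixed build."""
    parsed = parse_version(version)
    return parsed[0] == AFFECTED_MAJOR and parsed < parse_version(FIXED_VERSION)


def needs_remediation(inventory=INVENTORY) -> List[str]:
    """Return hostnames still running an affected build, for the KEV remediation list."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in needs_remediation():
        print(f"{host}: affected by {CVE_ID}, upgrade to ArrayOS AG {FIXED_VERSION}")
```

Feed it the version strings from your own asset inventory in place of the constructed list; anything it returns is in scope for the KEV remediation deadline.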
CISA Statement:
“Array Networks AG and vxAG ArrayOS contain a missing authentication for a critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway,” CISA notes in its advisory.