CVE-2023-28460
📋 TL;DR
A command injection vulnerability in Array Networks APV products allows authenticated administrators to execute arbitrary shell commands via crafted packets. This affects APV appliances running vulnerable firmware versions, potentially leading to complete system compromise.
💻 Affected Systems
- Array Networks APV (Application Delivery Controller)
📦 What is this software?
ArrayOS by Array Networks
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root access, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Unauthorized administrative access leading to configuration changes, credential theft, and network foothold establishment.
If Mitigated
Limited impact due to strong authentication controls, network segmentation, and administrator account monitoring.
🎯 Exploit Status
Exploitation requires administrator credentials; once authenticated, command injection is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.6.1.262 or newer, 10.4.2.93 or newer
Restart Required: Yes
Instructions:
1. Download the firmware update from the Array Networks support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the appliance.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Restrict Administrative Access
Limit administrative interface access to trusted IP addresses only.
Configure firewall rules to restrict access to APV management interfaces
Implement Multi-Factor Authentication
Add MFA to administrator accounts to reduce credential compromise risk.
Configure RADIUS or TACACS+ with MFA for administrative access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate APV appliances from critical systems
- Enforce least privilege for administrator accounts and monitor all administrative activity
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > About) or CLI (show version). Compare against patched versions.
Check Version:
show version (CLI) or navigate to System > About (web interface)
Verify Fix Applied:
Confirm firmware version is 8.6.1.262+ or 10.4.2.93+ and test administrative functions for stability.
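As an added example (not from the advisory or from Array Networks), a small Python helper that compares a reported firmware version against the fixed builds listed above. It assumes the fix applies from the named build onward within each major.minor branch (8.6 and 10.4) and reports any other branch as undetermined rather than guessing.

```python
# Added example: classify an APV firmware version against the fixed builds
# named in the advisory (8.6.1.262 and 10.4.2.93).
from typing import Optional, Tuple

# Fixed builds keyed by major.minor branch.
# Assumption: each branch is fixed from the listed build onward; versions
# on branches not listed here cannot be judged from the advisory alone.
FIXED_BUILDS = {
    (8, 6): (8, 6, 1, 262),
    (10, 4): (10, 4, 2, 93),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.6.1.262' into (8, 6, 1, 262); raise on malformed input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(text: str) -> Optional[bool]:
    """Return True if the version is below the fixed build for its branch,
    False if it is at or above it, and None if the branch is not covered."""
    ver = parse_version(text)
    fixed = FIXED_BUILDS.get(ver[:2])
    if fixed is None:
        return None
    # Pad short strings so that '8.6.1' compares as 8.6.1.0.
    padded = ver + (0,) * (4 - len(ver))
    return padded[:4] < fixed


if __name__ == "__main__":
    # Constructed sample inputs, as an operator might read them off
    # System > About or 'show version'.
    for sample in ("8.6.1.261", "8.6.1.262", "10.4.2.93", "9.5.0.1"):
        print(sample, "->", is_vulnerable(sample))
```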
📡 Detection & Monitoring
Log Indicators:
- Unusual administrative login patterns
- Command execution in system logs
- Configuration changes from unexpected sources
Network Indicators:
- Unexpected outbound connections from APV appliances
- Anomalous traffic patterns to/from management interfaces
SIEM Query:
source="APV" AND (event_type="command_execution" OR (user="admin" AND action="modify_config"))
🔗 References
- https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_Command_Injection_Vulnerabilities_APV_ID-133258.pdf