CVE-2023-37422
📋 TL;DR
This stored XSS vulnerability in EdgeConnect SD-WAN Orchestrator allows authenticated attackers to inject malicious scripts into the web interface. When an administrative user views the compromised page, the attacker can execute arbitrary code in their browser session. This affects organizations using vulnerable versions of Aruba's EdgeConnect SD-WAN Orchestrator.
💻 Affected Systems
- Aruba EdgeConnect SD-WAN Orchestrator
📦 What is this software?
EdgeConnect SD-WAN Orchestrator by Aruba Networks
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative privileges, steals session tokens, modifies configurations, or deploys malware across the SD-WAN infrastructure.
Likely Case
Attacker hijacks administrative sessions to access sensitive data, modify network policies, or disrupt SD-WAN operations.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy in place.
🎯 Exploit Status
Requires authenticated attacker and victim administrator interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.2.5.0 and later
Vendor Advisory: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt
Restart Required: Yes
Instructions:
1. Download the patch from the Aruba support portal.
2. Back up the current configuration.
3. Apply the patch following the vendor instructions.
4. Restart affected services.
5. Verify the fix and functionality.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement strict input validation and output encoding for user-supplied data in the web interface.
Configuration-dependent - implement in web application code
Content Security Policy
Deploy CSP headers to restrict script execution sources.
Add 'Content-Security-Policy' header to web server configuration
🧯 If You Can't Patch
- Restrict access to management interface using network segmentation and firewall rules
- Implement web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check orchestrator version via web interface or CLI. Versions below 9.2.5.0 are vulnerable.
Check Version:
show version (CLI) or check About page in web interface
Verify Fix Applied:
Verify version is 9.2.5.0 or later and test XSS payloads are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags in web interface logs
- Multiple failed login attempts followed by successful authentication
Network Indicators:
- Unusual HTTP POST requests with script payloads to management interface
SIEM Query:
source="web_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
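The SIEM query above matches the four indicator strings literally. As an added example (not part of the original advisory or Aruba's tooling), the following Python applies the same indicators to constructed sample web-log lines, and goes one step further than the query by percent-decoding the request body (twice, to catch double encoding) and matching case-insensitively, so that encoded or mixed-case variants that the raw string match would miss are still flagged. The log format and URL paths are assumptions for illustration only.

```python
from urllib.parse import unquote_plus

# The indicator strings from the page's SIEM query (matched case-insensitively).
INDICATORS = ("<script>", "javascript:", "onerror=", "onload=")

# Constructed sample web-log lines; format and paths are illustrative, not real
# Orchestrator logs. Lines 2, 3 and 5 carry payloads that a literal match misses.
SAMPLE_LOGS = [
    "POST /mgmt/api/policy 200 body=name=branch-1",
    "POST /mgmt/api/policy 200 body=name=%3Cscript%3Ex%3C/script%3E",
    "POST /mgmt/api/policy 200 body=name=<IMG src=x OnError=x>",
    "GET /mgmt/api/status 200 body=",
    "POST /mgmt/api/policy 200 body=name=%253Cscript%253Ex",
]


def normalize(line: str) -> str:
    """Percent-decode up to two rounds (handles %253C -> %3C -> <) and lower-case."""
    decoded = line
    for _ in range(2):
        decoded = unquote_plus(decoded)
    return decoded.lower()


def matched_indicators(line: str) -> list[str]:
    """Return the indicators present in a single log line after normalisation."""
    text = normalize(line)
    return [ind for ind in INDICATORS if ind in text]


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, matched indicators) for every line that hits."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = matched_indicators(line)
        if found:
            hits.append((number, found))
    return hits


if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(found)}")
```

Running it flags lines 2, 3 and 5 of the sample; the raw SIEM query as written would flag none of them, which is the gap this normalisation closes.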