CVE-2023-37426
📋 TL;DR
EdgeConnect SD-WAN Orchestrator instances use shared static SSH host keys across all installations, allowing attackers to spoof legitimate Orchestrator hosts. This affects all EdgeConnect SD-WAN Orchestrator deployments prior to the patched versions. Attackers could impersonate legitimate Orchestrator hosts to intercept or manipulate traffic.
💻 Affected Systems
- Aruba EdgeConnect SD-WAN Orchestrator
📦 What is this software?
EdgeConnect SD-WAN Orchestrator by Aruba Networks
⚠️ Risk & Real-World Impact
Worst Case
Attackers could perform man-in-the-middle attacks, intercept sensitive SD-WAN configuration data, inject malicious configurations, or redirect traffic to malicious endpoints, potentially compromising entire SD-WAN infrastructure.
Likely Case
Attackers on the same network could spoof the Orchestrator host to intercept management traffic, potentially gaining access to SD-WAN configuration data or manipulating network policies.
If Mitigated
With proper network segmentation and monitoring, impact would be limited to potential interception of management traffic within the segmented network zone.
🎯 Exploit Status
Exploitation requires network access to the Orchestrator and knowledge of the shared SSH host key. The advisory suggests the vulnerability is actively being exploited.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions specified in ARUBA-PSA-2023-012 advisory
Vendor Advisory: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt
Restart Required: Yes
Instructions:
1. Review the ARUBA-PSA-2023-012 advisory for the specific patched versions.
2. Back up the current configuration.
3. Apply the patch/upgrade to the specified version.
4. Restart the Orchestrator service.
5. Verify that the SSH host keys have been regenerated.
🔧 Temporary Workarounds
Regenerate SSH Host Keys
Linux: manually regenerate unique SSH host keys on each Orchestrator instance. The paths below assume the standard OpenSSH layout (an assumption; confirm the key location on the appliance). ssh-keygen prompts before overwriting an existing key, so remove the old keys first, then record the new fingerprints so clients can update their known_hosts entries:
rm -f /etc/ssh/ssh_host_rsa_key* /etc/ssh/ssh_host_ecdsa_key* /etc/ssh/ssh_host_ed25519_key*
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub   # record the new fingerprint for clients' known_hosts
systemctl restart sshd   # service name may be "ssh" on Debian-derived systems
Network Segmentation
All platforms: isolate Orchestrator management interfaces to trusted networks only
🧯 If You Can't Patch
- Implement strict network access controls to limit Orchestrator SSH access to trusted IPs only
- Monitor SSH connections to Orchestrator for suspicious activity and implement alerting
🔍 How to Verify
Check if Vulnerable:
Check whether the SSH host key matches the known shared keys from vulnerable versions: compute the fingerprint of ssh_host_rsa_key.pub (for example with ssh-keygen -lf) and compare it with the known vulnerable fingerprints. The same fingerprint appearing on more than one Orchestrator instance also indicates shared keys.
Check Version:
Check the Orchestrator web interface or CLI for version information, or consult the vendor documentation for version-checking commands.
Verify Fix Applied:
Verify that the SSH host keys changed after the patch was applied: compare the fingerprints of the ssh_host_*_key files with those recorded before the upgrade, and check that the files were modified after patch installation.
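The shared-key check above, automated over a set of Orchestrator hosts. This is an added example, not from the advisory and not an Aruba tool: it parses ssh-keyscan-style lines ("host keytype base64blob"), computes the same SHA256 fingerprint that ssh-keygen -lf prints, and reports any fingerprint presented by more than one host, which is exactly the condition this CVE describes. The host names and key blobs are constructed sample data, not real Orchestrator keys.

```python
import base64
import hashlib
from collections import defaultdict


def constructed_blob(label: str) -> str:
    """Constructed stand-in for a base64 host-key blob (not a real key)."""
    return base64.b64encode(label.encode()).decode()


# Constructed sample in ssh-keyscan output format. Two Orchestrator hosts are
# given the same blob to model the shared static host key; orch-c is unique.
SAMPLE_KEYSCAN = "\n".join([
    f"orch-a.example.net ssh-ed25519 {constructed_blob('shared-ed25519-key')}",
    f"orch-b.example.net ssh-ed25519 {constructed_blob('shared-ed25519-key')}",
    f"orch-c.example.net ssh-ed25519 {constructed_blob('unique-ed25519-key-c')}",
    f"orch-c.example.net ssh-rsa {constructed_blob('unique-rsa-key-c')}",
])


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(raw blob)) with
    the '=' padding removed, the format ssh-keygen -lf prints."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> list:
    """Parse ssh-keyscan lines into (host, keytype, fingerprint) tuples.
    Blank lines, comments and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        entries.append((host, keytype, fingerprint(blob)))
    return entries


def find_shared_host_keys(text: str) -> dict:
    """Return {fingerprint: sorted hosts} for every host key presented by more
    than one host. Host keys must be unique per instance, so any entry here
    means those instances share a key."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, fp in parse_keyscan(text):
        hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    shared = find_shared_host_keys(SAMPLE_KEYSCAN)
    if not shared:
        print("no shared host keys found")
    for fp, hosts in shared.items():
        print(f"SHARED host key {fp} on: {', '.join(hosts)}")
```

Run ssh-keyscan against your own Orchestrator instances and pass its output to find_shared_host_keys; a fingerprint reported for two or more instances means they still carry a shared key. The fingerprints are in the same form as ssh-keygen -lf output, so they can also be compared against the vendor's list of vulnerable fingerprints once you have it. Re-running the check after the upgrade confirms that every instance now presents a unique key, which covers the "Verify Fix Applied" step as well.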
📡 Detection & Monitoring
Log Indicators:
- Multiple SSH connection attempts from unexpected sources
- SSH host key mismatch warnings in client logs
- Unusual SSH authentication patterns
Network Indicators:
- SSH traffic to Orchestrator from unexpected network segments
- SSH host key fingerprint mismatches during connections
SIEM Query:
source="orchestrator*" AND (event="ssh*" OR protocol="ssh") AND (src_ip NOT IN trusted_ips OR dest_ip="orchestrator_ip")
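The log and network indicators above, turned into a small checker over sample sshd log lines. This is an added example, not part of the advisory and not an Aruba tool. It assumes the Orchestrator emits standard OpenSSH sshd syslog lines and that the trusted management network is 10.10.0.0/24 (both assumptions; the log lines are constructed). It flags SSH events from sources outside the trusted networks, which is what the SIEM query's src_ip NOT IN trusted_ips clause expresses, and sources with repeated failed or invalid-user attempts.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd syslog lines; not taken from any real Orchestrator.
SAMPLE_AUTH_LOG = """\
Jul 10 08:01:12 orchestrator sshd[2211]: Accepted publickey for admin from 10.10.0.5 port 51214 ssh2: ED25519 SHA256:constructed
Jul 10 08:02:40 orchestrator sshd[2230]: Failed password for admin from 192.0.2.77 port 40112 ssh2
Jul 10 08:02:43 orchestrator sshd[2230]: Failed password for admin from 192.0.2.77 port 40112 ssh2
Jul 10 08:02:47 orchestrator sshd[2230]: Failed password for admin from 192.0.2.77 port 40112 ssh2
Jul 10 08:03:01 orchestrator sshd[2251]: Invalid user root from 192.0.2.77 port 40120
Jul 10 08:05:00 orchestrator sshd[2270]: Accepted password for admin from 10.10.0.9 port 51300 ssh2
"""

# Assumed trusted management network; replace with your own segments.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Matches the common sshd auth events and extracts the source address.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Accepted|Failed|Invalid user)\s.*?\bfrom (?P<src>[0-9a-fA-F:.]+) port \d+"
)


def parse_ssh_events(text: str) -> list:
    """Return one dict per recognised sshd event: event type, source IP (as str), raw line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"event": m.group("event"), "src": m.group("src"), "raw": line})
    return events


def is_trusted(src: str, nets=TRUSTED_NETS) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)


def find_suspicious(text: str, threshold: int = 3, nets=TRUSTED_NETS) -> dict:
    """Flag (a) every source outside the trusted networks that touched sshd and
    (b) every source with at least `threshold` failed or invalid-user attempts."""
    events = parse_ssh_events(text)
    untrusted = sorted({e["src"] for e in events if not is_trusted(e["src"], nets)})
    failures = Counter(e["src"] for e in events if e["event"] in ("Failed", "Invalid user"))
    repeated = sorted(src for src, n in failures.items() if n >= threshold)
    return {"untrusted_sources": untrusted, "repeated_failures": repeated}


if __name__ == "__main__":
    result = find_suspicious(SAMPLE_AUTH_LOG)
    print("SSH from outside trusted networks:", result["untrusted_sources"])
    print("Sources with repeated failures:", result["repeated_failures"])
```

Feed it the Orchestrator's auth log (or the sshd events exported from your SIEM) and tune TRUSTED_NETS and the threshold to your environment. Host-key mismatch warnings are emitted by SSH clients, not by sshd, so the "REMOTE HOST IDENTIFICATION HAS CHANGED" indicator has to be collected from the management workstations or jump hosts that connect to the Orchestrator rather than from this log.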