A severe vulnerability (CVE-2023-28461) in Array Networks' vxAG ArrayOS has been disclosed, allowing unauthenticated attackers to bypass authentication mechanisms and gain administrative access to affected systems. This critical flaw impacts versions before 10.2r1 and poses significant risks to enterprise networks using these appliances for secure remote access.

Understanding the Vulnerability

The vulnerability resides in the authentication component of ArrayOS, the operating system powering Array Networks' vxAG application delivery controllers. Attackers can exploit this flaw by sending specially crafted requests to the management interface, effectively bypassing password requirements and gaining full system control without valid credentials.

Key characteristics of CVE-2023-28461:
- CVSS v3.1 Base Score: 9.8 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None

Affected Products and Versions

The vulnerability specifically impacts:
- Array Networks vxAG appliances running ArrayOS
- All versions prior to 10.2r1

Organizations using these devices for:
- SSL VPN services
- Secure remote access solutions
- Application delivery controllers

Should immediately verify their deployment versions.

Potential Impact and Risks

Successful exploitation of this vulnerability could allow attackers to:
- Gain administrative access to the appliance
- Modify network configurations
- Intercept encrypted traffic
- Use the compromised device as a pivot point into internal networks
- Deploy persistent backdoors

Given that these devices typically sit at network perimeters, the potential for lateral movement into protected networks is particularly concerning.

Detection and Mitigation

Immediate Workarounds

While awaiting patching, organizations can:
1. Restrict management interface access to trusted IPs only
2. Implement network segmentation to isolate vxAG appliances
3. Monitor for unusual authentication attempts

Permanent Fix

Array Networks has released ArrayOS version 10.2r1 to address this vulnerability. The update includes:
- Proper authentication validation checks
- Enhanced request verification
- Additional security hardening measures

Remediation Steps

  1. Inventory Check: Identify all vxAG appliances in your environment
  2. Version Verification: Confirm current ArrayOS versions
  3. Patch Implementation: Upgrade to 10.2r1 following Array Networks' guidelines
  4. Post-Patch Validation: Verify proper functionality after update
  5. Monitoring: Implement enhanced logging for authentication events

CISA Advisory and Response

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch by specified deadlines. Private sector organizations are strongly encouraged to follow suit.

Best Practices for ArrayOS Security

Beyond addressing this specific vulnerability, organizations should:
- Regularly review and update appliance firmware
- Implement multi-factor authentication where possible
- Conduct periodic security assessments of network appliances
- Maintain comprehensive logging of administrative activities
- Develop incident response plans specific to network appliance compromises

Timeline and Disclosure

  • Vulnerability discovered: March 2023
  • Vendor notification: March 2023
  • Patch released: April 2023
  • Public disclosure: May 2023

Looking Forward

This incident highlights the critical importance of:
1. Timely patch management for network appliances
2. Regular security assessments of perimeter devices
3. Defense-in-depth strategies for network security

Organizations using Array Networks products should prioritize remediation of this vulnerability given its critical nature and the sensitive position these appliances typically occupy in network architectures.