HPE Aruba Networking EdgeConnect SD-WAN
cpe:2.3:h:silver-peak:unity_edgeconnect_sd-wan:*:*:*:*:*:*:*
- >= 9.5.0.0, <= 9.5.3.0
- >= 9.4.0.0, <= 9.4.3.0
- ~9.3
- ~9.2
A command injection vulnerability has been identified in the command line interface of HPE Aruba Networking EdgeConnect SD-WAN Gateways. This vulnerability allows authenticated attackers to exploit built-in script execution capabilities, potentially leading to the execution of arbitrary commands on the underlying operating system. The issue arises when the feature is enabled without proper security measures. Affected versions include EdgeConnect SD-WAN Release Stream 9.5.3.x and below, 9.4.3.x and below, as well as all versions of EdgeConnect SD-WAN 9.2.x.x and older, which are out of maintenance.
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands with root privileges on the underlying operating system.
Users are advised to upgrade to HPE Aruba Networking EdgeConnect SD-WAN versions 9.5.4.1 or 9.4.4.2. The HPE Aruba Networking EdgeConnect SD-WAN Orchestrator software version must be equal to or greater than the ECOS software version running on any HPE Aruba Networking EdgeConnect SD-WAN Gateways.