Description
Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
High
Integrity (Subsequent System)
High
Availability (Subsequent System)
High
Affected products
- Array Networks / vAPV8.3.2.17 – 8.3.2.17
- Array Networks / vxAG9.2.0.34 – 9.2.0.34
References
- EXPLOIThttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
- MISChttps://packetstorm.news/files/id/125761
- EXPLOIThttps://www.exploit-db.com/exploits/32440
- VENDOR_ADVISORYhttps://www.vulncheck.com/advisories/array-networks-vapv-vxag-default-credential-privilege-escalation