Analysis Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Array Networks AG and vxAG secure access gateways to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2023-28461 (CVSS score: 9.8), involves missing authentication, allowing remote code execution via HTTP header flags without authentication. The flaw was patched in March 2023 with version 9.4.0.484.

Array Networks described the vulnerability as exploitable through a specific URL, enabling attackers to browse the filesystem or execute code on the SSL VPN gateway. The update to the KEV catalog follows reports of active exploitation by Earth Kasha (aka MirrorFace), a China-linked cyber espionage group. Earth Kasha has targeted vulnerabilities in Array AG, Proself (CVE-2023-45727), and Fortinet FortiOS/FortiProxy (CVE-2023-27997) for initial access. Known for targeting Japanese entities, Earth Kasha has also attacked organizations in Taiwan, India, and Europe.

Recently, Earth Kasha exploited the flaw to deliver the ANEL backdoor to a European diplomatic entity, using the upcoming World Expo 2025 as a lure. Federal agencies have until December 16, 2024, to apply patches to secure their networks.

The inclusion of this vulnerability highlights broader concerns about China's exploitation of vulnerabilities. VulnCheck reports 15 Chinese hacking groups abusing at least one of 2023's most exploited flaws, with over 440,000 exposed hosts globally. Experts recommend robust patch management, limiting internet-facing exposure, and leveraging strong threat intelligence to mitigate risks.

Impact

• Cyber Espionage
• Remote Code Execution
• Unauthorized Gain Access

Indicators of Compromise

CVE

• CVE-2023-28461

Remediation

• Refer to Array Networks Website for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the vulnerabilities mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.