Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise.
The attacker authenticates remotely via SSH using default login credentials or a hardcoded DSA private key embedded in the device software. After gaining access with limited privileges, they overwrite the /ca/bin/monitor.sh file, which has write permissions for all users (world-writable), with their own malicious code. They then activate monitor debug mode using the 'backend -c "debug monitor on"' command, which causes the modified script to be executed with root privileges through the backend binary.
The attacker gains full system takeover with root privileges (RCE as root), which means the ability to arbitrarily modify device configuration, steal data, and perform further lateral movement in the network.
Apply patches available from the manufacturer according to the references. As immediate actions, it is recommended to: block external SSH access to devices at the firewall level, change or disable default SSH accounts, and monitor the integrity of the /ca/bin/monitor.sh file.
Array Networks vAPV version 8.3.2.17 and Array Networks vxAG version 9.2.0.34
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X