Description
EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared static SSH host keys for all installations. This vulnerability could allow an attacker to spoof the SSH host signature and thereby masquerade as a legitimate Orchestrator host.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected products
- Hewlett Packard Enterprise (HPE) / EdgeConnect SD-WAN OrchestratorOrchestrator 9.3.x – <=9.3.0
- Hewlett Packard Enterprise (HPE) / EdgeConnect SD-WAN OrchestratorOrchestrator 9.2.x – <=9.2.5
- Hewlett Packard Enterprise (HPE) / EdgeConnect SD-WAN OrchestratorOrchestrator 9.1.x – <=9.1.7