===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                              ESB-2024.1985.3                              
   VMware SD-WAN Edge and SD-WAN Orchestrator updates addresses multiple   
                         security vulnerabilities.                         
                               4 April 2024                                
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware SD-WAN Edge                                      
                   VMware SD-WAN Orchestrator                              
Publisher:         VMware                                                  
Operating System:  VMware                                                  
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2024-22248 CVE-2024-22246 CVE-2024-22247            

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2024-0008.html

Comment: CVSS (Max):  7.4 CVE-2024-22246 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: VMware                                               
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Revision History:  April  4 2024: Fixed bulletin title error
                   April 03 2024: Fixed product formatting issue
                   April 03 2024: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory ID: VMSA-2024-0008
CVSSv3 Range: 7.4-4.8
Issue Date: 2024-04-02
Updated On: 2024-04-02 (Initial Advisory)
CVE(s): CVE-2024-22246, CVE-2024-22247, CVE-2024-22248
Synopsis: VMware SD-WAN Edge and SD-WAN Orchestrator updates address multiple
security vulnerabilities.

1. Impacted Products

VMware SD-WAN Edge

VMware SD-WAN Orchestrator

2. Introduction

Multiple vulnerabilities in VMware SD-WAN were privately reported to VMware.
Patches and instructions are available to remediate the vulnerabilities in
affected VMware products.

3a. Unauthenticated Command Injection vulnerability in SD-WAN Edge
(CVE-2024-22246)

Description

VMware SD-WAN Edge contains an unauthenticated command injection vulnerability
potentially leading to remote code execution. VMware has evaluated the severity
of this issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.4.

Known Attack Vectors

A malicious actor with local access to the Edge Router UI during activation may
be able to perform a command injection attack that could lead to full control
of the router.

Resolution

To remediate CVE-2024-22246 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None

Notes

None.

Acknowledgements

VMware would like to thank Saif Aziz (@wr3nchsr) from CyShield for reporting
this issue to us.

3b. Missing Authentication and Protection Mechanism vulnerability in SD-WAN
Edge (CVE-2024-22247)

Description

VMware SD-WAN Edge contains a missing authentication and protection mechanism
vulnerability. VMware has evaluated the severity of this issue to be in the
Moderate severity range with a maximum CVSSv3 base score of 4.8.

Known Attack Vectors

A malicious actor with physical access to the SD-WAN Edge appliance during
activation can potentially exploit this vulnerability to access the BIOS
configuration. In addition, the malicious actor may be able to exploit the
default boot priority configured.

Resolution

To remediate CVE-2024-22247 apply the instructions listed in the 'Fixed
Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Saif Aziz (@wr3nchsr) from CyShield for reporting
this issue to us.

3c. Open redirect vulnerability in SD-WAN Orchestrator (CVE-2024-22248)

Description

VMware SD-WAN Orchestrator contains an open redirect vulnerability. VMware has
evaluated the severity of this issue to be in the Important severity range with
a maximum CVSSv3 base score of 7.1.

Known Attack Vectors

A malicious actor may be able to redirect a victim to an attacker controlled
domain due to improper path handling leading to sensitive information
disclosure.

Resolution

To remediate CVE-2024-22248 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Abdelrahman Adel (@K4r1it0) from CyShield for
reporting this issue to us.

Response Matrix

Product        Version Running CVE Identifier  CVSSv3 Severity  Fixed      Workarounds Additional
                       On                                       Version                Documentation
VMware SD-WAN  5.x     Any     CVE-2024-22246  7.4    important 5.0.1+     N/A         N/A
(Edge)
VMware SD-WAN  4.5.x   Any     CVE-2024-22246  7.4    important 4.5.1+     N/A         N/A
(Edge)
VMware SD-WAN  4.5.x/  Any     CVE-2024-22247  4.8    moderate  KB97391    N/A         N/A
(Edge)         5.x
VMware SD-WAN  Any     Any     CVE-2024-22248  N/A    N/A       Unaffected N/A         N/A
(Edge)
VMware SD-WAN  Any     Any     CVE-2024-22246, N/A    N/A       Unaffected N/A         N/A
(Orchestrator)                 CVE-2024-22247
VMware SD-WAN  5.x     Any     CVE-2024-22248  7.1    important 5.0.1+     N/A         N/A
(Orchestrator)

4. References

https://docs.vmware.com/en/VMware-SASE/5.4.0/rn/vmware-sase-540-release-notes/
index.html

https://docs.vmware.com/en/VMware-SASE/5.3.0/rn/vmware-sase-530-release-notes/
index.html

https://docs.vmware.com/en/VMware-SASE/5.2.0/rn/vmware-sase-520-release-notes/
index.html

https://docs.vmware.com/en/VMware-SASE/5.1.0/rn/vmware-sase-510-release-notes/
index.html

https://docs.vmware.com/en/VMware-SASE/5.0.0/rn/
VMware-SASE-5000-Release-Notes.html



Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22246

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22247

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22248

FIRST CVSSv3 Calculator:
CVE-2024-22246: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/
PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2024-22247: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:H/
PR:N/UI:N/S:U/C:N/I:L/A:H

CVE-2024-22248: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/
PR:N/UI:R/S:U/C:H/I:L/A:N



5. Change Log

2024-04-02 VMSA-2024-0008
Initial security advisory.

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================