As many as eight out of 10 companies could be at risk from five newly disclosed vulnerabilities in widely used communications switches.
Flaws in the implementation of transport layer security (TLS) communications have been found to leave a number of commonly used switches built by HP-owned Aruba and Extreme Networks-owned Avaya at risk of remote code execution (RCE).
Discovered by Armis, the set of vulnerabilities for Aruba includes NanoSSL misuse on multiple interfaces (CVE-2022-23677) and RADIUS client memory corruption vulnerabilities (CVE-2022-23676), while for Avaya it includes a TLS reassembly heap overflow (CVE-2022-29860) and an HTTP header parsing stack overflow (CVE-2022-29861).
A further vulnerability for Avaya was found in the handling of HTTP POST requests, but it has no CVE identifier because it was found in a discontinued product line, meaning no patch will be issued despite Armis data showing these devices can still be found in the wild.
According to Armis data, almost eight out of 10 companies are exposed to these vulnerabilities.
The vulnerabilities, which have been dubbed TLStorm 2.0, were discovered in the wake of the original TLStorm disclosures in March 2022.
For reference, the original TLStorm moniker was applied to a set of critical vulnerabilities in APC Smart-UPS devices and enabled an attacker to take control of them from the internet with no user interaction by misusing Mocana’s NanoSSL TLS library.
Such incidents, in which a flaw in a widely embedded third-party library exposes every product built on it, are becoming increasingly widespread, with the most famous recent disclosure arguably being Log4Shell.
Now, using its own database of billions of devices and device profiles, Armis’s researchers claim they have found dozens more devices using the Mocana NanoSSL library, and both Aruba and Avaya devices have turned out to be at risk of the misuse of said library. This arises because the glue logic – the code that links the vendor logic and the NanoSSL library – does not follow the NanoSSL manual guidelines.
Armis research head Barak Hadad said that although it was clear that almost all software relies on external libraries to some degree, these libraries will always present some degree of risk to the hosting software. In this case, Hadad said the Mocana NanoSSL manual has clearly not been followed properly by multiple suppliers.
“The manual clearly states the proper cleanup in case of connection error, but we have already seen multiple vendors not handling the errors properly, resulting in memory corruption or state confusion bugs,” wrote Hadad in a disclosure blog published on 3 May 2022.
He said the exploitation of these vulnerabilities could enable attackers to break out of network segmentation and achieve lateral movement to additional devices by changing the behaviour of the vulnerable switch, leading to data exfiltration of network traffic or sensitive information, and captive portal escape.
Hadad warned that TLStorm 2.0 could be especially dangerous for any organisation or facility running a free Wi-Fi service, such as airports, hospitality venues and retailers.
“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation can no longer act as a sufficient security measure,” he wrote.
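The cleanup-on-error failure Hadad describes above, shown as an added illustration in C that is not Armis's code nor either vendor's firmware: the TLS context, handshake routine and connection slot are hypothetical stand-ins for a library and its vendor-side glue, not NanoSSL's real API. The buggy accept path returns on a handshake error without releasing anything, so the slot stays marked as live with a context that never completed a handshake; the fixed path releases state on every error.

```c
#include <stdlib.h>
#include <stdbool.h>

/* Hypothetical stand-in for a TLS library context (not NanoSSL's real API). */
typedef struct { bool handshake_done; unsigned char *recv_buf; } tls_ctx;
/* Per-connection slot kept by the vendor-side "glue" code. */
typedef struct { tls_ctx *tls; bool in_use; } conn_slot;

static tls_ctx *tls_new(void) {
    tls_ctx *c = calloc(1, sizeof *c);
    if (c) c->recv_buf = calloc(1, 512);
    return c;
}
static void tls_free(tls_ctx *c) { if (c) { free(c->recv_buf); free(c); } }

/* Simulated handshake: a record that does not carry the TLS handshake content
 * type (0x16) is reported as a connection error, as a real library would. */
static int tls_handshake(tls_ctx *c, const unsigned char *rec, size_t n) {
    if (n < 5 || rec[0] != 0x16) return -1;
    c->handshake_done = true;
    return 0;
}

/* Buggy glue: the error path leaves the slot "in use" holding a context that
 * never finished its handshake (state confusion) and never frees it (leak).
 * Later code that trusts in_use may then operate on half-initialised state. */
int accept_buggy(conn_slot *s, const unsigned char *rec, size_t n) {
    s->tls = tls_new();
    s->in_use = true;
    if (!s->tls || tls_handshake(s->tls, rec, n) != 0) return -1;
    return 0;
}

/* Fixed glue: every error path releases the context and resets the slot, so a
 * failed connection leaves no state behind for the next connection to inherit. */
int accept_fixed(conn_slot *s, const unsigned char *rec, size_t n) {
    tls_ctx *c = tls_new();
    if (!c || tls_handshake(c, rec, n) != 0) {
        tls_free(c);
        s->tls = NULL;
        s->in_use = false;
        return -1;
    }
    s->tls = c;
    s->in_use = true;
    return 0;
}

/* Constructed sample records: wrong content type (0x17) and a handshake record (0x16). */
const unsigned char BAD_REC[5]  = {0x17, 0x03, 0x03, 0x00, 0x00};
const unsigned char GOOD_REC[5] = {0x16, 0x03, 0x03, 0x00, 0x00};
```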
In terms of mitigations, Armis said that organisations deploying impacted Aruba devices should patch them immediately through the Aruba Support Portal, while those deploying impacted Avaya devices should check security advisories immediately in the Avaya Support Portal.
On top of specific vendor mitigations, multiple network protection layers can also be applied to mitigate the risk, including network monitoring and limiting the attack surface, for example by blocking the exposure of the management portal to guest network ports.
The affected devices for Aruba are the 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series and 2540 Series; the affected Avaya devices are the ERS3500 Series, ERS3600 Series, ERS4900 Series and ERS5900 Series.
All the vulnerabilities were reported to the relevant suppliers, which worked with Armis to issue patches that address most of the problems.