TLStorm 2.0

In multiple models of both Aruba and Avaya switches, Armis has detected five vulnerabilities relating to the implementation of TLS communications. 

Using these vulnerabilities, there is a possibility that remote access could be gained to networks of enterprise companies, and confidential information could be stolen.

Following the disclosure of TLStorm last March, these findings serve as a follow-up. An attacker may be able to take control and, worse, damage the appliances via three critical flaws found in APC Smart-UPS devices.

NanoSSL, a popular TLS library offered by Mocana, was used inappropriately as the source of these vulnerabilities.

The security analysts at Armis discovered that several devices using Mocana NanoSSL are being sabotaged by the same problem even though they may come from two distinct switch vendors, but they got affected by the same misuse of NanoSSL.

Both Aruba and Avaya Networking have switches that are vulnerable to RCE flaws and over the network, all these RCE flaws can be exploited by the threat actors. And apart from this, the new set of flaws, dubbed TLStorm 2.0.

Affected Devices

The following devices are among the affected ones:-

  • Avaya ERS3500 Series
  • Avaya ERS3600 Series
  • Avaya ERS4900 Series
  • Avaya ERS5900 Series
  • Aruba 5400R Series
  • Aruba 3810 Series
  • Aruba 2920 Series
  • Aruba 2930F Series
  • Aruba 2930M Series
  • Aruba 2530 Series
  • Aruba 2540 Series

Vulnerabilities Detected

The vulnerabilities were due to what Armis called an “edge case,” an inability to follow the guidelines regarding the NanoSSL library, which could have led to RCE (Remote Code Execution).

And here we have mentioned all the security flaws detected by the security analysts:-

  • CVE ID: CVE-2022-23676 
  • Summary: Two memory corruption vulnerabilities in the RADIUS client implementation of Aruba switches.
  • CVSS score: 9.1
  • Severity: Critical
  • CVE ID: CVE-2022-23677
  • Summary: NanoSSL misuse on multiple interfaces in Aruba switches.
  • CVSS score: 9.0
  • Severity: Critical
  • CVE ID: CVE-2022-29860
  • Summary: TLS reassembly heap overflow vulnerability in Avaya switches.
  • CVSS score: 9.8
  • Severity: Critical
  • CVE ID: CVE-2022-29861
  • Summary: HTTP header parsing stack overflow vulnerability in Avaya switches.
  • CVSS score: 9.8
  • Severity: Critical
  • CVE ID: N/A 
  • Flaw: HTTP POST request handling heap overflow vulnerability in a discontinued Avaya product line.
  • CVSS score: N/A
  • Severity: N/A

Exploitation of RCE

It is important to remember that the exploitation of RCE vulnerabilities can lead to many things, such as:-

  • Breaking of network segmentation.
  • It is possible to add more devices to the switch by changing its behavior of it so that additional devices could move sideways.
  • Breach corporate network security and initiate data exfiltration.
  • Data exfiltration from internal networks to the internet is caused by the transmission of sensitive information.
  • A successful escape from the captive portal.

Moreover, the security flaws found in Avaya switches are not limited to being exploitable through unauthenticated packets of network data, meaning that they can be exploited without the involvement of the user.

In short, the security flaws found in Avaya switches are zero-day flaws. It is highly recommended that organizations that employ devices from Avaya and Aruba are patched as soon as possible so that they remain protected.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.