Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches

Aruba en Avaya netwerkswitches News

Cybersecurity experts have identified five serious security vulnerabilities in TLS protocol implementation in several Aruba models and Avaya switch models. These flaws could allow for remote access to corporate networks, and the theft of valuable information.

These findings are in response to the March disclosure of TLStorm. It is a series of critical flaws found in APC SmartUPS devices which could allow an attacker take control of the device and cause damage.

IoT security firm Armis, which uncovered the shortcomings, noted that the design flaws can be traced back to a common source: a misuse of NanoSSL, a standards-based SSL developer suite from Mocana, a DigiCert subsidiary.

The new set of flaws, dubbed TLStorm 2.0, renders Aruba and Avaya network switches vulnerable to remote code execution vulnerabilities, enabling an adversary to commandeer the devices, move laterally across the network, and exfiltrate sensitive data.

Affected devices include Avaya ERS3500 Series, ERS3600 Series, ERS4900 Series, and ERS5900 Series as well as Aruba 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series, and 2540 Series.

Armis chalked up the flaws to an “edge case,” a failure to adhere to guidelines pertaining to the NanoSSL library that could result in remote code execution. This is the –

bug list.

  • CVE-2022-23676 (CVSS score: 9. 1) – Two memory corruption vulnerabilities in the RADIUS client implementation of Aruba switches
  • CVE-2022-23677 (CVSS score: 9.0) – NanoSSL misuse on multiple interfaces in Aruba switches
  • CVE-2022-29860 (CVSS score: 9. 8) – TLS reassembly heap overflow vulnerability in Avaya switches
  • CVE-2022-29861 (CVSS score: 9. 8) – HTTP header parsing stack overflow vulnerability in Avaya switches
  • HTTP POST request handling heap overflow vulnerability in a discontinued Avaya product line (no CVE)

Even more concerningly, the vulnerabilities found in Avaya switches are zero-click, meaning they can be activated via unauthenticated network packets without any user interaction.

“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure,” Barak Hadad, head of research in engineering at Armis, said.

Organizations that deploy affected Avaya or Aruba devices should apply patches to prevent any exploit attempts.

Rate author