Security researchers have discovered five vulnerabilities in network equipment from Aruba (owned by HP) and Avaya (owned by ExtremeNetworks), that could allow malicious actors to execute code remotely on the devices.
The damage caused by a successful attack ranges from data breach and complete device takeover to lateral movement and overriding network segmentation defenses.
Security researchers from Armis cybersecurity company specialized on connected devices dubbed the vulnerability set “TLStorm 2.0” as the discovery is in the same class of issues as the of misuse of the NanoSSL TLS library, which they reported on popular APC UPS models.
The analysts found that devices from other vendors have identical security risks and provided a list of affected products:
- Avaya ERS3500
- Avaya ERS3600
- Avaya ERS4900
- Avaya ERS5900
- Aruba 5400R Series
- Aruba 3810 Series
- Aruba 2920 Series
- Aruba 2930F Series
- Aruba 2930M Series
- Aruba 2530 Series
- Aruba 2540 Series
External libraries on switches
Network switches are common elements in corporate networks, helping to enforce segmentation, a security practice that is fundamental these days in larger environments.
Their role is to act as a network bridge, connecting devices to the network and using packet switching and MAC addresses to receive and forward data to the destination device.
Using external libraries is often a convenient and cost-saving solution but sometimes this comes with implementation errors and security issues.
This practice motivates hackers to look into these tiny building blocks to find potentially exploitable flaws.
In the case of TLStorm 2.0, the cause of the problem is that the “glue logic” code used by the vendors isn’t compliant with the NanoSSL guidelines, leading to potential RCE (remote code execution).
On Aruba, NanoSSL is used for the Radius authentication server and also for the captive portal system. The way it has been implemented can lead to heap overflows of attacker data, tracked as CVE-2022-23677 and CVE-2022-23676.
On Avaya, the library implementation introduces three flaws, a TLS reassembly heap overflow (CVE-2022-29860), an HTTP header parsing stack overflow (CVE-2022-29861), and an HTTP POST request handling overflow.
The problems arise from missing error checks, missing validation steps, and improper boundary checks.
These issues are not in the library itself but in the way the vendor implemented it.
Armis presents two main exploitation scenarios that allow escaping a captive portal or breaking network segmentation, both opening up the way to high-impact cyberattacks.
In the captive portal scenario, the attacker accesses the web page of a limited network resource that requires authentication, payment, or some other form of an access token. These captive portals are typically found in hotel networks, airports, and business centers.
By exploiting TLStorm 2.0, the attacker can execute code remotely on the switch, bypassing the captive portal’s restrictions or even disabling it altogether.
Bypassing network segmentation restrictions (Armis)
In the second scenario, an attacker can use the vulnerabilities to break network segmentation and access any parts of the IT network, pivoting freely from the “guest” space to the “corporate” segment.
Armis informed Aruba and Avaya about the TLStorm 2.0 vulnerabilities three months ago, and collaborated with them on a technical level.
The threat analysts told BleepingComputer that affected customers have been notified, and patches that address most of the vulnerabilities have been issued.
Additionally, Armis told us that they are not aware of TLStorm 2.0 vulnerabilities being exploited.