Security researchers recently uncovered five flaws in network equipment from Aruba (owned by HP) and Avaya (owned by Extreme Networks). The flaws could allow malicious actors to remotely execute malware on the devices. The impact of a successful attack ranges from data breaches and complete device control to lateral movement and bypassing network segmentation measures.
The vulnerability set was named “TLStorm 2.0” by security experts from Armis, a cybersecurity firm specializing in connected devices, because it belongs to the same class as the NanoSSL TLS library misuse they had earlier disclosed in popular APC UPS models. The researchers found that devices from other vendors carry the same kind of security vulnerabilities, and they published a list of affected products:
- Avaya ERS3500
- Avaya ERS3600
- Avaya ERS4900
- Avaya ERS5900
- Aruba 2530 Series
- Aruba 2540 Series
- Aruba 2920 Series
- Aruba 2930F Series
- Aruba 2930M Series
- Aruba 3810 Series
- Aruba 5400R Series
Network switches are widespread in business networks because they enforce segmentation, a security strategy that is becoming increasingly important in bigger organizations. Their job is to operate as a network bridge, connecting devices to the network and receiving and forwarding data to the target device using packet switching and MAC addresses.
External libraries are typically a quick and cost-effective option, but they can also introduce implementation problems and security concerns. This makes such shared components an attractive place for attackers to look for exploitable weaknesses. The root cause of TLStorm 2.0 is that the manufacturers’ “glue logic” code does not follow the NanoSSL requirements, which can result in RCE (remote code execution).
NanoSSL is used by Aruba for both the RADIUS authentication server and the captive portal system. CVE-2022-23677 and CVE-2022-23676 were assigned to flaws in the way the library was integrated, which can result in heap overflows with attacker-controlled data. The library implementation on Avaya presents three flaws: a TLS reassembly memory overflow (CVE-2022-29860), an HTTP header parsing stack overflow (CVE-2022-29861), and an HTTP POST request handling overflow. Missing error checks, missing validation stages, and faulty boundary checks are the causes of the issues. These problems stem from the vendors’ implementation of the library, not from the library itself.
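As an added illustration (a constructed example, not the vendors’ or Armis’s code), the hardened half of a header-value copy shows the length bound and error checks whose absence the report describes for the HTTP header parsing flaw; the weak glue-logic pattern appears only in a comment and is never executed.

```c
#include <stddef.h>
#include <string.h>

#define HEADER_VALUE_MAX 64   /* fixed-size buffer supplied by the caller */

enum hdr_status { HDR_OK = 0, HDR_NO_COLON = -1, HDR_TOO_LONG = -2, HDR_BAD_ARG = -3 };

/* Weak pattern (constructed, not vendor code): the separator is checked,
 * but the copy has no bound, so an over-long value overruns the buffer:
 *
 *   const char *colon = strchr(line, ':');
 *   if (!colon) return -1;
 *   strcpy(value, colon + 1);        // no length check
 */

/* Hardened version: treat the line as untrusted network data with a known
 * length, validate every step, and report failure instead of truncating. */
enum hdr_status header_value(const char *line, size_t line_len,
                             char *value, size_t value_sz)
{
    if (!line || !value || value_sz == 0) return HDR_BAD_ARG;

    /* Search within the known length; do not assume a NUL terminator. */
    const char *colon = memchr(line, ':', line_len);
    if (!colon) return HDR_NO_COLON;

    const char *v = colon + 1;
    size_t v_len = (size_t)(line + line_len - v);

    /* Trim optional whitespace and the line terminator around the value. */
    while (v_len && (*v == ' ' || *v == '\t')) { v++; v_len--; }
    while (v_len && (v[v_len - 1] == ' ' || v[v_len - 1] == '\t' ||
                     v[v_len - 1] == '\r' || v[v_len - 1] == '\n')) v_len--;

    /* The boundary check the weak pattern lacks: the value plus its
     * terminator must fit, otherwise reject the request. */
    if (v_len >= value_sz) return HDR_TOO_LONG;

    memcpy(value, v, v_len);
    value[v_len] = '\0';
    return HDR_OK;
}

/* Runs three constructed inputs through the parser; returns 1 if all behave. */
int self_check(void)
{
    char buf[HEADER_VALUE_MAX];
    const char ok[] = "Host: switch.example\r\n";          /* 22 bytes */
    char big[200];
    memset(big, 'A', sizeof big);
    memcpy(big, "X-Long: ", 8);                             /* 192-byte value */
    return header_value(ok, sizeof ok - 1, buf, sizeof buf) == HDR_OK
        && strcmp(buf, "switch.example") == 0
        && header_value(big, sizeof big, buf, sizeof buf) == HDR_TOO_LONG
        && header_value("nocolon", 7, buf, sizeof buf) == HDR_NO_COLON;
}
```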
Armis describes two critical exploitation scenarios, escaping a captive portal and breaking network segmentation, both of which enable high-impact attacks. In the captive portal scenario, the attacker is shown the web page of a restricted network resource that requires authentication, payment, or some other type of access token. Hotel chains, airports, and business centers are familiar places to find captive portals.
Using TLStorm 2.0, the attacker may remotely execute code on the switch, circumventing the captive portal’s restrictions or removing it entirely. In the second scenario, an attacker can use the flaws to break network segmentation and gain access to any section of the IT network, pivoting easily from the “guest” to the “corporate” segment.
Three months ago, Armis alerted Aruba and Avaya to the TLStorm 2.0 vulnerabilities and worked with them at a technical level. According to the researchers, affected customers have been notified, and fixes addressing most of the vulnerabilities have been delivered. Armis also said it is not aware of any TLStorm 2.0 flaws being exploited.