Several lines of network switches made by Aruba Networks, owned by Hewlett Packard Enterprise, and Avaya, owned by Extreme Networks, are vulnerable to attacks that could allow attackers to disrupt network segments, leak data from internal networks to the Internet, and escape captive portals. These The flaw stems from mistakes made by vendors implementing popular embedded TLS libraries.
The vulnerabilities are rated critical and could lead to remote code execution (RCE), according to researchers at the security firm Armis, who discovered them.Collectively known as TLSStorm 2.0, the vulnerabilities could give attackers full control, often without authentication, of switches deployed in various enterprise networks, which are also used to isolate airports, hospitals, hotels and other organizations.
“Over the past few months, we have seen an increasing number of vulnerabilities in popular libraries, two of the most notable being Log4Shell and Spring4Shell,” Armis researchers said in their report. “While It’s clear that almost every software depends on external libraries, but these libraries introduce new risks to managed software. In the case of Mocana NanoSSL, the manual clearly states proper cleanup in case of connection errors, but We’ve seen multiple vendors not handling errors properly, resulting in memory corruption or state confusion errors.”
NanoSSL is a closed-source high-performance TLS library for embedded devices for over a decade.It was developed by Mocana, an IoT security company recently acquired by DigiCert.Armis researchers first discovered critical vulnerabilities dubbed TLStorm in APC SmartUPS devices, which stemmed from manufacturers failing to follow some implementation recommendations made by NanoSSL developers.
Often, implementation flaws are common when it comes to cryptographic libraries, and can provide a way to exploit known weaknesses in those libraries that rely on proper and secure implementations to mitigate.This is the case with the APC SmartUPS vulnerability, which is in the code that glues the vendor logic and NanoSSL library together.
While investigating the TLStorm vulnerability, Armis found dozens of devices using the NanoSSL library in its existing database of device profiles, some of which were network switches made by Aruba and Avaya.This led them to find the same library implementation issues and issues with similarly severe impacts in these devices.These new vulnerabilities are called TLSStorm 2.0.
For security reasons, network switches are often used to isolate virtual local area network (VLAN) segments from each other.For example, organizations often isolate guest networks (Wi-Fi or wired) from the larger corporate network, or isolate critical devices or servers within their own more restricted network segments that do not have additional without access from the wider corporate network.verify.
A common feature of authenticating network access is through so-called captive portals.These are essentially web pages displayed to newly connected users requiring them to authenticate or accept certain terms and conditions before gaining access to the Internet or other network resources.Captive portals are common in guest networks, both Wi-Fi and wired, in environments ranging from airports, hospitals, and hotels to coffee shops, apartment buildings, and business centers.
“Using the TLStorm 2.0 vulnerability, an attacker could abuse a captive portal and gain remote code execution through the switch without authentication,” said Armis researchers.”Once the attacker has control of the switch, he can completely disable the captive portal and connect freely to the corporate network.”
Once an attacker has control of the switch, they can also bypass network segmentation and hop from one VLAN to another.This allows lateral movement across networks and potential network segments that should be isolated from the Internet.
NanoSSL implementation bugs in Aruba switches can be exploited through TLS connections with captive portal functionality as well as through the RADIUS protocol.RADIUS is a client-server network authentication and authorization protocol used to provide centralized management of users accessing network services.The network switch includes a RADIUS client that connects to a central RADIUS server to request access to various resources.
“A vulnerability in the handling of RADIUS connections could allow an attacker to intercept a RADIUS connection through a man-in-the-middle attack to gain RCE through the switch without user interaction,” Armis researchers said.
Additionally, users of captive portals can take control of vulnerable switches prior to authentication.Since both issues stem from incorrect TLS connection handling via NanoSSL in Aruba switches, they are tracked together as CVE-2022-23677 (9.0 CVSS severity score).The researchers also discovered two memory corruption issues in the RADIUS client of Aruba switches that could lead to the execution of attacker-controlled data via a heap overflow.These are individually tracked as CVE-2022-23676 (9.1 CVSS score).
The Aruba switch models affected by these flaws are: Aruba 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series, and 2540 Series.
The vulnerabilities found in Avaya switches can be exploited through the web management portal, and none of them require authentication.A flaw with a severity score of 9.8 (CVE-2022-29860) is a heap overflow caused by TLS reassembly.This is due to improper validation of NanoSSL return values when processing POST requests to the web server.
A separate vulnerability in the HTTP header parsing of Avaya switches could also lead to an attacker-controlled stack overflow and remote code execution when handling multipart form data as well as non-null terminated strings.This is tracked separately as CVE-2022-29861 (9.8 CVSS score).
A third RCE vulnerability that did not receive a CVE ID was also found in the discontinued Avaya product line due to a missing bugcheck related to the NanoSSL library.Since the affected products are no longer maintained, the vulnerability is unlikely to receive a patch, but Armis data shows that affected devices are still in use in the wild.
Avaya devices affected by TLStorm 2.0 are: ERS3500 series, ERS3600 series, ERS4900 series, and ERS5900 series.
According to Armis, there is no indication that the TLStorm 2.0 vulnerability has been widely exploited, and both Aruba (HPE) and Avaya (Extreme Networks) have contacted customers and issued patches for most of the vulnerabilities.These are available through their respective customer support portals.
Additionally, Armis recommends implementing a network monitoring solution that can identify exploit attempts for these and other vulnerabilities and limit the attack surface of the device by blocking guest network access to its management portal or restricting it to dedicated management ports.
[Learn about the must-have capabilities of a modern cybersecurity architecture and the 7 principles of Zero Trust.| Subscribe to our newsletter to get the latest news from CSOs.]
Lucian Constantin is a CSO Senior Writer responsible for Information Security, Privacy, and Data Protection.
Post time: May-10-2022
