Patches issued for vulnerabilities arising from misuse of NanoSSL TLS library
Critical security vulnerabilities in the implementation of TLS encryption in a raft of popular network switches have put millions of devices deployed in enterprise and critical infrastructure environments at risk.
Security researchers unearthed five remote code execution (RCE) vulnerabilities affecting various Aruba and Avaya devices that could result in the exfiltration of network traffic or sensitive information, as well as breakage of network segmentation and lateral movement to additional devices.
The vulnerable models are deployed in a variety of contexts, including airports, hospitals, and hotels.
Researchers from IoT security firm Armis said they had found no indication that the vulnerabilities have been exploited.
Collectively dubbed ‘TLStorm 2.0’, the flaws arise from the misuse of Mocana’s NanoSSL TLS library, which accounted for another three vulnerabilities in other networking devices documented by Armis a few weeks ago.
Disclosed back in March, the ‘TLStorm 1.0’ flaws could enable attackers to cause physical damage to Schneider Electric’s APC Smart-UPS devices, which provide emergency backup power to network devices, as well as to connected devices.
Several Aruba switch models – series 5400R, 3810, 2920, 2930F, 2930M, 2530, 2540 – are said to be vulnerable to two of the latest flaws.
Tracked as CVE-2022-23677, and with a near-maximum CVSS score of 9.0, an RCE issue arises from mishandled TLS connections on the RADIUS authentication client and captive portal, a login web page governing access to network resources.
Consequently, an attacker could potentially intercept the RADIUS connection via a manipulator-in-the-middle (MitM) attack to gain RCE over the switch with no user interaction.
With a CVSS of 9.1, CVE-2022-23676 relates to two memory corruption vulnerabilities in the RADIUS client that lead to heap overflows of attacker-controlled data.
The other three RCE vulnerabilities are ‘zero-click’ issues affecting the web management portal of Avaya Series ERS3500, ERS3600, ERS4900, and ERS5900.
They include a pair of CVSS-9.8 rated issues, including a heap overflow (CVE-2022-29860) and stack overflow (CVE-2022-29861).
The third flaw, another heap overflow issue, affects a discontinued Avaya product line and therefore won’t be patched, although data allegedly shows that these devices can still be found in the wild, according to Armis.
Patches and mitigations
Most of the vulnerabilities have been patched, said Armis. A spokesperson for HPE, which owns Aruba, told The Daily Swig:
“HPE is aware of this issue, which impacts a limited number of switch models and firmware versions, and is working on a firmware update to address it. In the interim, we are advising customers using affected products to implement firewall controls to protect themselves. We are not aware of any exploitation of this vulnerability involving Aruba customers.
“For additional information, please see the security advisory.”
The Daily Swig has also invited Avaya researchers to comment. We will update this story if they respond.
‘Yet to be found’
Barak Hadad, head of research at Armis, told The Daily Swig that it was noteworthy that developers from three vendors, “working on completely different codebases, made the same mistake” in implementing NanoSSL incorrectly.
“We believe that other devices that misuse the NanoSSL library in the same way are yet to be found.”
He added that the TLStorm 2.0 flaws contradict the widely-held belief that network segmentation is “a bulletproof security mechanism”.
Armis researchers will discuss the TLStorm vulnerabilities at Black Hat Asia 2022 next week.
YOU MIGHT ALSO LIKE Path traversal flaw found in OWASP enterprise security testing library