Critical vulnerabilities in millions of Avaya and Aruba switches could allow attackers to gain control and breach private networks with no authentication – and patches are not yet available for all devices.
Patched firmware for some Aruba and Avaya switch vulnerabilities is available – but some switches definitely won’t see patches until July. Some vulnerable Avaya switches have been discontinued, and Avaya will not issue a patch for these.
The Aruba and Avaya switch vulnerabilities, dubbed TLStorm 2.0 by the researchers at Armis Security who documented them, stem from equipment vendors not following guidelines for using the Mocana NanoSSL library. In March Armis disclosed how the same library – also misconfigured by equipment manufacturers – could allow attackers to gain access to APC smart UPS devices.
NanoSSL is a widely-used proprietary TLS library, which is pitched by its owner Mocana as being more secure than the open-source OpenSSL library.
"The root cause for these vulnerabilities was flaws in NanoSSL library, that were applicable when certain guidelines were not properly followed by the vendor using the library," said Barak Hadad, head of research at Armis, in a blog post.
"The vulnerabilities themselves lay within the glue-logic – the code that glues together the vendor logic and the NanoSSL library. When this code fails to adhere to certain guidelines specified in the NanoSSL manual, an edge case that leads to remote code execution can arise."
See also: The 10 most-exploited vulnerabilities of 2021: Not patched? Likely pwned…
Armis estimates around 10 million devices used by large organisations around the world could be affected by the Avaya and Aruba switch vulnerabilities – though the company said it was not aware of any in-the-wild exploits.
While exploitation of the vulnerabilities would require local access to a network using an affected switch, this could be as simple as accessing a guest Wi-Fi network.
Once an attacker has access to the guest network, they can use an exploit to move beyond and disable a captive portal – commonly used on networks designed to be accessed by the public – and gain access to private VLANs, or change the configuration of a VLAN. After this, an attacker could have wide access to a network and devices on it.
“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure,” said Hadad.
Avaya and Aruba switch vulnerabilities remain unpatched
Affected devices include Avaya ERS3500, ERS3600, ERS4900 and ERS5900 series switches. Aruba devices affected include 5400R, 3810, 2920, 2930F, 2930M, 2530 and 2540 series switches.
“The attack surface for all three vulnerabilities of the Avaya switches is the web management portal and none of the vulnerabilities require any type of authentication, making it a zero-click vulnerability group,” said Hadad.
The Avaya switch vulnerabilities are:
- CVE-2022-29860 (9.8 CVSS score) – TLS reassembly heap overflow.
The POST request handler does not validate NanoSSL return values correctly, leading to a heap overflow allowing RCE. - CVE-2022-29861 (9.8 CVSS score) – HTTP header parsing stack overflow.
An improper boundary check on multi-part form data along with a string which is not null-terminated leads to an attacker-controlled stack overflow which could allow RCE. - HTTP POST request handling heap overflow (no CVE assigned as this only affects discontinued products, which Avaya will not patch and has not disclosed – although Armis notes affected devices remain in use)
"Avaya doesn't share the models of the discontinued devices. My recommendation for users of discontinued Avaya product is to assume that their switches are vulnerable," Hadad told The Stack.
Updated firmware for ERS 4900/5900 series devices is available now. Patched firmware for ERS 3500 devices will arrive by the second half of May, and firmware for ERS 3600 devices by the second half of July.
The Aruba switch vulnerabilities are:
- CVE-2022-23677 (9.0 CVSS score) – NanoSSL misuse on multiple interfaces (RCE).
The TLS connection made using NanoSSL is not secure, and can lead to captive portal takeover, or MITM interception of a RADIUS connection leading to RCE. - CVE-2022-23676 (9.1 CVSS score) – RADIUS client memory corruption vulnerabilities.
A malicious RADIUS server, or an attacker with access to the RADIUS shared secret, could force a heap overflow, allowing code to be remotely executed on the switch.
Firmware patching CVE-2022-23676 is available for most Aruba devices, with patches for ArubaOS-Switch 15.16.xxxx and 16.04.xxxx pending.
Currently patches mitigating CVE-2022-23677 are “pending” according to Aruba’s advisory.
Other than patching the Avaya and Aruba switch vulnerabilities, Armis recommends actively monitoring networks for anomalous behaviour, and limiting the attack surface by blocking exposure of management portals to guest networks, or limiting it to a dedicated management port.
Aruba owner HPE told The Stack it would have a patch ready "as soon as possible".
A HPE spokesperson said: "HPE is aware of this issue, which impacts a limited number of switch models and firmware versions, and is working on a firmware update to address it. In the interim, we are advising customers using affected products to implement firewall controls to protect themselves. We are not aware of any exploitation of this vulnerability involving Aruba customers."
A spokesperson for Extreme Networks, owner of the Avaya networking business, said: “Once the vulnerability was discovered we worked quickly to provide a patch to protect our customers. Customers are protected if they upgrade to BOSS 7.9.2. Additional Patches are scheduled to be released later this month and in July for the products listed on the Security Notices. The patch will mitigate the risk of the vulnerability but we’d advise customers to maintain best practices across their network, including limiting and controlling what devices and IPs can get to switches over HTTP/HTTPS.”
Updated on 5 May 2022 to add statement from Extreme Networks.
