Threat Alert

by IthacaLabs™

THREAT LEVEL/Critical 04/05/2022

New Severe Vulnerabilities found in millions of Aruba and Avaya Switches

Threat Level Description

Threat Level: Critical – An attack is expected imminently. Maximum protective security measures to meet specific threats and to minimize vulnerability and risk. Critical may also be used if a terrorist attack is expected seeking to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the economy, and damage public morale and confidence.

Description

These vulnerabilities could allow an unauthenticated remote attacker to break of network segmentation, allowing lateral movement to additional devices by changing the behavior of the switch. Also, the attacker, by exploiting these issues could perform data exfiltration of corporate network traffic or sensitive information, from the internal network to the Internet, and/or escape the “Captive Portal”, the web page that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources.

The new set of flaws, named TLStorm 2.0, renders Aruba and Avaya network switches vulnerable to remote code execution, enabling an adversary to commandeer the devices, break network segmentation, move laterally across the network and exfiltrate sensitive data. Some of the vulnerabilities can be triggered with no authentication and user interaction, and that’s the reason they’re considered severe.

The “CVE-2022-23677” Aruba vulnerability exists due to a weakness in “NanoSSL”, a popular library by “Mocana” for the network security protocol (TLS), that can be exploited via a captive portal.

The second Aruba flaw, “CVE-2022-23676” is a RADIUS client memory-corruption vulnerability that it is possible to overflow heap memory in order to achieve remote-code execution. RADIUS is an authentication, authorization, and accounting client-server protocol that can be used to gain access to a network service.

The Avaya vulnerability “CVE-2022-29860” is a TLS reassembly heap overflow vulnerability that can lead to remote code execution. It occurs because the process handling POST requests on the webserver doesn’t properly validate “NanoSSL” return values.

The second Avaya bug “CVE-2022-29861” can lead to a stack overflow, during HTTP header parsing, which can be exploited to run arbitrary malicious code, remotely, on the switch. This vulnerability, is caused due to an improper boundary check in the handling of multipart form data combined with a string that is not null-terminated.

Lastly, the third Avaya vulnerability occurs in the handling of HTTP POST requests. The NanoSSL library doesn’t perform an error check, and this leads to an exploitable heap overflow. A CVE has not been assigned since it occurs in a discontinued Avaya product line. Thus, Avaya won’t be issuing a patch.

It is notable, that none of the three Avaya vulnerabilities require any kind of authentication to exploit.
The TLStorm 2.0 findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure.

CVE(s)

N/A

Affected Systems

  • Aruba devices affected by TLStorm 2.0 include:
  • • Aruba 5400R Series
  • • Aruba 3810 Series
  • • Aruba 2920 Series
  • • Aruba 2930F Series
  • • Aruba 2930M Series
  • • Aruba 2530 Series
  • • Aruba 2540 Series
  • Avaya devices affected by TLStorm 2.0 include:
  • • ERS3500 Series
  • • ERS3600 Series
  • • ERS4900 Series
  • • ERS5900 Series

Recommendation(s)

You should immediately proceed and implement the relevant patches provided respectively from Aruba and Avaya vendors.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution and always have enabled an active event security logging and practice event monitoring. To protect the valuable assets of your business and be compliant with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.

References

Get the latest Threat Alerts in your inbox.