Five critical remote code execution vulnerabilities in millions Aruba and Avaya devices can be exploited by cybercriminals to take full control of network switches commonly used in airports, hospitals, and hotels, according to Armis researchers.

The security firm discovered the bugs, collectively called TLStorm 2.0, and said they stem from insecurities in NanoSSL, a TLS library developed by Mocana that’s used in the vulnerable network equipment.

“Some of the vulnerabilities can be triggered with no authentication, no user interaction, and that’s why they’re so severe,” Armis’ head of research Barak Hadad told The Register.

The flaws are said to affect about 10 million devices across HPE’s Aruba and Extreme Networks’ Avaya switching portfolio, and have severity scores ranging from 9.0 to 9.8 out of 10. If exploited, miscreants can abuse these vulnerabilities to change the behavior of a switch, move laterally to other devices, potentially steal corporate data, and so on.

Armis security researchers aren’t aware of any in-the-wild exploits, and they worked quickly with both vendors to develop software fixes for the bugs. 

TLStorm 2.0 follows the discovery and patching of TLStorm: three critical vulnerabilities said to be in millions of Schneider Electric APC Smart-UPS products. Armis publicly disclosed that vulnerability family last month. In addition to the usual nefarious activities, such as exfiltrating sensitive data from connected devices or deploying malware on the network, exploiting TLStorm on APC UPS machines could result in power outages.

Besides the ones named so far, Hadad expects to find more vulnerable devices relying on NanoSSL.

“We know that Avaya, Aruba, and APC are vulnerable. And we’ve been working with them to make sure that their devices will not be vulnerable in the future,” he said. “But I’m pretty sure there are other vendors that are vulnerable to this.”

Exploiting captive portals

Captive portals are the webpages you usually see the first time you try to connect to a Wi-Fi or wired network at an airport, hotel, hospital, business center, and so on. These may require authentication, payment, or some type of user agreement before providing access to the internet and other services.

When the vulnerable network equipment uses NanoSSL to present a captive portal, criminals can exploit the TLStorm 2.0 vulnerabilities to gain remote code execution, with no need for authentication. And once they control that switch hardware, they can disable the captive portal as well as explore the network for systems to attack, Hadad explained.

One of the Aruba vulnerabilities, CVE-2022-23677, which received a 9.0 out of 10 CVSS score is due to a weakness in NanoSSL that can be exploited via a captive portal. A second Aruba flaw, CVE-2022-23676, is a RADIUS client memory-corruption vulnerability; it is possible to overflow heap memory via this bug to achieve remote-code execution. It received a 9.1 CVSS score. RADIUS is an authentication, authorization, and accounting client-server protocol that can be used to gain access to a network service.

Aruba devices affected by TLStorm 2.0 include:

• Aruba 5400R Series
• Aruba 3810 Series
• Aruba 2920 Series
• Aruba 2930F Series
• Aruba 2930M Series
• Aruba 2530 Series
• Aruba 2540 Series

Organizations deploying vulnerable Aruba products should patch impacted devices immediately.

Avaya pre-auth vulns

Meanwhile, the attack surface for the Avaya switches is the web management portal, and none of its three vulnerabilities require any kind of authentication to exploit.

“These are zero-click vulnerabilities that can be exploited over the network with no user interaction,” Hadad said. 

CVE-2022-29860, which received a CVSS score of 9.8, is a TLS reassembly heap overflow that can lead to remote code execution. It occurs because the process handling POST requests on the webserver doesn’t properly validate NanoSSL return values.

The second critical Avaya bug, CVE-2022-29861, can lead to a stack overflow during HTTP header parsing, which can be exploited to run arbitrary malicious code remotely on the switch. This vuln, which also received a 9.8 CVSS score, is due to an “improper boundary check in the handling of multipart form data combined with a string that is not null-terminated,” Armis explained.

And finally the third Avaya vulnerability occurs in the handling of HTTP POST requests. The NanoSSL library doesn’t perform an error check, and this leads to an exploitable heap overflow. This one doesn’t have a CVE because it occurs in a discontinued Avaya product line. Because it’s discontinued, Avaya won’t be issuing a patch, and Armis says these devices are still being used.

Avaya devices affected by TLStorm 2.0 include:

• ERS3500 Series
• ERS3600 Series
• ERS4900 Series
• ERS5900 Series

Organizations can check Extreme’s security advisory page for more information about patches for impacted Avaya devices. ®