[ad_1]
Security researchers have discovered five vulnerabilities in Aruba (owned by HP) and Avaya (owned by ExtremeNetworks) networking equipment, which could allow malicious actors to remotely execute code on the devices.
The damage caused by a successful attack ranges from a data breach and complete device takeover to lateral movement and defeat of network segmentation defenses.
Security researchers at cybersecurity firm Armis, which specializes in connected devices, dubbed the set of vulnerabilities “TLStorm 2.0,” as the discovery falls into the same class of problems as the misuse of the NanoSSL TLS library, which reported on the popular APC UPS models.
The analysts found that devices from other vendors have identical security risks and provided a list of affected products:
- Avaya ERS3500
- Avaya ERS3600
- Avaya ERS4900
- Avaya ERS5900
- Aruba 5400R Series
- Aruba 3810 Series
- Aruba 2920 Series
- Aruba 2930F Series
- Aruba 2930M Series
- Aruba 2530 Series
- Aruba 2540 Series
External libraries on switches
Network switches are common fixtures in corporate networks, helping enforce segmentation, a security practice that’s critical these days in larger environments.
Its function is to act as a network bridge, connecting devices to the network and using packet switching and MAC addresses to receive and forward data to the destination device.
Using external libraries is often a convenient and cheap solution, but sometimes this leads to implementation errors and security issues.
This practice motivates hackers to investigate these small building blocks to find potentially exploitable flaws.
In the case of TLStorm 2.0, the cause of the problem is that the “sticker logic” code used by providers does not comply with NanoSSL guidelines, leading to possible RCE (remote code execution).
In Aruba, NanoSSL is used for the Radius authentication server and also for the captive portal system. The way it has been implemented can lead to attacker data spills.
In Avaya, the library implementation has three flaws, a TLS reassembly heap overflow, an HTTP header parsing stack overflow, and an HTTP POST request handling overflow.
Problems arise from missing error checks, missing validation steps, and incorrect bounds checks.
These problems are not with the library itself, but with the way the vendor implemented it.
attack scenarios
Armis presents two main exploitation scenarios that allow escaping a captive portal or breaking network segmentation, both opening the way for high-impact cyberattacks.
In the captive portal scenario, the attacker accesses a web page from a limited network resource that requires authentication, payment, or some other form of access token. These captive portals are typically found in hotel networks, airports, and business centers.
By exploiting TLStorm 2.0, the attacker can remotely execute code on the switch, bypassing captive portal restrictions or even disabling it altogether.
In the second scenario, an attacker can use the vulnerabilities to break network segmentation and gain access to any part of the IT network, moving freely from the “guest” space to the “corporate” segment.
Remediation
Armis informed Aruba and Avaya about the TLStorm 2.0 vulnerabilities three months ago and collaborated with them on a technical level.
Threat analysts told BleepingComputer that affected customers have been notified and patches have been issued that address most of the vulnerabilities.
Additionally, Armis told us that they are not aware of the TLStorm 2.0 vulnerabilities being exploited.
[ad_2]