TLStorm 2.0 lets attackers escape a captive portal to take control of a switch.
Millions of network switches under the Aruba Networks and Avaya brands are vulnerable to a suite of heap overflow vulnerabilities discovered by researchers working for Armis.
Armis is the same organisation that recently discovered UPSs were vulnerable to what it dubbed TLStorm.
The switch vulnerabilities have the same ultimate source as TLStorm: the devices inherit bugs from the misuse of the Mocana NanoSSL library.
Aruba Networks is now an HPE company, while Avaya’s networking business was acquired by Extreme Networks in 2017*.
In its advisory, Armis said attackers can get remote code execution and full takeover of target devices.
That leads to breaking network segmentation, changing switch behaviour, data exfiltration, and captive portal escape.
“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation can no longer be considered a sufficient security measure”, the advisory said.
Armis has a detailed technical post about “TLStorm 2.0” here, in which the company’s head of research in engineering Barak Hadad says millions of devices might be affected.
Aruba, Avaya respond
Aruba’s advisory explains its exposure is not only to the NanoSSL vulnerability (designated CVE-2022-23677) but also a Radius bug (CVE-2022-23676).
The company said both vulnerabilities requires the attacker to control a source of RADUIS access challenge messages, through which they would interact with the switch.
“Because of this, exploitation of these vulnerabilities would most likely occur as part of an attack chain building upon previous exploitation of customer controlled infrastructure”, the advisory states.
Affected switch models are the Aruba 5400R. 3810, 2920, 2930F, 2930M, 2530, and 2540, running various versions of the ArubaOS-Switch operating system.
Patched firmware is starting to ship for the RADIUS bug, and is expected soon for the NanoSSL bug.
Extreme Networks has issued two advisories as a result of the Armis work.
CVE-2022-29860 covers the TLS heap overflow, present in products using its BOSS operating system.
“The vulnerability is a heap overflow in the caller of the TLS packet reassembly code. Due to improper error handling, situations exist where this can lead to a heap overflow condition and potential remote code execution (RCE)”, the advisory states.
These are the ERS 4900/5900 switch (fixed), the ERS 3600 (fix coming in the second half of July 2022), and the ERS 3500 (fix coming later in May).
The other vulnerability, CVE-2022-29861, affects the same switches and has the same patch timeline.
“The vulnerability is a stack overflow in the HTTP Header parsing code in the webserver. The stack overflow condition can lead to a potential remote code execution (RCE)”, Extreme’s advisory states.
*Corrected: this article originally stated that Avaya was acquired by Extreme last year.