Vulnerabilities in widely used network switches
Armis, the leading provider of a unified platform for asset visibility and security, has disclosed five critical vulnerabilities, collectively known as TLStorm 2.0. They are vulnerabilities in the implementation of TLS communication in several models of network switches. They stem from a design flaw similar to the one behind the TLStorm vulnerabilities (discovered by Armis earlier this year) and extend TLStorm’s reach to millions more enterprise network infrastructure devices.
In March 2022, Armis first disclosed TLStorm: three critical vulnerabilities in Smart-UPS devices from APC. The vulnerabilities allowed an attacker to take control of Smart-UPS devices from the Internet without any user interaction, which could overload the UPS until it eventually destroyed itself in a cloud of smoke. The root cause of these vulnerabilities was a misuse of NanoSSL, a popular TLS library from Mocana. Using the Armis Device Knowledgebase, a database of more than two billion assets, Armis security researchers identified dozens of devices that use Mocana’s NanoSSL library. Among them are not only APC’s Smart-UPS devices but also switches from two popular network switch vendors that are affected by a similar implementation error in the use of the library. While UPS devices and network switches differ in their function and in the degree of trust they hold within the network, the underlying TLS implementation problems can have devastating consequences.
The new TLStorm 2.0 research reveals vulnerabilities that could allow an attacker to take complete control of network switches used in airports, hospitals, hotels and other organizations around the world. The affected manufacturers are Aruba (acquired by HPE) and Avaya Networking (acquired by Extreme Networks). The researchers found switches from both manufacturers that are vulnerable to remote code execution (RCE) exploitable over the network, which enables the following:
- Breaking network segmentation, so that an attacker who changes the switch behavior can spread to other devices
- Exfiltration of corporate network traffic or sensitive information from the internal network to the Internet
- Escape from the captive portal
These findings are noteworthy because they make clear that the network infrastructure itself is at risk and can be exploited by attackers. This in turn means that network segmentation alone is no longer sufficient as a security measure.
Barak Hadad, Head of Research at Armis
“The security research at Armis is driven by a simple goal: to identify emerging security threats in order to provide our customers with continuous protection in real time,” says Barak Hadad, Head of Research at Armis. “The TLStorm vulnerabilities are a prime example of threats to assets that were previously not visible to most security solutions and show that network segmentation is no longer sufficient and proactive network monitoring is essential. Armis security researchers will continue to investigate assets in all environments to ensure that our knowledge base of more than two billion assets provides all our partners and customers with the latest threat defenses.”
A captive portal is the web page displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a login page that requires authentication, payment, or other valid credentials that both the host and the user agree to. Captive portals gate access to a wide range of mobile and pedestrian broadband services, including wired and commercially provided Wi-Fi and home hotspots, as well as wired networks in enterprises or private homes, for example in apartment complexes, hotel rooms and business centers.
By exploiting the TLStorm 2.0 vulnerabilities, an attacker can abuse the captive portal and gain remote code execution on the switch without any authentication. Once the attacker controls the switch, they can disable the captive portal entirely and move laterally into the corporate network.
Vulnerability details and affected device types
- CVE-2022-23677 (CVSS Score 9.0) – NanoSSL misuse on various interfaces (RCE)
- The NanoSSL library mentioned above is used in the firmware of Aruba switches for several purposes. There are two main use cases in which the TLS connection made with the NanoSSL library is not properly secured and can lead to RCE:
- Captive Portal – A user of the captive portal can take control of the switch before authenticating.
- RADIUS Authentication Client – A flaw in the validation of the RADIUS connection could allow an attacker to intercept the RADIUS connection via a man-in-the-middle attack and obtain RCE on the switch without user interaction.
- CVE-2022-23676 (CVSS Score 9.1) – RADIUS Client Memory Corruption Vulnerabilities
- RADIUS is a client/server authentication, authorization, and accounting (AAA) protocol that enables centralized authentication of users attempting to access a network service. The RADIUS server responds to access requests from network services that act as its clients: it checks the information in the access request and responds by approving the access attempt, rejecting it, or requesting further information.
- There are two memory corruption vulnerabilities in the RADIUS client implementation of the switch; both lead to attacker-controlled heap overflows. This can allow a malicious RADIUS server, or an attacker with access to the shared RADIUS secret, to remotely execute code on the switch.
Aruba devices affected by TLStorm 2.0:
- Aruba 5400R Series
- Aruba 3810 Series
- Aruba 2920 Series
- Aruba 2930F Series
- Aruba 2930M Series
- Aruba 2530 Series
- Aruba 2540 Series
Vulnerabilities in the Avaya Management Interface before authentication
The attack surface for all three vulnerabilities in the Avaya switches is the web management portal, and none of them requires any kind of authentication, which makes them a zero-click vulnerability group.
- CVE-2022-29860 (CVSS Score 9.8) – TLS Reassembly Heap Overflow
- This vulnerability is similar to CVE-2022-22805, which Armis found in APC Smart-UPS devices. The process that handles POST requests on the web server does not validate the NanoSSL return values properly, resulting in a heap overflow that can lead to remote code execution.
- CVE-2022-29861 (CVSS Score 9.8) – HTTP Header Parsing Stack Overflow
- Improper bounds checking when handling multipart form data, combined with a non-null-terminated string, results in an attacker-controlled stack overflow that can lead to RCE.
- HTTP POST Request Handling Heap Overflow
- A vulnerability in the handling of HTTP POST requests, caused by missing error checks on the return values of the Mocana NanoSSL library, leads to a heap overflow with an attacker-controlled length, which can lead to RCE. This vulnerability has no CVE because it was found in a discontinued Avaya product line. This means that no patch will be issued to fix it, although Armis data shows that these devices can still be found in the wild.
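The two Avaya POST-handling bugs above share one root cause: a TLS read's return value is used as a copy length without checking whether it is an error code. The following is an added illustration of that pattern and its hardened form, written for this article and not code from Armis, Avaya or Mocana; the NanoSSL-style read function, its error codes and the request body are constructed stand-ins, not the real library API.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a NanoSSL-style read (not the real API): returns
 * bytes read (>0), 0 when the peer closed, or a negative error code. */
enum { TLS_ERR_WANT_READ = -1, TLS_ERR_FATAL = -2 };

typedef struct {
    const unsigned char *data; size_t len, pos;  /* constructed plaintext */
    int fail_after;               /* successful reads before a fatal error */
} fake_conn;

static int fake_tls_read(fake_conn *c, unsigned char *out, size_t cap) {
    if (c->fail_after-- <= 0) return TLS_ERR_FATAL;
    size_t left = c->len - c->pos, n = left < cap ? left : cap;
    if (n == 0) return 0;
    memcpy(out, c->data + c->pos, n);
    c->pos += n;
    return (int)n;
}
/* Vulnerable pattern: the return code is used as the copy length with no
 * sign check, so an error code cast to size_t becomes an enormous length
 * and the following memcpy overflows the heap. Returned here, not copied. */
size_t unchecked_copy_len(int rc) { return (size_t)rc; }
/* Hardened reassembly: the declared length is checked against the buffer,
 * every return code is checked for error or early close, and each chunk is
 * bounded by what remains. Returns bytes assembled, or -1 on any failure. */
long reassemble_body_checked(fake_conn *c, unsigned char *out, size_t cap,
                             size_t content_length) {
    unsigned char chunk[32]; size_t total = 0;
    if (content_length > cap) return -1;          /* declared length too big */
    while (total < content_length) {
        size_t want = content_length - total;
        if (want > sizeof chunk) want = sizeof chunk;
        int rc = fake_tls_read(c, chunk, want);
        if (rc <= 0) return -1;                   /* error or truncated body */
        if ((size_t)rc > want) return -1;         /* library returned too much */
        memcpy(out + total, chunk, (size_t)rc);
        total += (size_t)rc;
    }
    return (long)total;
}
/* Scenario driver: a constructed body of stream_len 'A' bytes (<= 256). */
long run_scenario(size_t stream_len, int fail_after, size_t content_length, size_t cap) {
    static unsigned char stream[256], out[256];
    if (stream_len > sizeof stream || cap > sizeof out) return -1;
    memset(stream, 'A', sizeof stream);
    fake_conn c = { stream, stream_len, 0, fail_after };
    return reassemble_body_checked(&c, out, cap, content_length);
}
```

The same check, rejecting any non-positive return code before it is used as a length, is the fix pattern that applies to the Aruba captive-portal and RADIUS paths as well.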
Avaya devices affected by TLStorm 2.0:
- ERS3500 Series
- ERS3600 Series
- ERS4900 Series
- ERS5900 Series
Updates and remedies
Aruba and Avaya have been working with Armis on this matter; customers have been notified and have received patches that fix most of the vulnerabilities. To Armis’ knowledge, there is no evidence that the TLStorm 2.0 vulnerabilities have been exploited. Companies using affected Aruba devices should immediately apply the patches available from the Aruba Support Portal. Companies using affected Avaya devices should immediately consult the security advisories in the Avaya Support Portal. Armis customers can immediately identify which devices in their environments are vulnerable and begin remediation.