
Avaya Networking and Aruba Switches Vulnerable to TLStorm 2.0



Summary

TLStorm 2.0 is a new set of 5 vulnerabilities in the implementation of TLS communications in multiple switch product lines from Avaya and Aruba, which could allow RCE


Threat details

Introduction

In March 2022, three vulnerabilities were found by Armis researchers in APC Smart-UPS devices and collectively named TLStorm (Cyber Alert CC-4050). These vulnerabilities centred on the misuse of a TLS library called NanoSSL.

Armis researchers discovered that Avaya and Aruba switches are open to the same misuse of the NanoSSL library and found five new critical vulnerabilities, collectively referred to as TLStorm 2.0. A remote, unauthenticated attacker could exploit these vulnerabilities to achieve remote code execution.


Vulnerability details

Affecting Avaya switches - web management portal

  • CVE-2022-29860 (9.8 CVSS score) – TLS reassembly heap overflow. The process handling POST requests on the web server does not properly validate the NanoSSL return values, resulting in a heap overflow that can lead to remote code execution.
  • CVE-2022-29861 (9.8 CVSS score) – HTTP header parsing stack overflow. An improper boundary check in the handling of multipart form data, combined with a string that is not null-terminated, leads to an attacker-controlled stack overflow that may lead to RCE.

  • HTTP POST request handling heap overflow. A vulnerability in the handling of HTTP POST requests, due to missing error checks of the Mocana NanoSSL library return values, leads to a heap overflow of attacker-controlled length, which may lead to RCE. This vulnerability has no CVE because it was found in a discontinued Avaya product line, meaning no patch will be issued for it.
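The two heap overflows above (CVE-2022-29860 and the unnumbered POST handling bug) share one root cause: a TLS library call that returns either a byte count or a negative error code, whose result the caller treats as a length without checking its sign. The following is an added illustration of that bug class and of the check that closes it; it is constructed example code, not Avaya, Armis or Mocana code, and stub_tls_read together with its error codes are stand-ins, not the NanoSSL API.

```c
/* Added example (not vendor or Armis code): the "unchecked TLS return
 * value used as a copy length" bug class behind the TLS reassembly heap
 * overflows, beside a hardened reassembly step. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define TLS_ERR_INCOMPLETE (-1)  /* constructed: more data needed */
#define TLS_ERR_BAD_RECORD (-2)  /* constructed: record failed validation */
#define APP_ERR_NO_SPACE   (-3)  /* constructed: reassembly buffer full */

/* Stand-in for the library's record-read call: copies wire_len bytes
 * into out and returns the byte count, or a negative error code. */
static int stub_tls_read(const unsigned char *wire, int wire_len,
                         unsigned char *out, size_t out_cap)
{
    if (wire == NULL || wire_len < 0) return TLS_ERR_BAD_RECORD;
    if ((size_t)wire_len > out_cap)   return TLS_ERR_INCOMPLETE;
    memcpy(out, wire, (size_t)wire_len);
    return wire_len;
}

/* The unchecked pattern: the return code is converted straight into a
 * size_t copy length. A negative error code becomes a huge unsigned
 * value, and a memcpy of that many bytes into a fixed heap buffer is the
 * overflow the advisory describes. The value is returned instead of used
 * as a copy length so the wraparound can be observed safely. */
size_t unchecked_copy_length(int rc)
{
    return (size_t)rc;
}

struct reassembly {
    unsigned char *buf;   /* heap buffer accumulating decrypted records */
    size_t cap;
    size_t used;
};

/* Hardened reassembly step: propagate library errors as errors, then
 * bound the copy by the space actually left in the reassembly buffer. */
int append_record_checked(struct reassembly *r,
                          const unsigned char *wire, int wire_len)
{
    unsigned char plain[64];   /* per-record scratch, constructed size */
    int rc = stub_tls_read(wire, wire_len, plain, sizeof plain);
    if (rc < 0)
        return rc;                     /* library error is not a length */
    if ((size_t)rc > r->cap - r->used)
        return APP_ERR_NO_SPACE;       /* would overrun the heap buffer */
    memcpy(r->buf + r->used, plain, (size_t)rc);
    r->used += (size_t)rc;
    return rc;
}

int main(void)
{
    unsigned char storage[16] = {0};
    struct reassembly r = { storage, sizeof storage, 0 };
    const unsigned char rec[] = "GET /x";   /* constructed record payload */

    printf("good record: rc=%d used=%zu\n",
           append_record_checked(&r, rec, 6), r.used);
    printf("bad record:  rc=%d used=%zu\n",
           append_record_checked(&r, NULL, 5), r.used);
    printf("unchecked length for error -1: %zu\n", unchecked_copy_length(-1));
    return 0;
}
```

The point to take from the hardened version is that both checks are needed: the sign check stops an error code from being interpreted as a length, and the remaining-capacity check stops a legitimate but oversized record from running past the buffer.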

Affecting Aruba switches

  • CVE-2022-23677 (9.0 CVSS score) – NanoSSL misuse on multiple interfaces (RCE). The NanoSSL library mentioned above is used throughout the firmware of Aruba switches for multiple purposes. The two main use cases in which the TLS connection made using the NanoSSL library is not secure and can lead to RCE are:

    • Captive portal – A user of the captive portal can take control of the switch prior to authentication.
    • RADIUS authentication client – A vulnerability in the RADIUS connection handling could allow an attacker who is able to intercept the RADIUS connection via a man-in-the-middle attack to gain RCE on the switch with no user interaction.
  • CVE-2022-23676 (9.1 CVSS score) – RADIUS client memory corruption vulnerabilities

    • RADIUS is an authentication, authorization and accounting (AAA) client/server protocol that allows central authentication for users who attempt to access a network service. The RADIUS server responds to access requests from network services that act as clients. The RADIUS server checks the information in the access request and responds with an authorization of the access attempt, a rejection, or a challenge for more information.
    • There are two memory corruption vulnerabilities in the RADIUS client implementation of the switch; they lead to heap overflows of attacker-controlled data. This can allow a malicious RADIUS server, or an attacker with access to the RADIUS shared secret, to remotely execute code on the switch.
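The RADIUS client bugs in CVE-2022-23676 are heap overflows of attacker-controlled data, which in a RADIUS client means attribute lengths from the server's reply being trusted when values are copied into fixed-size buffers. The following is an added example of a defensive attribute walker, not Aruba or Armis code: the packet layout follows RFC 2865 (code, identifier, 2-byte length, 16-byte authenticator, then type/length/value attributes whose length byte covers the type and length bytes), while make_reply_packet, REPLY_MSG_CAP and the parse result codes are constructed for the example.

```c
/* Added example (not vendor or Armis code): a RADIUS reply attribute
 * walker that validates every length before it copies a value. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RADIUS_HDR_LEN 20
#define ATTR_REPLY_MESSAGE 18    /* RFC 2865 attribute type */
#define REPLY_MSG_CAP 32         /* constructed: size of the client's reply buffer */

enum parse_result { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_BAD_LENGTH = -2,
                    PARSE_BAD_ATTR = -3, PARSE_VALUE_TOO_LONG = -4 };

/* Walk the attributes of a received packet, copying the first
 * Reply-Message into msg (NUL-terminated). Returns PARSE_OK with the
 * attribute count in *count, or a negative parse_result. */
int radius_parse_reply(const uint8_t *pkt, size_t got,
                       char *msg, size_t msg_cap, size_t *count)
{
    int have_msg = 0;
    *count = 0;
    if (msg_cap == 0) return PARSE_VALUE_TOO_LONG;
    msg[0] = '\0';
    if (got < RADIUS_HDR_LEN) return PARSE_SHORT;

    size_t declared = ((size_t)pkt[2] << 8) | pkt[3];
    /* The declared length must be at least a header and must not claim
     * more bytes than were actually received. */
    if (declared < RADIUS_HDR_LEN || declared > got) return PARSE_BAD_LENGTH;

    size_t off = RADIUS_HDR_LEN;
    while (off < declared) {
        if (declared - off < 2) return PARSE_BAD_ATTR;   /* no room for type+length */
        uint8_t type = pkt[off], len = pkt[off + 1];
        /* The length byte is attacker-controlled: it must cover its own
         * two header bytes and must not run past the end of the packet. */
        if (len < 2 || len > declared - off) return PARSE_BAD_ATTR;
        size_t vlen = (size_t)len - 2;
        if (type == ATTR_REPLY_MESSAGE && !have_msg) {
            /* An unchecked client would memcpy vlen bytes here. */
            if (vlen >= msg_cap) return PARSE_VALUE_TOO_LONG;
            memcpy(msg, pkt + off + 2, vlen);
            msg[vlen] = '\0';
            have_msg = 1;
        }
        (*count)++;
        off += len;
    }
    return PARSE_OK;
}

/* Build a minimal Access-Accept carrying one Reply-Message. Constructed
 * test input, not a real server reply. Returns the packet length, or 0. */
size_t make_reply_packet(uint8_t *out, size_t out_cap, const char *text)
{
    size_t tlen = strlen(text);
    size_t total = RADIUS_HDR_LEN + 2 + tlen;
    if (tlen > 253 || total > out_cap) return 0;
    memset(out, 0, RADIUS_HDR_LEN);          /* zero authenticator for the example */
    out[0] = 2;                               /* Access-Accept */
    out[1] = 7;                               /* identifier */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xff);
    out[RADIUS_HDR_LEN] = ATTR_REPLY_MESSAGE;
    out[RADIUS_HDR_LEN + 1] = (uint8_t)(2 + tlen);
    memcpy(out + RADIUS_HDR_LEN + 2, text, tlen);
    return total;
}

int main(void)
{
    uint8_t pkt[300];
    char msg[REPLY_MSG_CAP];
    size_t n, count;

    n = make_reply_packet(pkt, sizeof pkt, "welcome");
    printf("good: %d msg=\"%s\" attrs=%zu\n",
           radius_parse_reply(pkt, n, msg, sizeof msg, &count), msg, count);

    pkt[RADIUS_HDR_LEN + 1] = 0xff;   /* tamper: attribute claims 255 bytes, packet holds 9 */
    printf("bad attribute length: %d\n",
           radius_parse_reply(pkt, n, msg, sizeof msg, &count));

    char longtext[100];
    memset(longtext, 'A', 99);
    longtext[99] = '\0';
    n = make_reply_packet(pkt, sizeof pkt, longtext);
    printf("value larger than buffer: %d\n",
           radius_parse_reply(pkt, n, msg, sizeof msg, &count));
    return 0;
}
```

Authenticator verification against the shared secret is deliberately outside this example; note that the advisory's attacker model includes a party holding that secret, so length validation must hold even for replies that authenticate correctly.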

Remediation advice

Affected organisations should consult their suppliers or obtain security updates through the relevant support portal.


Remediation steps

Type    Step
Patch   Aruba Support Portal: https://asp.arubanetworks.com/
Patch   Avaya Networking Support Portal: https://extremeportal.force.com/ExtrSupportHome

Last edited: 5 May 2022 3:27 pm