RCE vulnerabilities found in Avaya, Aruba network switches

Five critical vulnerabilities in Aruba and Avaya network switches are capable of remote code execution, according to new Armis research published Tuesday.

IoT security vendor Armis dubbed the series of flaws "TLStorm 2.0," referring to the fact that the misuse of a TLS library -- NanoSSL -- is the root cause of them. All five are critical; two (CVE-2022-23677 and CVE-2022-23676) affect Aruba network switches, and three (CVE-2022-29860, CVE-2022-29861 and a third that lacks a CVE) affect Avaya switches.

Armis, which discovered the flaws, detailed all five in a technical blog post. The vendor previously discovered the TLStorm series of vulnerabilities, which could be exploited via a malicious TLS packet to ignite APC Smart-UPS devices.

Barak Hadad, head of research in engineering at Armis, wrote in the blog post that TLStorm 2.0 resulted from the discovery that the NanoSSL flaws originally found in TLStorm also affected other vendors.

"The root cause for these vulnerabilities was flaws in NanoSSL library, that were applicable when certain guidelines were not properly followed by the vendor using the library," Hadad wrote. "The vulnerabilities themselves lay within the glue-logic -- the code that glues together the vendor logic and the NanoSSL library. When this code fails to adhere to certain guidelines specified in the NanoSSL manual, an edge case that leads to remote code execution can arise."

Though the ways the Aruba and Avaya vulnerability subsets work slightly differ, both allow an attacker to break network segmentation and execute code remotely.

For example, Aruba's flaws include a memory corruption vulnerability and one that enables an attacker to escape a network's captive portal. Avaya's, meanwhile, are zero-click vulnerabilities that use the web management portal to enable threat actor-controlled stack overflow and heap overflow.

One of the Avaya vulnerabilities was not given a CVE because it was found in a discontinued product line. But Hadad noted in his post that "Armis data shows these devices can still be found in the wild."

Affected Aruba devices include the 5400R, 3810, 2920, 2930F, 2930M, 2530 and 2540 series. For Avaya products, which are now owned by Extreme Networks, the ERS3500, ERS3600, ERS4900 and ERS5900 series are affected by TLStorm 2.0. Patches are available for all affected devices except the discontinued Avaya line.

Hadad told SearchSecurity that it was "not too hard to develop an exploit" for the vulnerabilities, though it depends on the network switch model.

"The exploitability depends on the specific model and specific configuration," he said. "For example, in the case of the Aruba switches, the user can block the management portal on some of the switch ports and limit the attack surface significantly."

Armis said in a press release that to the best of its knowledge, there is "no indication" of TLStorm 2.0 flaws being exploited in the wild. A spokesperson for Aruba parent company Hewlett Packard Enterprise likewise told SearchSecurity there was no indication of exploitation.

Alexander Culafi is a writer, journalist and podcaster based in Boston.