Armis researchers discovered five critical vulnerabilities in widely used switches from Aruba and Avaya. More than ten product series contain vulnerable implementations of the Transport Layer Security protocol. Some of the vulnerabilities allow attackers to take over switches without any authorization.
Transport Layer Security (TLS) is a cryptographic protocol that encrypts communication between applications over a network. Manufacturers and developers implement the protocol to guarantee security. Sometimes, implementations guarantee the opposite. Armis researchers found five critical vulnerabilities in the TLS implementations of Aruba and Avaya switches.
The vulnerabilities allow attackers to achieve remote code execution (RCE) on a switch. Most of the vulnerabilities can be exploited without any form of authorization. As a result, the most serious vulnerabilities received a rare CVSS score of 9.8.
The vulnerabilities can be found in the following Avaya product series: ERS3500, ERS3600, ERS4900 and ERS5900. Aruba’s list is as follows: 5400R, 3810, 2920, 2930F, 2930M, 2530 and 2540. If your organization is working with one of these models, we urge you to navigate to the Aruba Support Portal or Avaya Support Portal as soon as possible. Armis worked with Aruba and Avaya to patch the vulnerabilities.
One of the vulnerabilities stems from a sloppy implementation of NanoSSL, a library for TLS. Aruba and Avaya use NanoSSL in drivers to connect switches to guest users. By guest users, we mean users who connect to a WiFi network for the first time and log in via a welcome page, also known as a ‘captive portal’. Think of public WiFi in trains or guest networks in offices. Although NanoSSL is supposed to encrypt traffic, its implementation fell short.
Armis named the vulnerabilities TLStorm 2.0, a sequel to TLStorm. TLStorm came to light in March, when Armis announced it had found three vulnerabilities in APC Smart-UPS devices, which provide emergency power to network devices. Those vulnerabilities also involved vulnerable TLS implementations, this time in APC's models. The research laid the groundwork for the discovery of TLStorm 2.0.