Patch warning issued for Avaya, Aruba switches


Network administrators with certain models of Extreme Networks Avaya and HPE Aruba switches in their environments are urged to update the devices as soon as possible after the discovery of five critical software vulnerabilities.

The problem, dubbed TLStorm 2.0, is in NanoSSL, a popular TLS library by Mocana used in the login web pages displayed to newly-connected users on Wi-Fi or wired networks before they can access network resources. Vulnerabilities in this library affecting APC Smart-UPS power supplies, dubbed TLStorm, were revealed in March.

Exploiting the TLStorm 2.0 vulnerabilities could allow an attacker to take full control over these switches, say researchers at Armis Inc., who discovered the vulnerabilities. They say exploitation of these vulnerabilities can lead to:
  • breaking of network segmentation, allowing lateral movement to additional devices by changing the behavior of the switch
  • data exfiltration of corporate network traffic or sensitive information from the internal network to the internet
  • escape from the web page (also called a captive portal).
Aruba devices affected by TLStorm 2.0 include:
  • Aruba 5400R Series
  • Aruba 3810 Series
  • Aruba 2920 Series
  • Aruba 2930F Series
  • Aruba 2930M Series
  • Aruba 2530 Series
  • Aruba 2540 Series
Avaya devices affected include:
  • ERS3500 Series
  • ERS3600 Series
  • ERS4900 Series
  • ERS5900 Series
Organizations deploying impacted Aruba devices should patch impacted devices immediately with patches in the Aruba Support Portal. Organizations deploying impacted Avaya devices should check security advisories immediately in the Avaya Support Portal.

TLStorm 2.0 and the earlier TLStorm are vulnerabilities in the TLS communications protocols. TLStorm is three vulnerabilities in APC Smart-UPS power supplies made by Schneider Electric.

“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers,” say the Armis researchers, “meaning that network segmentation can no longer be considered a sufficient security measure.”

Armis said the vulnerabilities are:
  • CVE-2022-23677 (9.0 CVSS score) – NanoSSL misuse on multiple interfaces (remote code execution, or RCE). The NanoSSL library is used throughout the firmware of Aruba switches for multiple purposes. In two main use cases, the TLS connection made using the NanoSSL library is not secure and can lead to RCE. First, a user of the captive portal can take control of the switch prior to authentication. Second, a vulnerability in the RADIUS connection handling could allow an attacker who is able to intercept the RADIUS connection via a man-in-the-middle attack to gain RCE over the switch with no user interaction.
  • CVE-2022-23676 (9.1 CVSS score) – RADIUS client memory corruption vulnerabilities. RADIUS is an authentication, authorization, accounting (AAA) client/server protocol that allows central authentication for users who attempt to access a network service. The RADIUS server responds to access requests from network services that act as clients. The RADIUS server checks the information in the access request and responds with authorization of the access attempt, a rejection, or a challenge for more information. There are two memory corruption vulnerabilities in the RADIUS client implementation of the switch; they lead to heap overflows of attacker-controlled data. This can allow a malicious RADIUS server, or an attacker with access to the RADIUS shared secret, to remotely execute code on the switch.
  • CVE-2022-29860 (CVSS 9.8) – TLS reassembly heap overflow. This is a similar vulnerability to CVE-2022-22805 that Armis found in APC Smart-UPS devices. The process handling POST requests on the webserver does not properly validate the NanoSSL return values, resulting in a heap overflow that can lead to remote code execution.
  • CVE-2022-29861 (CVSS 9.8) – HTTP header parsing stack overflow. An improper boundary check in the handling of multipart form data, combined with a string that is not null-terminated, leads to an attacker-controlled stack overflow that may lead to RCE.
  • HTTP POST request handling heap overflow. A vulnerability in the handling of HTTP POST requests due to missing error checks of the Mocana NanoSSL library leads to a heap overflow of attacker-controlled length, which may lead to RCE. This vulnerability has no CVE because it was found in a discontinued Avaya product line, meaning no patch will be issued to fix this vulnerability, though Armis data shows these devices can still be found in the wild.
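The missing return-value check described for CVE-2022-29860 and for the Avaya POST-handling bug, seen from the defender's side in an added example (not code from Armis, Mocana, Aruba or Avaya): a POST-body reassembly loop that validates every receive result before advancing its write offset. The names `tls_recv_fn`, `read_post_body`, `MAX_POST_BODY`, `fake_recv` and `demo` are hypothetical, and the receive callback is a stand-in, not NanoSSL's API.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a TLS library's receive call (not NanoSSL's API):
 * returns bytes written (>0), 0 on close, or a negative error code. */
typedef int (*tls_recv_fn)(void *ctx, unsigned char *buf, size_t cap);
#define MAX_POST_BODY (64 * 1024) /* assumed policy limit */

/* Reassemble exactly len body bytes into *out; 0 on success, -1 on failure. */
int read_post_body(tls_recv_fn rx, void *ctx, size_t len, unsigned char **out)
{
    *out = NULL;
    if (len == 0 || len > MAX_POST_BODY) return -1; /* reject before malloc */
    unsigned char *body = malloc(len);
    if (body == NULL) return -1;
    size_t got = 0;
    while (got < len) {
        size_t room = len - got;          /* never offer more than is left */
        int n = rx(ctx, body + got, room);
        /* Error (<0), early close (0) or an over-long count ends the request;
         * adding an unchecked n to `got` would corrupt the write offset. */
        if (n <= 0 || (size_t)n > room) { free(body); return -1; }
        got += (size_t)n;
    }
    *out = body;
    return 0;
}

/* Constructed transport: serves SAMPLE in chunks, fails after fail_at bytes. */
static const unsigned char SAMPLE[] = "user=a&pass=b123"; /* 16 bytes */
struct fake_tls { size_t pos, chunk; long fail_at; };
static int fake_recv(void *ctx, unsigned char *buf, size_t cap)
{
    struct fake_tls *f = ctx;
    if (f->fail_at >= 0 && f->pos >= (size_t)f->fail_at) return -1;
    size_t n = sizeof SAMPLE - 1 - f->pos;
    if (n > f->chunk) n = f->chunk;
    if (n > cap) n = cap;
    memcpy(buf, SAMPLE + f->pos, n);
    f->pos += n;
    return (int)n;
}

/* Returns 1 if the body was accepted intact, 0 if the request was rejected. */
int demo(size_t len, size_t chunk, long fail_at)
{
    struct fake_tls f = { 0, chunk, fail_at };
    unsigned char *body = NULL;
    if (read_post_body(fake_recv, &f, len, &body) != 0) return 0;
    int ok = memcmp(body, SAMPLE, len) == 0;
    free(body);
    return ok;
}
```

`demo(16, 5, 10)` models a transport error halfway through the body and `demo(20, 5, -1)` a peer that closes before the advertised length arrives; both requests are dropped and the buffer freed.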
The post Patch warning issued for Avaya, Aruba switches first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
