Home / About / Threat Intelligence / RCE in Aruba and Avaya network equipment

Overview

Researchers at Armis have documented some remote code execution (RCE) exploits against network equipment. The source of the issues is their implementation of the NanoSSL library. The affected devices do not follow the usage recommendations, leading to vulnerabilities.

The two vulnerabilities in Aruba (CVE-2022-23677, CVE-2022-23676) target the RADIUS client. Exploiting these would require the attacker to gain Machine in the Middle (MitM) access or a way to get the client to connect to a malicious RADIUS server.

The Avaya vulnerabilities are in the web management interface, which are simpler to exploit through HTTP requests.

Impact

A local network based attacker could take control of network switches, breaking network segmentation.

Affected Products

Avaya:

ERS3500 Series

ERS3600 Series

ERS4900 Series

ERS5900 Series

Aruba:

Aruba 5400R Series

Aruba 3810 Series

Aruba 2920 Series

Aruba 2930F Series

Aruba 2930M Series

Aruba 2530 Series

Aruba 2540 Series

Containment, Mitigations & Remediations

The researchers advise that affected organisations should restrict access to the management interface. That could be through blocking access from the guest network or restricting it to a dedicated management port.

Indicators of Compromise

None given.

Threat Landscape

Armis says affected customers have been notified, and patches that address most of the vulnerabilities have been issued.

Mitre Methodologies

T1210 – Exploitation of Remote Services

Further Information

TLStorm 2 – NanoSSL TLS library misuse leads to vulnerabilities in common switches