RCE in Aruba and Avaya network equipment
Overview
Researchers at Armis have documented some remote code execution (RCE) exploits against network equipment. The issues stem from how the affected devices implement the NanoSSL library: they do not follow the library's usage recommendations, which leads to vulnerabilities.
The two Aruba vulnerabilities (CVE-2022-23677, CVE-2022-23676) target the RADIUS client. Exploiting them would require the attacker to gain Machine in the Middle (MitM) access or to find a way to get the client to connect to a malicious RADIUS server.
The Avaya vulnerabilities are in the web management interface and are simpler to exploit, through HTTP requests.
Impact
An attacker on the local network could take control of network switches, breaking network segmentation.
Affected Products
Avaya:
ERS3500 Series
ERS3600 Series
ERS4900 Series
ERS5900 Series
Aruba:
Aruba 5400R Series
Aruba 3810 Series
Aruba 2920 Series
Aruba 2930F Series
Aruba 2930M Series
Aruba 2530 Series
Aruba 2540 Series
Containment, Mitigations & Remediations
The researchers advise that affected organisations should restrict access to the management interface. That could be through blocking access from the guest network or restricting it to a dedicated management port.
Indicators of Compromise
None given.
Threat Landscape
Armis says affected customers have been notified, and patches that address most of the vulnerabilities have been issued.
Mitre Methodologies
T1210 – Exploitation of Remote Services
Further Information
TLStorm 2 – NanoSSL TLS library misuse leads to vulnerabilities in common switches