Get in Touch
RCE in Aruba and Avaya network equipment
Researchers at Armis have documented some remote code execution (RCE) exploits against network equipment. The source of the issues is their implementation of the NanoSSL library. The affected devices do not follow the usage recommendations, leading to vulnerabilities.
The two vulnerabilities in Aruba (CVE-2022-23677, CVE-2022-23676) target the RADIUS client. Exploiting these would require the attacker to gain Machine in the Middle (MitM) access or a way to get the client to connect to a malicious RADIUS server.
The Avaya vulnerabilities are in the web management interface, which are simpler to exploit through HTTP requests.
A local network based attacker could take control of network switches, breaking network segmentation.
Aruba 5400R Series
Aruba 3810 Series
Aruba 2920 Series
Aruba 2930F Series
Aruba 2930M Series
Aruba 2530 Series
Aruba 2540 Series
Containment, Mitigations & Remediations
The researchers advise that affected organisations should restrict access to the management interface. That could be through blocking access from the guest network or restricting it to a dedicated management port.
Indicators of Compromise
Armis says affected customers have been notified, and patches that address most of the vulnerabilities have been issued.
T1210 – Exploitation of Remote Services
TLStorm 2 – NanoSSL TLS library misuse leads to vulnerabilities in common switches