Black Arrow Cyber Advisory 04/05/2022 – Avaya and Aruba Switch Vulnerability
Executive Summary
A set of five vulnerabilities named “TLStorm 2.0” has been discovered, affecting some network switches produced by Aruba and Avaya. The vulnerabilities could allow a malicious party to remotely execute code on the devices, giving access to data flowing through the device or configuration control of the device, which could lead to further attacks.
What’s the risk to me or my business?
Network switches are the backbone of IT infrastructure, allowing data to flow between different devices. These switches also provide the ability to segregate data, such as having separate guest and corporate networks. If exploited, these vulnerabilities could allow a malicious attacker to bypass a guest network and gain access to the corporate network, which exposes corporate infrastructure to further attacks. There is currently evidence these vulnerabilities are being used in the wild.
What can I do?
Confirm with your managed service provider whether affected devices are in use within your organisation, and whether the appropriate patches have been supplied to the devices. It is important to remember all network devices when considering software and firmware patching, not just Windows endpoints. Other mitigation steps include limiting the potential attack surface by denying management portal access on guest network ports or limiting this specifically to a dedicated management port.
Technical Summary
A total of five vulnerabilities affecting Avaya and Aruba switches have been disclosed. Only four of these vulnerabilities were given CVEs, as the fifth vulnerability was only found on a discontinued product line. All the vulnerabilities relate to the NanoSSL library and its implementation by the vendors on the network switches. It’s worth noting that the library itself does not contain the vulnerabilities; they are present because the vendors did not follow the correct implementation guidelines for the library.
Avaya - CVE-2022-29860, CVE-2022-29861
· ERS3500 Series
· ERS3600 Series
· ERS4900 Series
· ERS5900 Series
Aruba - CVE-2022-23677 and CVE-2022-23676
· Aruba 5400R Series
· Aruba 3810 Series
· Aruba 2920 Series
· Aruba 2930F Series
· Aruba 2930M Series
· Aruba 2530 Series
· Aruba 2540 Series
Further details can be found here, under “Technical Overview”: TLStorm 2.0 - Armis