TLStorm 2.0 Flaws Leave Aruba, Avaya Switches Vulnerable
A handful of vulnerabilities in the implementation of TLS communications in Aruba and Avaya switches extend TLStorm flaws first discovered in March to millions of enterprise-grade network infrastructure devices.
By exploiting these latest five vulnerabilities, miscreants can take over Smart-UPS devices via the internet without the benefit of user interaction, making “the UPS literally go up in smoke,” according to Armis, which discovered the most recent flaws as well as those disclosed in March.
Researchers identified dozens of devices using Mocana NanoSSL, including devices from Aruba and Avaya, that are affected by the same misuse of the NanoSSL library. These switches are susceptible to remote code execution (RCE) vulnerabilities, called TLStorm 2.0, exploited over the network.
If attackers exploited the flaws, they could break network segmentation and allow “lateral movement to additional devices by changing the behavior of the switch” as well as exfiltrate data from corporate network traffic or data from internal networks to the internet. Exploitation also can result in captive portal escape,”Armis researchers said.
Significantly, “network segmentation alone is no longer sufficient as a security measure,” Armis researchers wrote in a blog post.
The vulnerabilities are particularly problematic because they are found in the TLS layers, expanding their potential reach and impact. When the TLS layer “is found to contain critical vulnerabilities, all applications that utilize it may become vulnerable as well,” the researchers said, as “was the case in 2012, when the Heartbleed vulnerability was discovered—a critical vulnerability in OpenSSL that affected, at the time, 17% of all secure web servers on the internet. This is a result of the prominence of OpenSSL—powering the TLS layer of an endless number of applications—from web servers to email servers to SSH connections and so forth.”
Because there are challenges in analyzing and assessing embedded closed-source TLS, they’ve been left unexamined by researchers, “so almost no significant vulnerabilities in embedded TLS libraries have been discovered to date,” the researchers wrote.
The root cause for two critical TLStorm vulnerabilities in the TLS implementation used in APC’s SmartUPS were “flaws in the NanoSSL library that were applicable when certain guidelines were not properly followed by the vendor using the library,” the researchers said. “The vulnerabilities themselves lay within the glue-logic—the code that glues together the vendor logic and the NanoSSL library. When this code fails to adhere to certain guidelines specified in the NanoSSL manual, an edge case that leads to remote code execution can arise.”
The researchers noted that while “the immediate effect of the TLStorm 2.0 vulnerabilities is the full takeover of the connected switch,” other implications “vary based on network segmentation configurations.”
When connecting to a network, users often must first pass through a captive portal; once through, they can access the internet or internal corporate networks.
“Using the TLStorm 2.0 vulnerabilities, an attacker can abuse the captive portal and gain remote code execution over the switch with no need for authentication,” the researchers said. Once attackers take control over the switch, they “can disable the captive portal completely and connect freely to the corporate network.”
In another scheme, attackers could use the TLStorm 2.0 vulnerabilities to break network segmentation used to secure corporate networks. “An attacker that gains a foothold in the guest VLAN is limited and can’t access the corporate VLAN,” Armis researchers wrote. “Using the TLStorm 2.0 vulnerabilities, an attacker is able to take control of the core switch and move from the guest VLAN to the corporate VLAN.”
The discovery of this latest set of vulnerabilities underscores the importance of paying attention to identity and not relying to heavily on zero-trust.
“If a hacker has full control over an enterprise switch, other controls, especially those around network access control and zero-trust can be circumvented,” said Garret Grajek, CEO at YouAttest. “It is imperative that enterprises have access controls above the network layers—e.g. at identity and access control, at the applications and the data resources. Identity governance plays a large part in knowing who has access to what resource.”
