Dive Brief:
- Researchers from Armis discovered critical vulnerabilities across enterprise-grade routers and switches from HPE unit Aruba Networks and Extreme Networks’ Avaya unit that could impact millions of devices.
- The vulnerabilities, called TLStorm 2.0, are considered serious enough that, if exploited, they could allow a threat actor to gain remote code execution on potentially millions of devices, according to a blog post from Armis published Tuesday.
- The disclosures stem from the March discovery of similar vulnerabilities, called TLStorm, in APC Smart-UPS devices. Those critical vulnerabilities allow an attacker to take control of Smart-UPS devices and literally cause them to overload and go up in smoke.
Dive Insight:
The root cause of the vulnerability is the misuse of NanoSSL, a popular TLS library from Mocana, according to Armis researchers. Aruba and Avaya have switches vulnerable to remote code execution, which could allow an attacker to gain a dangerous level of access to affected devices.
An attacker could move laterally to other devices by changing the switch behavior, and could also exfiltrate data from the internal network.
These network switching devices are commonly used across hospitals, hotels, airports and other organizations, according to Armis.
“Routers and switches pose significant risk due to their purpose — the backbone of every corporate network consists of routers and switches,” Barak Hadad, head of research at Armis, said via email. “These devices are often overlooked when examining the security posture of organizations, even though they are the enforcers of network segmentation.”
The widely known Heartbleed bug of 2014 was similar: it involved a vulnerability in the OpenSSL cryptography library.
Researchers collaborated with both companies, and there is no evidence of any attacks in the wild.
HPE is aware of the vulnerability and is working on a firmware update to address it, according to a spokesperson. The vulnerability impacts a limited number of switch models and firmware versions, and the company is not aware of any exploitation involving Aruba customers.
“In the interim, we are advising customers using affected products to implement firewall controls to protect themselves,” according to the spokesperson.
Extreme Networks has shared information for customers to implement firmware upgrades.