Critical vulnerabilities found in 'millions of Aruba and Avaya switches'
2022-05-03 10:00

Five critical remote code execution vulnerabilities in millions of Aruba and Avaya devices can be exploited by cybercriminals to take full control of network switches commonly used in airports, hospitals, and hotels, according to Armis researchers.

The flaws affect about 10 million devices across HPE's Aruba and Extreme Networks' Avaya switching portfolio, and have severity scores ranging from 9.0 to 9.8 out of 10.

TLStorm 2.0 follows the discovery and patching of TLStorm: three critical vulnerabilities said to be in millions of Schneider Electric APC Smart-UPS products.

One of the Aruba vulnerabilities, CVE-2022-23677, which received a 9.0 out of 10 CVSS score, is due to a weakness in NanoSSL that can be exploited via a captive portal.

The attack surface for the Avaya switches is the web management portal, and none of its three vulnerabilities require any kind of authentication to exploit.

The second critical Avaya bug, CVE-2022-29861, can lead to a stack overflow during HTTP header parsing, which can be exploited to run arbitrary malicious code remotely on the switch.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/03/aruba_avaya_critical_vulns/

Related Vulnerability

Date: 2022-05-10
CVE: CVE-2022-23677
Vulnerability title: Out-of-bounds Write vulnerability in Arubanetworks products
Description: A remote execution of arbitrary code vulnerability was discovered in ArubaOS-Switch devices, version(s): ArubaOS-Switch 15.xx.xxxx: All versions; ArubaOS-Switch 16.01.xxxx: All versions; ArubaOS-Switch 16.02.xxxx: K.16.02.0033 and below; ArubaOS-Switch 16.03.xxxx: All versions; ArubaOS-Switch 16.04.xxxx: All versions; ArubaOS-Switch 16.05.xxxx: All versions; ArubaOS-Switch 16.06.xxxx: All versions; ArubaOS-Switch 16.07.xxxx: All versions; ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0024 and below; ArubaOS-Switch 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0019 and below; ArubaOS-Switch 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0019 and below; ArubaOS-Switch 16.11.xxxx: KB/WB/WC/YA/YB/YC.16.11.0003 and below.
Category: network
Vendor: arubanetworks
CWE: CWE-787
Risk: critical (CVSS 9.3)

Related vendor

Vendor: Avaya
Vulnerabilities in the last 12 months: 135
Number of products: 9
By severity: low 52, medium 31, high 19, critical 111 (total vulnerabilities)