
Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches
2022-05-04 00:33

Cybersecurity researchers have detailed as many as five severe security flaws in the TLS protocol implementation of several models of Aruba and Avaya network switches. The flaws could be abused to gain remote access to enterprise networks and steal valuable information.

The new set of flaws, dubbed TLStorm 2.0, exposes Aruba and Avaya network switches to remote code execution, enabling an adversary to take control of the devices, move laterally across the network, and exfiltrate sensitive data. The flaws include:

CVE-2022-23676 - Two memory corruption vulnerabilities in the RADIUS client implementation of Aruba switches.

CVE-2022-29860 - TLS reassembly heap overflow vulnerability in Avaya switches.

CVE-2022-29861 - HTTP header parsing stack overflow vulnerability in Avaya switches.
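The bugs listed above are out-of-bounds writes (CWE-787) in parsers that take lengths from the network. The following C program is an added, constructed illustration of that bug class in a TLS handshake reassembler, not code from Avaya, Aruba, or the Armis research; the reassembler, its buffer layout and the fragment sizes are hypothetical. A handshake message may be split across several TLS records, so the receiver allocates a buffer from the 3-byte length in the handshake header and appends each fragment. The vulnerable version trusts that the peer never sends more body bytes than it declared; the hardened version checks every fragment against the remaining declared length. A canary placed after the declared body (inside the same allocation, so no undefined behaviour occurs) makes the overflow observable.

```c
/* Constructed example of a TLS handshake reassembly out-of-bounds write
 * (CWE-787) and its fix. Not vendor code; all names and sizes are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CANARY_LEN 16
static const uint8_t CANARY[CANARY_LEN] = {
    0xC0, 0xFF, 0xEE, 0x11, 0xC0, 0xFF, 0xEE, 0x22,
    0xC0, 0xFF, 0xEE, 0x33, 0xC0, 0xFF, 0xEE, 0x44 };

/* Reassembly state for one handshake message whose body spans several records. */
typedef struct {
    uint8_t *buf;     /* declared body bytes, followed by a canary so the
                         overflow can be observed without undefined behaviour */
    size_t expected;  /* body length declared in the 4-byte handshake header */
    size_t have;      /* body bytes received so far */
} hs_reasm;

/* Parse the handshake header (type(1) | length(3)) from the first fragment
 * and allocate the reassembly buffer. Returns 0 on success, -1 on error. */
static int hs_reasm_start(hs_reasm *r, const uint8_t *hdr, size_t n) {
    if (n < 4) return -1;
    r->expected = ((size_t)hdr[1] << 16) | ((size_t)hdr[2] << 8) | hdr[3];
    r->have = 0;
    r->buf = malloc(r->expected + CANARY_LEN);
    if (!r->buf) return -1;
    memcpy(r->buf + r->expected, CANARY, CANARY_LEN);
    return 0;
}

/* Vulnerable: the fragment length is never compared with the space that
 * remains, so a peer that sends more body than it declared writes past it. */
static int hs_reasm_feed_vulnerable(hs_reasm *r, const uint8_t *frag, size_t n) {
    memcpy(r->buf + r->have, frag, n);   /* missing: r->have + n <= r->expected */
    r->have += n;
    return 0;
}

/* Hardened: reject any fragment that exceeds the remaining declared length
 * before a single byte is written. have <= expected is kept as an invariant,
 * so the subtraction cannot wrap. */
static int hs_reasm_feed_hardened(hs_reasm *r, const uint8_t *frag, size_t n) {
    if (n > r->expected - r->have) return -1;
    memcpy(r->buf + r->have, frag, n);
    r->have += n;
    return 0;
}

/* 1 if the canary after the declared body is intact, 0 if it was overwritten. */
static int hs_reasm_canary_intact(const hs_reasm *r) {
    return memcmp(r->buf + r->expected, CANARY, CANARY_LEN) == 0;
}

static void hs_reasm_free(hs_reasm *r) { free(r->buf); r->buf = NULL; }

typedef int (*feed_fn)(hs_reasm *, const uint8_t *, size_t);

/* Drive one reassembler with a constructed message: the header declares an
 * 8-byte body, then the peer sends 8 + 6 body bytes across two records.
 * Returns 1 when the canary survived, 0 when it was clobbered, -1 on error. */
static int run_oversized_message(feed_fn feed) {
    static const uint8_t hdr[4] = { 0x01, 0x00, 0x00, 0x08 };  /* ClientHello, len 8 */
    uint8_t frag1[8], frag2[6];
    memset(frag1, 'A', sizeof frag1);
    memset(frag2, 'B', sizeof frag2);   /* 6 bytes beyond the declared end */
    hs_reasm r;
    if (hs_reasm_start(&r, hdr, sizeof hdr) != 0) return -1;
    feed(&r, frag1, sizeof frag1);
    feed(&r, frag2, sizeof frag2);
    int intact = hs_reasm_canary_intact(&r);
    hs_reasm_free(&r);
    return intact;
}

int main(void) {
    printf("vulnerable reassembler, canary intact: %d\n",
           run_oversized_message(hs_reasm_feed_vulnerable));
    printf("hardened reassembler,   canary intact: %d\n",
           run_oversized_message(hs_reasm_feed_hardened));
    return 0;
}
```

The same pattern applies to the HTTP header parsing stack overflow: a header value copied into a fixed-size stack buffer by its received length rather than the buffer's capacity. The fix is the same check, applied before the copy, plus a sane upper bound on any length the peer is allowed to declare.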

"These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure," Barak Hadad, head of research in engineering at Armis, said.

News URL

https://thehackernews.com/2022/05/critical-tlstorm-20-bugs-affect-widely.html

Related Vulnerability

Date: 2022-05-10
CVE: CVE-2022-23676
Title: Out-of-bounds Write vulnerability in Arubanetworks products
Description: A remote execution of arbitrary code vulnerability was discovered in ArubaOS-Switch devices, version(s): ArubaOS-Switch 15.xx.xxxx: all versions; ArubaOS-Switch 16.01.xxxx: all versions; ArubaOS-Switch 16.02.xxxx: K.16.02.0033 and below; ArubaOS-Switch 16.03.xxxx: all versions; ArubaOS-Switch 16.04.xxxx: all versions; ArubaOS-Switch 16.05.xxxx: all versions; ArubaOS-Switch 16.06.xxxx: all versions; ArubaOS-Switch 16.07.xxxx: all versions; ArubaOS-Switch 16.08.xxxx: KB/WB/WC/YA/YB/YC.16.08.0024 and below; ArubaOS-Switch 16.09.xxxx: KB/WB/WC/YA/YB/YC.16.09.0019 and below; ArubaOS-Switch 16.10.xxxx: KB/WB/WC/YA/YB/YC.16.10.0019 and below; ArubaOS-Switch 16.11.xxxx: KB/WB/WC/YA/YB/YC.16.11.0003 and below.
Attack vector: network
Vendor: arubanetworks
CWE: CWE-787
Risk: critical (score 9.3)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Avaya 134 9 54 28 19 110