Thousands of airports, hospitals and hotels affected by critical vulnerabilities in Aruba and Avaya switches

Five critical remote code execution (RCE) vulnerabilities have been confirmed in millions of Aruba and Avaya devices. Exploiting them would allow threat actors to take control of network switches used in all kinds of facilities, including hospitals, hotels and airports.

Researchers at security firm Armis dubbed this set of flaws TLStorm 2.0, noting that the bugs stem from security weaknesses in NanoSSL, a TLS library developed by Mocana and used by the vulnerable network devices.

Barak Hadad, in charge of the research, mentions that the flaws affect about 10 million devices in HPE’s Aruba and Extreme Networks’ Avaya switch portfolio, and received scores between 9/10 and 9.8/10 according to the Common Vulnerability Scoring System (CVSS).

If exploited, the vulnerabilities would allow threat actors to alter the behavior of affected devices for lateral movement attacks and theft of sensitive information. So far, no active exploitation attempts have been detected, which allowed the updates to be developed properly.

As for the individual flaws, Aruba switches are affected by CVE-2022-23677, with a CVSS score of 9/10. This flaw exists due to a bug in NanoSSL, which can be exploited through a captive portal. A second bug in Aruba switches (CVE-2022-23676) was described as a client memory corruption in RADIUS, which received a CVSS score of 9.1/10.

The list of affected Aruba switches includes:

  • Aruba 5400R Series
  • Aruba 3810 Series
  • Aruba 2920 Series
  • Aruba 2930F Series
  • Aruba 2930M Series
  • Aruba 2530 Series
  • Aruba 2540 Series

Moreover, Avaya products are affected by CVE-2022-29860, a TLS reassembly heap overflow bug that received a CVSS score of 9.8/10. In addition, CVE-2022-29861 could cause a stack overflow during HTTP header scanning, which can be leveraged to execute arbitrary malicious code remotely on Avaya switches.

TLStorm 2.0 flaws exist in the following Avaya products:

  • ERS3500 Series
  • ERS3600 Series
  • ERS4900 Series
  • ERS5900 Series

Administrators of affected deployments are encouraged to address detected vulnerabilities promptly to mitigate exploit risk.
