The Aruba 2930M (Image: Aruba Networks)
Several network switch models from two major manufacturers share similar flaws in how they implement the same SSL library. Armis, the security firm that discovered the problem, had previously found similar problems in APC power supplies, and worries the issue will not be limited to power and networking.
“I can say approximately 50- or 60 percent of the devices we’ve checked using NanoSSL are vulnerable to the same type of vulnerabilities because it’s very easy to make these mistakes,” said Barak Hadad, head of research at Armis.
Mocana’s NanoSSL library is widely used in internet of things (IoT) devices. Armis has not identified any problems in the library itself. Instead, the problems occur when data returned from the library is not properly validated and errors are not handled properly. Hadad said that the requirements for implementation are accurately described in the manuals for NanoSSL.
“But we all know developers. No one reads the manuals,” said Hadad.
Armis worked with Mocana to make NanoSSL harder to misuse, both within the code and through vendor alerts. But legacy products may already have problems.
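The root cause described above (library return data not validated, library errors not handled) can be sketched as a calling pattern. This is an added example, not code from Armis, Mocana, Aruba or Avaya: `stub_tls_recv`, `read_field_checked` and the one-byte length field format are hypothetical, and the stub is not the NanoSSL API.

```c
#include <stddef.h>
#include <string.h>

#define REC_CAP 16

/* Hypothetical stand-in for a TLS library read (NOT the NanoSSL API).
 * Returns 0 and sets *got on success; on failure returns a negative
 * status and leaves dst and *got untouched (wire_len < 0 simulates it). */
static int stub_tls_recv(const unsigned char *wire, int wire_len,
                         unsigned char *dst, size_t cap, int *got)
{
    if (wire_len < 0) return -1;
    size_t n = (size_t)wire_len < cap ? (size_t)wire_len : cap;
    memcpy(dst, wire, n);
    *got = (int)n;
    return 0;
}

/* Reads one field (1 length byte, then that many bytes) into out.
 * Every value that came from the library or the peer is checked
 * before it is used as a size. Returns 0 or a negative reason code. */
int read_field_checked(const unsigned char *wire, int wire_len,
                       unsigned char *out, size_t out_cap, size_t *out_len)
{
    unsigned char rec[REC_CAP];
    int got = 0;
    if (stub_tls_recv(wire, wire_len, rec, sizeof rec, &got) != 0)
        return -1;                 /* library error: rec holds no valid data */
    if (got < 1)
        return -2;                 /* no length byte was received */
    size_t declared = rec[0];      /* peer-controlled length */
    if (declared > (size_t)got - 1)
        return -3;                 /* claims more bytes than were received */
    if (declared > out_cap)
        return -4;                 /* would overflow the caller's buffer */
    memcpy(out, rec + 1, declared);
    *out_len = declared;
    return 0;
}

int main(void)
{
    const unsigned char lie[] = {200, 'a'};   /* constructed sample input */
    unsigned char out[8]; size_t n = 0;
    return read_field_checked(lie, (int)sizeof lie, out, sizeof out, &n) == -3 ? 0 : 1;
}
```

A caller that skips the status check would go on to parse an uninitialized `rec`, and one that skips the two length checks would copy a peer-chosen number of bytes; both omissions are instances of the misuse the article describes.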
Armis is calling the switch vulnerabilities “TLStorm2.0.” There are five CVEs in total, two in Aruba and three in Avaya.
The TLStorm2.0 bugs affected models from the Aruba product series 2530, 2540, 2920, 2930F, 2930M, 5400R, and 3810 and Avaya series ERS3500, ERS3600, ERS4900 and ERS5900.
The issues identified could be severe. Two of the issues identified in Avaya