Wired Intelligent Edge

 View Only
last person joined: 2 days ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

NanoSSL exploit

This thread has been viewed 56 times
  • 1.  NanoSSL exploit

    Posted May 03, 2022 08:48 AM
    Hi,
    Just read that there was a exploit found in de nanossl of the Aruba swithes.
    Which firmware does resolve this?
    TLStorm 2 - NanoSSL TLS library misuse leads to vulnerabilities in common switches
    Armis remove preview
    TLStorm 2 - NanoSSL TLS library misuse leads to vulnerabilities in common switches
    Armis has discovered five vulnerabilities in the implementation of TLS communications in multiple models of Aruba and Avaya switches. The vulnerabilities stem from a similar design flaw identified in the TLStorm vulnerabilities (discovered earlier this year by Armis) and expand the reach of TLStorm to potentially millions of additional enterprise-grade network infrastructure devices.
    View this on Armis >


    Kind regards,

    ------------------------------
    Thomas Willems
    ------------------------------


  • 2.  RE: NanoSSL exploit

    Posted May 03, 2022 05:53 PM
    The lists of affected versions and fixed versions can be found in the security advisory 


  • 3.  RE: NanoSSL exploit

    Posted May 04, 2022 12:51 PM
    Can anyone clarify the exposure and mitigation though?

    Is the malicious RADIUS access needed to exploit this, made unsolicited inbound to the switch, or does the switch has to be configured to make RADIUS requests in order for it to be exploited?  If the latter, then only connecting to trusted RADIUS servers is a reasonable mitigation which is implied/suggested by the announcement.

    If the connections can be unsolicited, are they mitigated by the AOS-S "ip authorized-managers" command?

    ------------------------------
    David Rickard
    ------------------------------



  • 4.  RE: NanoSSL exploit

    MVP GURU
    Posted May 04, 2022 02:17 PM
    Hi David, I'm not sure but - to me - it looks like the level of exposure is not directly tied only to RADIUS implementation (if any)...maybe I'm wrong but that's the opinion I formed by reading between the lines here and here.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 5.  RE: NanoSSL exploit

    Posted May 05, 2022 03:45 AM
    Hi Davide, thanks for replying.   The armis web page describes a number of related but different vulnerabilities and applies to a bunch of different equipment.  The APC UPS issue refers to an attack vector involving their centralised management feature, but the armis website doesn't go into detail about the exploitationof the new one affecting Aruba, so for this I am going by the Aruba PSA:

    Exploitation of these vulnerabilities requires the interaction of an affected switch with an attacker controlled source of RADIUS access challenge messages. Because of this, exploitation of these vulnerabilities would most likely occur as part of an attack chain building upon previous exploitation of customer controlled infrastructure.

    Workaround

    ==========

    Aruba recommends implementing firewall controls to limit interactions of impacted switches with known good RADIUS sources.


    Which is why I am asking about the RADIUS connection detail.  This suggests that the connection is where a switch is configured with a RADIUS server that it calls out to, for authentication.  If that's the case then you would only be vulnerable if you configure your switches to connect out to a malicious or compromised server, which is clearly much less of a risk.

    ------------------------------
    David Rickard
    ------------------------------



  • 6.  RE: NanoSSL exploit

    Posted May 06, 2022 08:54 AM
    I have just posted this https://community.arubanetworks.com/community-home/digestviewer/viewthread?GroupId=67&MessageKey=36adae5a-eb15-49a1-b40d-e5ba6053b93a&CommunityKey=e1202040-11b3-4eea-9f57-d903f67db2f9&ReturnUrl=%2fcommunity-home%2fdigestviewer%3fcommunitykey%3de1202040-11b3-4eea-9f57-d903f67db2f9 as an example ACL for blocking access to RADIUS not sourced from or destined to the approved RADIUS server.

    My tests show this blocking bogus RADIUS, but test it - YMMV!

    ------------------------------
    Richard Litchfield
    Airheads MVP 2020, 2021, 2022
    ------------------------------



  • 7.  RE: NanoSSL exploit

    Posted May 05, 2022 01:01 PM
    I also want to know if its patched with te latest software for the 2940 and the 3810

    ------------------------------
    Peter Peterf
    ------------------------------