Several models of network switches across two major manufacturers suffer similar implementation problems of the same SSL library. Armis, the security firm that discovered the problem, had previously discovered similar problems in APC power supplies, and worries this problem will not be limited to power and networking.
"I can say approximately 50- or 60 percent of the devices we've checked using NanoSSL are vulnerable to the same type of vulnerabilities because it's very easy to make these mistakes," said Barak Hadad, head of research at Armis.
Mocana's NanoSSL library is widely used in internet of things (IoT) devices. Armis has not identified any problems in the library itself. Instead, the problems occur when data returned from the library is not properly validated and errors are not handled properly. Hadad said that the requirements for implementation are accurately described in the manuals for NanoSSL.
"But we all know developers. No one reads the manuals," said Hadad.
Armis worked with Mocana to make NanoSSL harder to misuse, both within the code and through vendor alerts. But legacy products may already have problems.
Armis is calling the switch vulnerabilities "TLStorm2.0." There are five CVEs in total, two in Aruba and three in Avaya.
The TLStorm2.0 bugs affected models from the Aruba product series 2530, 2540, 2920, 2930F, 2930M, 5400R, and 3810 and Avaya series ERS3500, ERS3600, ERS4900 and ERS5900.
The issues identified could be severe. Two of the issues identified in Avaya switches lead to remote code execution and one of the Aruba bugs allows attackers to break out of captive portals and hop from VLAN to VLAN.
Most of the vulnerabilities have been patched, according to Armis, and the ones that have not been have mitigations available. Users can check with Avaya here for and Aruba here.
TLStorm2.0 follows TLStorm, vulnerabilities in APC power backups. Taking advantage of misuse in the power backups, Armis was able to change how much power was flowing through a power supply and the waveform, and demonstrated they were able to set equipment ablaze through malicious surges of power.
Hadad said that NanoSSL implementation bugs likely extend far beyond network switches and universal power supplies.
"If vendors are using Mocana NanoSSL and want us to check if they're vulnerable, they can communicate with us and we will be happy to help," he said. "Also, we have a technical white paper that shows exactly how this misuse looks like in the code."