Cyber Security Weekly Briefing, 24 April – 6 May

Telefónica Tech    6 May, 2022

TLStorm 2 – Vulnerabilities in Aruba and Avaya switches

Researchers at Armis have discovered five vulnerabilities in the implementation of TLS communications in multiple models of Aruba and Avaya switches.

The vulnerabilities are caused by a design flaw similar to the TLStorm vulnerabilities, also discovered by Armis earlier this year, which could allow a malicious actor to remotely execute code on the devices, affecting potentially millions of network infrastructure devices at the enterprise level.

The root cause is that code used by the vendors does not comply with NanoSSL library guidelines. At Aruba this can lead to data overflows, with the vulnerabilities tracked as CVE-2022-23677 and CVE-2022-23676 and carrying CVSS scores of 9.0 and 9.1 respectively.

At Avaya, on the other hand, the library implementation has three flaws: a TLS reassembly overflow (CVE-2022-29860, CVSS 9.8), an HTTP header parsing overflow (CVE-2022-29861, CVSS 9.8) and an HTTP POST request handling overflow, with no assigned CVE.

In addition, successful exploitation of the vulnerabilities could lead to anything from information leakage and complete device takeover to lateral movement and bypassing of network segmentation defences. Armis stresses that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation can no longer be considered a sufficient security measure.


* * *

Millions of IoT devices affected by serious DNS flaw

The Nozomi Networks Labs team has discovered an unpatched vulnerability that directly affects the domain name system (DNS) of multiple routers and IoT devices, deployed in various sectors of critical infrastructure.

The identified flaw is located in two C libraries (uClibc and uClibc-ng) that are commonly used in IoT products, employed by Linux distributions such as Embedded Gentoo, and widely used by major vendors such as Netgear, Axis and Linksys.

According to the research, a threat actor could use DNS poisoning or DNS spoofing to redirect network traffic to a server under its direct control and thereby steal or manipulate information transmitted by users and perform other attacks against devices to compromise them completely.

Nozomi estimates that more than 200 vendors could be affected by this vulnerability, which has no CVE identifier as yet. Given that there is currently no patch to fix it, specific technical details about its exploitation are being withheld until new firmware versions are available to fix the issue.


* * *

Severe vulnerabilities in AVAST and AVG

In December 2021 the SentinelOne team discovered two critical vulnerabilities, catalogued as CVE-2022-26522 and CVE-2022-26523, in Avast and AVG antivirus products. These vulnerabilities had reportedly been present and exploitable in the products since 2012 and affected the “Anti Rootkit” system in both products.

The flaws allowed malicious actors to exploit the socket connection in the kernel driver to escalate privileges and disable the security products, making it possible to overwrite system components, corrupt the operating system and/or perform unhindered malicious operations, such as injecting code, performing lateral movement, installing backdoors, etc.

Both vulnerabilities were patched with version 22.1 of Avast antivirus (AVG was acquired by Avast itself in 2016), released on 8 February. It should be noted that despite the length of time these vulnerabilities have existed, no signs of exploitation have been detected.


* * *

Vulnerability in several ransomware families could prevent data encryption

Security researcher John Page (hyp3rlinx) has shown that several of the most recently active ransomware families are vulnerable to a “DLL hijacking” flaw that would prevent them from achieving their ultimate purpose of encrypting their victims’ data. The details of his research have been published through the Malvuln project, created by the researcher himself, where he catalogues vulnerabilities detected in malware samples.

The exploitation of the detected flaw consists of a DLL hijacking, a type of vulnerability that is generally used for arbitrary code execution and privilege escalation purposes. In this case, by creating a specially crafted DLL file that impersonates the DLL required for the execution of the malware, the ransomware processes would be intercepted and terminated, thus preventing data encryption.

For the time being, Malvuln has published some proof-of-concepts (PoCs) affecting the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit and WannaCry ransomware families, without ruling out that the flaw is perfectly exploitable in other ransomware as well.

