TLS IMPLEMENTATION Flaws Open Aruba, Avaya Network Gear, Others to Attacks

One more software supply chain attack.

Note that this is not an intentional compromise, but the result is the same.

The bugs could allow attackers to, remotely, break network segmentation, steal data and escape captive portals.

The bugs, collectively, are called TLStorm 2.0.

The bugs in the NanoSSL library – widely used – were also the source of the APC SmartUPS vulnerability announced earlier.

In the case of the Aruba switches, even using RADIUS authentication does not protect you.

The Avaya devices allow an UNauthenticated user to exploit the bug.

The challenge, of course, it to figure out what software and hardware you own uses this vulnerable library, is the software or hardware still supported and will the vendor release patches.

This is why Software Bill of Materials is so critical.

More details can be found at CSO Online, here.