
Five TLS comms vulnerabilities hit Aruba, Avaya switching kit


Five new vulnerabilities in the implementation of transport layer security communications leave several popular switches vulnerable to remote code execution

By Sebastian Klovig Skelton

Published: 03 May 2022 16:40

As many as eight out of 10 companies could be at risk from five newly disclosed vulnerabilities in widely used communications switches.

Flaws in the implementation of transport layer security (TLS) communications have been found to leave a number of commonly used switches built by HP-owned Aruba and Extreme Networks-owned Avaya at risk of remote code execution (RCE).

Discovered by Armis, the set of vulnerabilities for Aruba includes NanoSSL misuse on multiple interfaces (CVE-2022-23677) and RADIUS client memory corruption vulnerabilities (CVE-2022-23676), while for Avaya it includes TLS reassembly heap overflow (CVE-2022-29860) and HTTP header parsing stack overflow (CVE-2022-29861).

A further vulnerability for Avaya was found in the handling of HTTP POST requests, but it has no CVE identifier because it was found in a discontinued product line, meaning no patch will be issued despite Armis data showing these devices can still be found in the wild.

According to Armis data, almost eight out of 10 companies are exposed to these vulnerabilities.

The discovery comes in the wake of the TLStorm disclosures in March 2022, and the new set of vulnerabilities has been dubbed TLStorm 2.0.

For reference, the original TLStorm moniker was applied to a set of critical vulnerabilities in APC Smart-UPS devices, stemming from misuse of Mocana’s NanoSSL TLS library, that enabled an attacker to take control of the devices from the internet with no user interaction.

Such incidents are becoming increasingly widespread, with the most famous recent disclosure arguably being Log4Shell.

Now, using its own database of billions of devices and device profiles, Armis’s researchers claim they have found dozens more devices using the Mocana NanoSSL library, and both Aruba and Avaya devices have turned out to be at risk of the misuse of said library. This arises because the glue logic – the code that links the vendor logic and the NanoSSL library – does not follow the NanoSSL manual guidelines.

Armis research head Barak Hadad said that although it was clear that almost all software relies on external libraries to some degree, these libraries will always present some degree of risk to the hosting software. In this case, Hadad said the Mocana NanoSSL manual has clearly not been followed properly by multiple suppliers.

“The manual clearly states the proper cleanup in case of connection error, but we have already seen multiple vendors not handling the errors properly, resulting in memory corruption or state confusion bugs,” wrote Hadad in a disclosure blog published on 3 May 2022.

He said the exploitation of these vulnerabilities could enable attackers to break out of network segmentation and achieve lateral movement to additional devices by changing the behaviour of the vulnerable switch, leading to data exfiltration of network traffic or sensitive information, and captive portal escape.

Hadad warned that TLStorm 2.0 could be especially dangerous for any organisation or facility running a free Wi-Fi service, such as airports, hospitality venues and retailers.

“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation can no longer act as a sufficient security measure,” he wrote.
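The failure mode Hadad describes, glue logic that does not handle a TLS library's connection errors, can be sketched in C with the flawed pattern beside a corrected one. This is an added illustration, not code from Armis, Mocana, Aruba or Avaya; the `toy_tls_*` library, the `session` type and the `valid-hello` input are hypothetical stand-ins and do not reflect the NanoSSL API.

```c
#include <string.h>

/* Hypothetical stand-in for a TLS library; NOT the NanoSSL API. */
enum { TLS_OK = 0, TLS_ERR = -1 };

typedef struct {
    int open;          /* library-side connection state is allocated */
    int handshake_ok;  /* set only after a successful handshake */
} tls_conn;

/* Constructed behaviour: the handshake fails on a malformed hello and
   leaves the connection half-initialised until the caller closes it. */
static int toy_tls_handshake(tls_conn *c, const char *hello) {
    c->open = 1;
    if (strcmp(hello, "valid-hello") != 0)
        return TLS_ERR;
    c->handshake_ok = 1;
    return TLS_OK;
}

static void toy_tls_close(tls_conn *c) { c->open = 0; c->handshake_ok = 0; }

/* Application-side session kept by the vendor's glue logic. */
typedef struct { tls_conn conn; int serving; } session;

/* Flawed glue: the return value is discarded, so a failed handshake
   still reaches the serving state (state confusion). */
int glue_accept_flawed(session *s, const char *hello) {
    memset(s, 0, sizeof *s);
    (void)toy_tls_handshake(&s->conn, hello);
    s->serving = 1;
    return s->serving;
}

/* Corrected glue: check the result, clean up the connection on error,
   and never enter the serving state. */
int glue_accept_checked(session *s, const char *hello) {
    memset(s, 0, sizeof *s);
    if (toy_tls_handshake(&s->conn, hello) != TLS_OK) {
        toy_tls_close(&s->conn);
        return 0;
    }
    s->serving = 1;
    return 1;
}

/* Invariant a code review or unit test can enforce:
   a serving session implies an open, fully handshaken connection. */
int session_state_consistent(const session *s) {
    return !s->serving || (s->conn.open && s->conn.handshake_ok);
}
```

Asserting an invariant like `session_state_consistent` in tests that feed malformed input is one way to catch unchecked library errors before they ship.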

In terms of mitigations, Armis said that organisations deploying impacted Aruba devices should patch them immediately through the Aruba Support Portal, while those deploying impacted Avaya devices should check security advisories immediately in the Extreme Support Portal.

On top of specific vendor mitigations, multiple network protection layers can also be applied to mitigate the risk, including network monitoring and limiting the attack surface, for example by blocking the exposure of the management portal to guest network ports.

The affected devices for Aruba are the 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series and 2540 Series; the affected Avaya devices are the ERS3500 Series, ERS3600 Series, ERS4900 Series and ERS5900 Series.

All the vulnerabilities have been notified to the relevant suppliers, which worked with Armis to issue patches that address most of the problems.






AMD CEO says 5-nm Zen 4 processors coming this fall



Advanced Micro Devices revealed its 5-nanometer Zen 4 processor architecture today at the Computex 2022 event in Taiwan.

The new AMD Ryzen 7000 Series desktop processors with Zen 4 cores will be coming this fall, said Lisa Su, CEO of AMD, in a keynote speech.

Su said the new processors with Zen 4 architecture will deliver a significant increase in performance upon their launch in the fall of 2022. Additionally, Su highlighted the strong growth and momentum for AMD in the mobile market as 70 of the more than 200 expected ultrathin, gaming and commercial notebook designs powered by Ryzen 6000 Series processors have been launched or announced to-date.

In addition, other AMD executives announced the newest addition to the Ryzen Mobile lineup, “Mendocino;” the newest AMD smart technology, SmartAccess Storage; and more details of the new AM5 platform, including support from leading motherboard manufacturers.

“At Computex 2022 we highlighted growing adoption of AMD in ultrathin, gaming, and commercial notebooks from the leading PC providers based on the leadership performance and battery life of our Ryzen 6000 series mobile processors,” said Su. “With our upcoming AMD Ryzen 7000 Series desktop processors, we will bring even more leadership to the desktop market with our next-generation 5-nm Zen 4 architecture and provide an unparalleled, high-performance computing experience for gamers and creators.”

AMD Ryzen 7000 Series desktop processors

The new Ryzen 7000 Series desktop processors will double the amount of L2 cache per core, feature higher clock speeds, and are projected to provide greater than 15% uplift in single-thread performance versus the prior generation, for a better desktop PC experience.

During the keynote, a pre-production Ryzen 7000 Series desktop processor was demonstrated running at 5.5 GHz clock speed throughout AAA game play. The same processor was also demonstrated performing more than 30% faster than an Intel Core i9 12900K in a Blender multi-threaded rendering workload.

In addition to new “Zen 4” compute dies, the Ryzen 7000 series features an all-new 6nm I/O die. The new I/O die includes AMD RDNA 2-based graphics engine, a new low-power architecture adopted from AMD Ryzen mobile processors, support for the latest memory and connectivity technologies like DDR5 and PCI Express 5.0, and support for up to four displays.

AMD Socket AM5 Platform

The new AMD Socket AM5 platform provides advanced connectivity for our most demanding enthusiasts. This new socket features a 1718-pin LGA design with support for up to 170W TDP processors, dual-channel DDR5 memory, and new SVI3 power infrastructure for leading all-core performance with our Ryzen 7000 Series processors. AMD Socket AM5 features the most PCIe 5.0 lanes in the industry with up to 24 lanes, making it our fastest, largest, and most expansive desktop platform with support for the next-generation and beyond class of storage and graphics cards.

And AMD said the “Mendocino” processors will offer great everyday performance and are expected to be priced from $400 to $700.

Featuring “Zen 2” cores and RDNA 2 architecture-based graphics, the processors are designed to deliver the best battery life and performance in the price band so users can get the most out of their laptop at an attractive price.

The first systems featuring the new “Mendocino” processors will be available from computer partners in Q4 2022.


AMD’s Ryzen 7000 desktop chips are coming this fall with 5nm Zen 4 cores


AMD’s upcoming Ryzen 7000 chips will mark another major milestone for the company: they’ll be the first desktop processors running 5 nanometer cores. During her Computex keynote presentation today, AMD CEO Lisa Su confirmed that Ryzen 7000 chips will launch this fall. Under the hood, they’ll feature dual 5nm Zen 4 cores, as well as a redesigned 6nm I/O core (which includes RDNA2 graphics, DDR5 and PCIe 5.0 controllers and a low-power architecture). Earlier this month, the company teased its plans for high-end “Dragon Range” Ryzen 7000 laptop chips, which are expected to launch in 2023.

Since this is just a Computex glimpse, AMD isn’t giving us many other details about the Ryzen 7000 yet. The company says it will offer a 15 percent performance jump in Cinebench’s single-threaded benchmark compared to the Ryzen 5950X. Still, it’d be more interesting to hear about multi-threaded performance, especially given the progress Intel has made with its 12th-gen CPUs. You can expect 1MB of L2 cache per core, as well as maximum boost speeds beyond 5GHz and better hardware acceleration for AI tasks.

AMD is also debuting Socket AM5 motherboards alongside its new flagship processor. The company is moving towards a 1718-pin LGA socket, but it will still support AM4 coolers. That’s a big deal if you’ve already invested a ton into your cooling setup. The new motherboards will offer up to 24 channels of PCIe 5.0 split across storage and graphics, up to 14 USB SuperSpeed ports running at 20 Gbps, and up to 4 HDMI 2.1 and DisplayPort 2 ports. You’ll find them in three different flavors: B650 for mainstream systems, X650 for enthusiasts who want PCIe 5.0 for storage and graphics and X650 Extreme for the most demanding folks.

Given that Intel still won’t have a 7nm desktop chip until next year (barring any additional delays), AMD seems poised to once again take the performance lead for another generation. But given just how well Intel’s hybrid process for its 12th-gen chips has worked out, it’ll be interesting to see how it plans to respond. If anything, it sure is nice to see genuine competition in the CPU space again.

While Ryzen 7000 will be AMD’s main focus for the rest of the year, the company is also throwing a bone to mainstream laptops in the fourth quarter with its upcoming 6nm “Mendocino” CPUs. They’ll sport four 6nm Zen 2 cores, as well as RDNA 2 graphics, making them ideal for systems priced between $399 and $699. Sure, that’s not much to get excited about, but even basic machines like Lenovo’s Ideapad 1 deserve decent performance. And for many office drones, it could mean having work-issued machines that finally don’t stink.


Disney’s Disney+ ad pitch reflects how streaming ad prices set to rise in this year’s upfront


With Disney+, Disney is looking to set a new high-water mark for ad prices among the major ad-supported streamers. The pricey pitch is representative of a broader rising tide in streaming ad pricing in this year’s TV advertising upfront market, as Disney-owned Hulu, Amazon and even Fox’s Tubi are looking to press upfront advertisers to pay up.

In its initial pitch to advertisers and their agencies, Disney is seeking CPMs for Disney+ around $50, according to agency executives. That price point applies to broad-based targeting dubbed “P2+,” which refers to an audience of any viewer who is two years old or older (though Disney has told agency executives that programming aimed at viewers seven years old and younger will be excluded from carrying ads). In other words, more narrowly targeted ads are expected to cost more based on the level of targeting. A Disney spokesperson declined to comment.

At a $50 CPM, Disney+ is surpassing the prices that NBCUniversal’s Peacock and Warner Bros. Discovery’s HBO Max sought in last year’s upfront market and that gave ad buyers sticker shock. The former sought CPMs in the $30 to $40 range, while the latter sought $40+ CPMs. By comparison, other major ad-supported streamers like Hulu, Discovery+ and Paramount+ were charging low-to-mid $20 CPMs. As a result, Peacock’s and HBO Max’s asks ended up being price prohibitive, with some advertisers limiting the amount of money they spent with the streamers because of their higher rates.

Unsurprisingly, agency executives are balking at Disney+’s price point. “They’re citing pricing that no longer exists, meaning Peacock and HBO Max recognized they came out too high and they’re reducing it. Disney+ is using earmuffs to pretend that second part didn’t happen,” said one agency executive.

However, Disney+ isn’t the only streamer seeking to raise the rates that ad buyers are accustomed to paying. Hulu is also seeking to increase its prices in this year’s upfront, with P2+ pricing going from a $20-$25 CPM average to averaging in the $25-$30 CPM range, according to agency executives. And during a call with reporters on May 16, Fox advertising sales president Marianne Gambelli said that the company will seek higher prices for its free, ad-supported streaming TV service Tubi in this year’s upfront market. It’s unclear what Tubi’s current rates are, but FAST services’ CPMs are typically in the low to mid teens, said the agency executives.

“We have to get the value for Tubi. Tubi has grown to a point — it’s doubled, tripled in size over the past couple of years. So we are going to obviously make that a priority and look for not only more volume but price,” Gambelli said.

Meanwhile, in pitching its Thursday Night Football package that will be streamed on Amazon Prime Video and Twitch, Amazon has been pressing for a premium on what Fox charged advertisers last year, according to agency executives. The e-commerce giant will be handling the games’ ad placements like traditional TV, meaning that it will run the same ad in each ad slot for every viewer as opposed to dynamically inserting targeted ads. “It’s streaming broadcast,” said a second agency executive.

An Amazon spokesperson declined to comment on pricing but did provide a general statement. “Thursday Night Football on Prime Video and Twitch is a purely digital broadcast, and we’re excited to bring fans a new viewing experience. There are 80MM active Prime Video households in the U.S. and, in a survey of our 2021 TNF audience, 38% reported they don’t have a pay-TV service – meaning TNF on Prime Video and Twitch enables brands to connect with cord-cutters and cord-nevers. Brands can also reach these viewers beyond TNF. Our first-party insights enable them to reengage TNF audiences across Amazon, such as in Freevee content.”

One of the agency executives that Digiday spoke to said the latest ask is for a plus-10% increase on Fox’s rates, though what Fox’s rates were are unclear and other agency executives said the premium that Amazon is asking for varies. Ad Age reported in February that Amazon was seeking up to 20% higher prices than Fox’s rates. “I don’t know if it is consistently plus-10, but it is definitely more. Which is crazy because Fox couldn’t make money on it, which is why they gave it up for this fall,” said a second agency executive.

“Someone was eating way too many gummies before they put the pricing together,” said a second agency executive of Amazon’s Thursday Night Football pitch.

Ad-supported streaming service owners also see an opportunity to push for higher prices as advertisers adopt more advanced targeting with their streaming campaigns, such as by using the media companies’ and/or advertisers’ first-party data to aim their ads on the streamers.

Said one TV network executive, “You’ll see premiums, especially as it relates to advertisers that really want to hook into [their company’s streaming service] and buy those targeted audiences across the platform and either use [the TV network’s] first-party data or bring their own data to the table. That’s the biggest business we’re in, and that’s where we see great growth from a pricing standpoint.”

https://digiday.com/?p=448869
