Armis, the leading unified asset visibility and security platform, today announced the disclosure of five critical vulnerabilities, known as TLStorm 2.0, in the implementation of TLS communications in multiple models of network switches. The vulnerabilities stem from a similar design flaw identified in the TLStorm vulnerabilities (discovered earlier this year by Armis), expanding the reach of TLStorm to millions of additional enterprise-grade network infrastructure devices.
In March 2022, Armis first disclosed TLStorm—three critical vulnerabilities in APC Smart-UPS devices. The vulnerabilities allow an attacker to gain control of Smart-UPS devices from the internet with no user interaction, resulting in the UPS overloading and eventually destroying itself in a cloud of smoke. The root cause for these vulnerabilities was a misuse of NanoSSL, a popular TLS library by Mocana. Using the Armis knowledgebase—a database of more than two billion assets—our researchers identified dozens of devices using the Mocana NanoSSL library. The findings include not only the APC Smart-UPS devices but also two popular network switch vendors that are affected by a similar implementation flaw of the library. While UPS devices and network switches differ in function and levels of trust within the network, the underlying TLS implementation issues allow for devastating consequences.
The new TLStorm 2.0 research exposes vulnerabilities that could allow an attacker to take full control over network switches used in airports, hospitals, hotels, and other organizations worldwide. The affected vendors are Aruba (acquired by HPE) and Avaya Networking (acquired by Extreme Networks). We have found that both vendors have switches with remote code execution (RCE) vulnerabilities that can be exploited over the network, leading to:
These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure.
“Research at Armis is driven by one simple purpose: Identify emerging security threats to provide our customers with real-time and continuous protection,” said Barak Hadad, Head of Research, Armis. “The TLStorm set of vulnerabilities are a prime example of threats to assets that were previously not visible to most security solutions, showing that network segmentation is no longer a sufficient mitigation and proactive network monitoring is essential. Armis researchers will continue to explore assets across all environments to make sure our knowledgebase of more than two billion assets is sharing the latest threat mitigations to all of our partners and customers.”
A captive portal is the web page displayed to newly-connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a login page that may require authentication, payment, or other valid credentials that both the host and user agree upon. Captive portals provide access to a broad range of mobile and pedestrian broadband services, including cable and commercially provided Wi-Fi and home hotspots, and enterprise or residential wired networks, such as apartment complexes, hotel rooms, and business centers.
Using the TLStorm 2.0 vulnerabilities, an attacker can abuse the captive portal and gain remote code execution over the switch with no need for authentication. Once the attacker has control over the switch, they can disable the captive portal altogether and move laterally to the corporate network.
Vulnerability Details and Affected Devices
Aruba devices affected by TLStorm 2.0:
Avaya management interface pre-auth vulnerabilities
The attack surface for all three vulnerabilities in the Avaya switches is the web management portal, and none of the vulnerabilities requires any type of authentication, making this a zero-click vulnerability group.
Avaya devices affected by TLStorm 2.0:
Updates and Mitigations
Aruba and Avaya collaborated with Armis on this matter, and customers were notified and issued patches to address most of the vulnerabilities. To the best of our knowledge, there is no indication the TLStorm 2.0 vulnerabilities have been exploited.
Armis experts will discuss the TLStorm research during the following event:
Armis is the leading unified asset visibility and security platform designed to address the new threat landscape that connected devices create. Fortune 1000 companies trust our real-time and continuous protection to see with full context all managed and unmanaged assets across IT, Cloud, IoT devices, medical devices (IoMT), operational technology (OT), industrial control systems (ICS) and 5G. Armis provides passive and unparalleled cybersecurity asset management, risk management, and automated enforcement. Armis is a privately held company headquartered in Palo Alto, California. Visit www.armis.com.