Friday, May 27 2022

Vulnerabilities found in widely used network switches could allow attackers to bypass security features such as network segmentation to gain access to critical systems

PALO ALTO, Calif., May 3, 2022 /PRNewswire/ — armisthe leading unified asset visibility and security platform, today announced the disclosure of five critical vulnerabilities, known as TLStorm 2.0, in the implementation of TLS communications in several models of network switches. The vulnerabilities stem from a similar design flaw identified in the TLStorm vulnerabilities (discovered earlier this year by Armis), extending TLStorm’s reach to millions of additional enterprise-grade network infrastructure devices.

In March 2022, Armis first disclosed TLStorm, three critical vulnerabilities in APC Smart-UPS devices. The vulnerabilities allow an attacker to take control of Smart-UPS devices from the Internet without user interaction, causing the UPS to overload and eventually destroy itself in a cloud of smoke. The root cause of these vulnerabilities was improper use of NanoSSL, a popular TLS library from Mocana. Using the Armis Knowledge Base, a database of over two billion assets, our researchers identified dozens of devices using the Mocana NanoSSL library. The results include not only APC Smart-UPS devices, but also two popular network switch vendors that are affected by a similar library implementation flaw. While network UPSs and switches differ in their function and levels of trust within the network, the underlying issues of TLS implementation have devastating consequences.

New TLStorm 2.0 research exposes vulnerabilities that could allow an attacker to take full control of network switches used in airports, hospitals, hotels and other organizations around the world. The suppliers concerned are Aruba (acquired by HPE) and Avaya Networking (acquired by ExtremeNetworks). We found that both vendors have switches vulnerable to Remote Code Execution (RCE) vulnerabilities that can be exploited on the network, resulting in:

  • Breaking network segmentation, allowing lateral movement to additional devices by changing switch behavior
  • Data exfiltration of corporate network traffic or sensitive information from the internal network to the Internet
  • Captive Portal Escape

These research findings are important because they highlight that the network infrastructure itself is at risk and exploitable by attackers, which means that network segmentation alone is no longer sufficient as a security measure.

“Research at Armis is driven by a simple goal: to identify emerging security threats to provide our customers with continuous, real-time protection,” said Barack Hadad, Head of Research, Armis. “The set of TLStorm vulnerabilities is a prime example of asset threats that were previously not visible to most security solutions, showing that network segmentation is no longer sufficient mitigation and proactive monitoring network is critical. Armis researchers will continue to explore assets across all environments to ensure that our knowledge base of over two billion assets shares the latest threat mitigations with all of our partners. and customers.”

Captive portals

A captive portal is the web page displayed to newly connected users of a Wi-Fi or wired network before they are granted wider access to network resources. Captive portals are commonly used to present a login page that may require authentication, payment, or other valid credentials that both host and user agree on. Captive portals provide access to a wide range of mobile and pedestrian broadband services, including wired and commercial Wi-Fi and home hotspots, as well as corporate or residential wired networks, such as resorts. apartments, hotel rooms and business centers.

Using the TLStorm 2.0 vulnerabilities, an attacker can abuse the captive portal and achieve remote code execution on the Switch without the need for authentication. Once the attacker has control of the switch, they can completely disable the captive portal and move laterally into the corporate network.

Vulnerability details and affected devices


  • CVE-2022-23677 (CVSS score of 9.0) – Abuse of NanoSSL on multiple interfaces (RCE)
    • The NanoSSL library mentioned above is used in all the firmware of Aruba multi-purpose switches. The two main use cases for which the TLS connection made using the NanoSSL library is not secure and can lead to an RCE:
      • Captive Portal – A captive portal user can take control of the switch before authentication.
      • RADIUS Authentication Client – A vulnerability in RADIUS connection handling could allow an attacker capable of intercepting the RADIUS connection via a man-in-the-middle attack to obtain an RCE on the switch without user interaction.
  • CVE-2022-23676 (CVSS score of 9.1) – RADIUS client memory corruption vulnerabilities
    • RADIUS is a client/server authentication, authorization, and accounting (AAA) protocol that provides centralized authentication for users attempting to access a network service. The RADIUS server responds to access requests from network services that act as clients. The RADIUS server verifies the access request information and responds by allowing the access attempt, rejecting it, or requesting more information.
    • There are two memory corruption vulnerabilities in the switch’s RADIUS client implementation; they lead to attacker-controlled data heap overflows. This could allow a malicious RADIUS server or an attacker with access to the RADIUS shared secret to remotely execute code on the switch.

Aruba Devices impacted by TLStorm 2.0:

  • Aruba 5400R Series
  • Aruba 3810 Series
  • Aruba 2920 series
  • Aruba 2930F Series
  • Aruba 2930M Series
  • Aruba 2530 series
  • Aruba 2540 Series

Avaya Management Interface Pre-Authentication Vulnerabilities

The attack surface for all three Avaya switch vulnerabilities is the web management portal, and none of the vulnerabilities require any type of authentication, making this a group of no-click vulnerabilities.

  • CVE-2022-29860 (CVSS 9.8) – TLS reassembly heap overflow
    • This is a vulnerability similar to CVE-2022-22805 that Armis found in APC Smart-UPS devices. The process handling POST requests on the web server does not properly validate NanoSSL return values, resulting in a heap overflow that can lead to remote code execution.
  • CVE-2022-29861 (CVSS 9.8) – HTTP header parse stack overflow
    • Improper bounds checking in multipart form data handling combined with a non-null-terminated string leads to an attacker-controlled stack overflow that can lead to an RCE.
  • HTTP POST request handling heap overflow
    • A vulnerability in the handling of HTTP POST requests due to missing error checks of the Mocana NanoSSL library results in an attacker-controlled length heap overflow, which may lead to RCE. This vulnerability does not have a CVE as it was found in a discontinued product line from Avaya, meaning no patches will be released to address this vulnerability, although data from Armis shows that these devices can always be found in nature.

Avaya devices affected by TLStorm 2.0:

  • ERS3500 series
  • ERS3600 Series
  • ERS4900 series
  • ERS5900 Series

Updates and mitigations

Aruba and Avaya has worked with Armis on this issue, and customers have been notified and have released patches to address most vulnerabilities. To our knowledge, there is no indication that the TLStorm 2.0 vulnerabilities have been exploited.

Deploying organizations impacted Aruba devices should patch affected devices immediately with patches in the Aruba Support Portal here.

Organizations deploying affected Avaya devices should immediately review the security advisories on the Avaya Support Portal here.

Armis customers can immediately identify vulnerable devices in their environment and begin remediation. To speak to an Armis expert and learn about our award-winning Unified Asset Security and Visibility Platform, click here.

Research presentations

Armis experts will discuss TLStorm research at the following event:

Additional Resources

About Armis

Armis is the leading unified asset visibility and security platform designed to address the new threat landscape created by connected devices. Fortune 1000 companies trust our real-time, continuous protection to see with complete context all managed and unmanaged assets across IT, cloud, IoT devices, medical devices (IoMT), technology (OT), Industrial Control Systems (ICS) and 5G. Armis provides unparalleled passive cybersecurity asset management, risk management and automated enforcement. Armis is a private company headquartered in Palo Alto, California. To visit

Media contacts:
City of Dillon
Senior Director, Public Relations and Media
[email protected]



More than 5 million people march on May Day in Cuba, a country of 11 million inhabitants


As Truist Buys Fintech Without CRA Review FDIC Unaware of Merger Review

Check Also