TLStorm 2.0: 5 critical vulnerabilities in network switches from Aruba and Avaya

Sicherheit (Pexels, allgemeine Nutzung)[German]Network switches from Aruba and Avaya are vulnerable to RCE attacks due to 5 vulnerabilities. Security researchers from Armis, a company specializing in networked devices, who discovered the vulnerabilities call them "TLStorm 2.0" – because there was already the TLStorm case (I had published this article TLStorm: 3 critical 0-day vulnerabilities put APC Smart UPS at risk on the original discovery of the TLStorm vulnerability in smart UPS units).


TLStorm 2.0  are vulnerabilities in the implementation of TLS communications in several models of network switches. They are based on a similar design flaw as the TLStorm vulnerabilities (discovered by Armis in March 2022, see TLStorm: 3 critical 0-day vulnerabilities put APC Smart UPS at risk). The new vulnerabilities extend the reach of TLStorm devices to millions more enterprise network infrastructure devices.

The primary cause of these vulnerabilities was a misuse of NanoSSL, a popular TLS library from Mocana. Using the Armis Device Knowledgebase – a database of more than two billion assets – Armis security researchers identified dozens of devices using Mocana's NanoSSL library. The findings include not only APC's Smart UPS devices, but also two popular network switch vendors (Aruba and Avaya) that are affected by a similar implementation flaw in the library. While UPS devices and network switches differ in their function and level of trust within the network, the underlying TLS implementation issues can have devastating consequences.

TLStorm 2.0

The new TLStorm 2.0 study, produced by Armis, reveals vulnerabilities that could allow an attacker to take complete control of network switches used in airports, hospitals, hotels and other organizations worldwide. The affected vendors are Aruba (acquired by HPE) and Avaya Networking (acquired by Extreme Networks).

The security researchers found switches at both vendors vulnerable to remote code execution (RCE) vulnerabilities that can be exploited over the network, leading to the following:

  • Breach of network segmentation, allowing spillover to additional devices by altering switch behavior.
  • Data exfiltration of corporate network traffic or sensitive information from the internal network to the Internet
  • Breakout from the captive portal

These findings make it clear that TLStorm 2.0 puts the network infrastructure itself at risk and can be exploited by attackers. This in turn means that network segmentation alone is no longer sufficient as a security measure. Barak Hadad, Head of Research at Armis comments:


Security research at Armis is driven by a simple goal: Identify emerging security threats to provide continuous, real-time protection to our customers. The TLStorm vulnerabilities are a prime example of threats to assets that were previously invisible to most security solutions, demonstrating that network segmentation is no longer enough and proactive network monitoring is essential. Armis security researchers will continue to investigate assets in all environments to ensure that our knowledge base of more than two billion assets provides the latest threat defenses to all of our partners and customers.

Captive Portals

A captive portal is the web page that is presented to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are typically used to present a login page that requires authentication, payment, or other valid credentials that both the host and the user agree to. Captive Portals provide access to a wide range of mobile and "pedestrian" broadband services, including cable and commercially-provided Wi-Fi and home hotspots, as well as wired networks in businesses or homes, such as apartment complexes, hotel rooms, and business centers.

Exploiting TLStorm 2.0 vulnerabilities, an attacker can abuse the captive portal and gain remote code execution through the switch without requiring authentication. Once the attacker gains control of the switch, they can completely disable the Captive Portal and laterally penetrate the enterprise network.

Vulnerability Details and Affected Device Types


In Aruba network switches, vulnerability CVE-2022-23677 (CVSS score 9.0) exists in the NanoSSL library, which allows NanoSSL misuse on various interfaces (RCE). The NanoSSL library mentioned above is used in Aruba switch firmware for multiple purposes. There are two main use cases where the TLS connection established with the NanoSSL library is not secure and can lead to RCE:

  • Captive Portal – A captive portal user can take control of the switch before authentication.
  • RADIUS authentication-Client – A vulnerability in RADIUS connection validation could allow an attacker to intercept the RADIUS connection via a man-in-the-middle attack and gain RCE over the switch without user interaction.

Furthermore, CVE-2022-23676 (CVSS score 9.1) exists in the Radius implementation in the form of RADIUS client memory corruption vulnerabilities. RADIUS is a client/server authentication, authorization, and accounting (AAA) protocol that provides centralized authentication of users attempting to access a network service. The RADIUS server responds to access requests from network services acting as clients. The RADIUS server checks the information in the access request and responds by approving the access attempt, denying it, or requesting more information.

There are two memory corruption vulnerabilities in the switch's RADIUS client implementation; they result in heap overflows of data controlled by attackers. This can allow a malicious RADIUS server or an attacker with access to the shared RADIUS secret to remotely execute code on the switch.

Aruba devices affected by TLStorm 2.0:

  • Aruba 5400R Series
  • Aruba 3810 Series
  • Aruba 2920 Series
  • Aruba 2930F Series
  • Aruba 2930M Series
  • Aruba 2530 Series
  • Aruba 2540 Series

Avaya Management Interface vulnerabilities before authentication

The attack surface for all three Avaya switch vulnerabilities is the web management portal, and none of the vulnerabilities require any type of authentication, making them a zero-click vulnerability group.

CVE-2022-29860 (CVSS Score 9,8) – TLS Reassembly Heap Overflow

This is a similar vulnerability to CVE-2022-22805 found by Armis in APC Smart-UPS devices. The process that handles POST requests on the web server does not properly validate NanoSSL return values, resulting in a heap overflow that could lead to remote code execution.

CVE-2022-29861 (CVSS Score 9,8) – HTTP Header Parsing Stack Overflow

Improper boundary checking when handling multipart form data in combination with a string that is not null-terminated results in an attacker-controlled stack overflow that can lead to an RCE.

HTTP POST Request Handling Heap Overflow

A vulnerability in the handling of HTTP POST requests due to missing error checks of the Mocana NanoSSL library results in an attacker-controlled length heap overflow, which can lead to an RCE. This vulnerability does not have a CVE because it was found in a discontinued Avaya product line. This means that no patch will be issued to address this vulnerability, although data from Armis shows that these devices can still be found in the wild.

Avaya devices affected by TLStorm 2.0:

  • ERS3500 Series
  • ERS3600 Series
  • ERS4900 Series
  • ERS5900 Series

Updates and remediation

Aruba and Avaya have been working with Armis on this issue. Customers were notified and received patches to address most of the vulnerabilities. To Armis' knowledge, there is no evidence that the TLStorm 2.0 vulnerabilities have been exploited.

  • Enterprises deploying affected Aruba devices should patch the affected devices immediately with patches from the Aruba Support Portal here.
  • Enterprises deploying affected Avaya devices should immediately review the security advisories on the Avaya Support Portal here.

Armis experts will present the results of the TLStorm analysis at Black Hat Asia 2022 (May 10-13, 2022), titled Like Lightning From the Cloud: Finding RCEs in an Embedded TLS Library and Toasting a Popular Cloud-connected UPS.

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.