Researchers at cybersecurity firm Armis Inc. have uncovered five critical vulnerabilities in the implementation of Transport Layer Security in network switches used in millions of enterprises.
Dubbed “TLStorm 2.0,” a sequel to three vulnerabilities found by Armis in APC Smart-UPS last year, the new vulnerabilities steam from a similar design flaw. The original TLStorm allowed an attacker to gain control of Smart UPS devices from the internet with no user interaction, resulting in the UPS overloading and eventually destroying itself in a cloud of smoke. The cause for these vulnerabilities was a misuse of NanoSSL, a popular TLS library by Mocana.
Using its knowledge base of more than 2 billion assets, Armis researchers have identified dozens of devices using the Mocana NanoSSL library. These devices include those from Aruba Networks, owned by Hewlett-Packard Enterprise Co., and Avaya Inc. Network switches may differ from UPS devices in function and levels of trust within the network, but the underlying TLS implementation issues is described as allowing for devastating consequences.
TLStorm 2.0 vulnerabilities could allow an attacker to take complete control over network switches used in airports, hospitals, hotels and other organizations worldwide. Attacks exploiting the vulnerabilities include the potential of lateral movement to additional devices by changing the behavior of the switch; data exfiltration of corporate network traffic or sensitive information from the internal network to the internet; and “captive portal” escape.
A captive portal is the web page displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are used to present a login page that may require authentication, payment or other valid credentials that both the host and user agree upon. Once attackers control the switch, they can disable the captive portal altogether and move laterally to the corporate network.
The affected Aruba devices include the 5400R Series as well as the 3810, 2920, 2930F, 2930M, 2530 and 2540. Affected Avaya devices include the ERS3500 Series along with the ERS3600, ERS4900 and ERS5900.
The researchers at Armis worked with both Aruba and Avaya before disclosing the issues and customers have been notified and issued patchers to address most of the vulnerabilities. The researchers note that to the best of their knowledge, TLStorm 2.0 vulnerabilities have not yet been exploited.
Users of affected devices are encouraged to patch them if they have not done so already.
“The TLStorm set of vulnerabilities are a prime example of threats to assets that were previously not visible to most security solutions, showing that network segmentation is no longer a sufficient mitigation and proactive network monitoring is essential,” Barak Hadad, head of research at Armis, said in a statement.