TLStorm 2.0 Exploits Expose Millions of Aruba and Avaya Network Switches to RCE Attacks


Security researchers at Armis have discovered five critical vulnerabilities in multiple network devices sold by Aruba and Avaya. The security flaws, dubbed TLStorm 2.0, could allow malicious actors to gain complete control of network switches typically used in hospitals, hotels, airports, and other businesses.

According to the security researchers, the TLStorm 2.0 vulnerabilities have CVSS scores of 9.0 to 9.8 and exploit the security issues in the NanoSSL TLS library. These flaws enable an attacker to modify the behavior of a network switch, gain remote access to enterprise networks and eventually steal sensitive information.

The NanoSSL TLS library implementation introduces three critical bugs on Avaya devices. The first Avaya flaw (CVE-2022-29860 is a TLS reassembly heap overflow that could potentially lead to remote code execution. Moreover, the attackers can abuse the second vulnerability (CVE-2022-29861) to execute arbitrary malicious code remotely on the network switch. Lastly, the second critical Avaya bug could cause an exploitable heap overflow.

Similarly, the first Aruba vulnerability, tracked as CVE-2022-23677, is triggered by weakness in NanoSSL. This critical flaw can be exploited by threat actors through the captive portal system. Meanwhile, CVE-2022-23676 is a memory corruption bug that exists in the RADIUS client implementation of network switches. It lets attackers overflow heap memory for remote-code execution.

“These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure,” Armis explained.

The TLStorm 2.0 flaws affect 10 million Aruba and Avaya network switches

The threat analysts found that the new set of flaws impacts around 10 million Aruba and Avaya network switches. The list of affected models includes Avaya ERS3500 Series, ERS3600 Series, ERS4900 Series, and ERS5900 Series. Additionally, Aruba devices impacted by TLStorm 2.0 include Aruba 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series, and 2540 Series.

Armis security researchers have collaborated with Aruba and Avaya to address the TLStorm 2.0 vulnerabilities in their network devices. They have confirmed that these flaws have not been exploited in the wild. However, Armis recommends customers to install the latest patches released by both vendors to mitigate potential exploitation attempts in their organizations.