Armis discovers “TLStorm 2.0”, five critical vulnerabilities in network switches, organizations around the world at risk

Armis discovers “TLStorm 2.0”, five critical vulnerabilities in network switches, organizations around the world at risk

Vulnerabilities found in widely used network switches could allow attackers to bypass security features, such as network segmentation, to gain access to critical systems.

PALO ALTO, Calif., May 3, 2022 /PRNewswire/ — Armisthe leading unified asset visibility and security platform, today announced the disclosure of five critical vulnerabilities, known as TLStorm 2.0, in the implementation of TLS communications in multiple models of network switches. The vulnerabilities stem from a similar design flaw identified in the TLStorm vulnerabilities (discovered earlier this year by Armis), expanding the reach of TLStorm to millions of additional enterprise-grade network infrastructure devices.

In March 2022, Armis first disclosed TLStorm: three critical vulnerabilities in APC Smart-UPS devices. The vulnerabilities allow an attacker to gain control of Smart-UPS devices from the Internet without user interaction, causing the UPS to overload and ultimately destroy itself in a cloud of smoke. The root cause of these vulnerabilities was a misuse of NanoSSL, a popular TLS library from Mocana. Using the Armis Knowledge Base, a database of over two billion assets, our researchers identified dozens of devices using the Mocana NanoSSL library. The findings include not only APC Smart-UPS devices, but also two popular network switch vendors affected by a similar library implementation flaw. While UPS devices and network switches differ in function and levels of trust within the network, underlying TLS implementation issues allow for devastating consequences.

New TLStorm 2.0 research exposes vulnerabilities that could allow an attacker to take full control of network switches used in airports, hospitals, hotels, and other organizations around the world. Affected vendors are Aruba (acquired by HPE) and Avaya Networking (acquired by ExtremeNetworks). We discovered that both vendors have switches that are vulnerable to remote code execution (RCE) vulnerabilities that can be exploited over the network, leading to:

  • Breaking network segmentation, allowing lateral movement to additional devices by changing switch behavior
  • Data exfiltration of corporate network traffic or sensitive information from the internal network to the Internet
  • Captive Portal Escape

The results of this research are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure. .

“Research at Armis is driven by a simple purpose: to identify emerging security threats to provide our clients with continuous, real-time protection,” he said. barak hadad, Head of Research, Armis. “The TLStorm vulnerability set is an excellent example of threats to assets that were previously not visible to most security solutions, demonstrating that network segmentation is no longer a sufficient mitigation and that proactive monitoring network is essential. Armis researchers will continue to scan assets across all environments to ensure our knowledge base of over two billion assets shares the latest threat mitigations with all our partners and customers.”

captive portals

A captive portal is the web page displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a login page that may require authentication, payment, or other valid credentials agreed upon by both the host and the user. Captive portals provide access to a wide range of pedestrian and mobile broadband services, including wired and commercially provided Wi-Fi and home hotspots, and business or residential wired networks such as apartment complexes, hotel rooms and business centers.

Using the vulnerabilities in TLStorm 2.0, an attacker can abuse the captive portal and gain remote code execution through the switch without the need for authentication. Once the attacker has control over the switch, they can disable the captive portal entirely and move laterally into the corporate network.

Vulnerability details and affected devices


  • CVE-2022-23677 (CVSS score of 9.0) – Misuse of NanoSSL in multiple interfaces (RCE)
    • The NanoSSL library mentioned above is used in all firmware of Aruba switches for multiple purposes. The two main use cases for which the TLS connection made with the NanoSSL library is not secure and can lead to RCE:
      • Captive Portal: A captive portal user can take control of the switch before authentication.
      • RADIUS Authentication Client: A vulnerability in RADIUS connection handling could allow an attacker who can intercept the RADIUS connection via a man-in-the-middle attack to obtain RCE through the switch without user interaction.
  • CVE-2022-23676 (CVSS score of 9.1) – RADIUS client memory corruption vulnerabilities
    • RADIUS is an authentication, authorization, and accounting (AAA) client/server protocol that enables central authentication for users trying to access a network service. The RADIUS server responds to access requests from network services acting as clients. The RADIUS server verifies the information in the access request and responds with an authorization of the access attempt, a denial, or a challenge for more information.
    • There are two memory corruption vulnerabilities in the switch’s RADIUS client implementation; lead to overflows of heaps of data controlled by attackers. This can allow a malicious RADIUS server, or an attacker with access to the RADIUS shared secret, to remotely execute code on the switch.

Aruba devices affected by TLStorm 2.0:

  • Aruba 5400R series
  • Aruba 3810 series
  • Aruba 2920 series
  • Aruba 2930F Series
  • Aruba 2930M Series
  • Aruba 2530 series
  • Aruba 2540 series

Avaya Management Interface Pre-Authentication Vulnerabilities

The attack surface for all three Avaya switch vulnerabilities is the web management portal, and none of the vulnerabilities require any type of authentication, making this a no-click vulnerability group.

  • CVE-2022-29860 (CVSS 9.8) – TLS reassembly heap overflow
    • This is a vulnerability similar to CVE-2022-22805 that Armis found on APC Smart-UPS devices. The process that handles POST requests on the web server does not properly validate NanoSSL return values, leading to a heap overflow that can lead to remote code execution.
  • CVE-2022-29861 (CVSS 9.8) – HTTP header parsing stack overflow
    • An incorrect bounds check in multipart form data handling combined with a non-null terminated string leads to an attacker controlled stack overflow that can lead to RCE.
  • HTTP POST request handling heap overflow
    • A vulnerability in the handling of HTTP POST requests due to the Mocana NanoSSL library’s missing error checks leads to an attacker-controlled length heap overflow, which can lead to RCE. This vulnerability does not have a CVE because it was found in a discontinued Avaya product line, which means that no patch will be issued to fix this vulnerability, although Armis data shows that these devices can still be found in the wild.

Avaya devices affected by TLStorm 2.0:

  • ERS3500 series
  • ERS3600 series
  • ERS4900 series
  • ERS5900 series

Updates and mitigations

Aruba and Avaya collaborated with Armis on this matter, and customers were notified and patches were issued to address most of the vulnerabilities. To our knowledge, there is no indication that the TLStorm 2.0 vulnerabilities have been exploited.

Impacted Implementing Organizations Aruba devices should patch affected devices immediately with patches on the Aruba Support Portal here.

Organizations deploying affected Avaya devices should review the security advisories immediately on the Avaya Support Portal. here.

Armis customers can immediately identify the devices that are vulnerable in their environments and start remediation. To speak with an Armis expert and experience our award-winning unified security and asset visibility platform, click here.

research presentations

Armis experts will discuss TLStorm research during the following event:

Additional Resources

About Armis

Armis is the leading unified security and asset visibility platform designed to address the new threat landscape created by connected devices. Fortune 1000 companies rely on our real-time, continuous protection to see with full context all managed and unmanaged assets across IT, Cloud, IoT Devices, Medical Devices (IoMT), Operational Technology (OT), Industrial Control Systems (ICS) and 5G. Armis provides unparalleled passive cybersecurity asset management, risk management, and automated compliance. Armis is a private company based in Palo Alto, Calif.. To visit

Media contacts:
Dillon Township
Senior Director, Public and Media Relations
[email protected]

Logo –


Leave a Comment