Researchers have uncovered five critical vulnerabilities in the implementation of Transport Layer Security in network switches used in millions of enterprises. Dubbed TLStorm 2.0, the new vulnerabilities are a sequel to three vulnerabilities found in APC Smart-UPS last year and stem from a similar design flaw.
The original TLStorm allowed an attacker to gain control of Smart-UPS devices from the internet with no user interaction, resulting in the UPS overloading and eventually destroying itself in a cloud of smoke. The cause of these vulnerabilities was a misuse of NanoSSL, a popular TLS library by Mocana.
The Mocana NanoSSL library has been used in many devices, notably from Aruba Networks and Avaya. Network switches may differ from UPS devices in function and levels of trust within the network, but the underlying TLS implementation issues are described as allowing for devastating consequences.
The TLStorm 2.0 vulnerabilities could allow an attacker to take complete control over network switches. Attacks exploiting the vulnerabilities could include lateral movement to additional devices by changing the behavior of the switch; data exfiltration of corporate network traffic or sensitive information from the internal network to the internet; and captive portal escape.
Captive portals are used to present a login page that may require authentication, payment, or other valid credentials that both the host and user agree upon. Once attackers control the switch, they can disable the captive portal altogether and move laterally to the corporate network.
The affected Aruba devices include the 5400R Series as well as the 3810, 2920, 2930F, 2930M, 2530, and 2540. Affected Avaya devices include the ERS3500 Series along with the ERS3600, ERS4900, and ERS5900.
Customers have been notified of these issues, and patches have been released to address most of the vulnerabilities. The researchers note that, to the best of their knowledge, the TLStorm 2.0 vulnerabilities have not yet been exploited. Users of affected devices are encouraged to patch them if they have not done so already.