TLStorm – a group of vulnerabilities found in the implementation of TLS (Transport Layer Security) in multiple models of network switches.
The unofficially named TLStorm 2.0 is a similar set with three vulnerabilities, whereas TLStorm had five.
What is TLStorm?
The root cause of these vulnerabilities was a misuse of NanoSSL, a well-known TLS library by Mocana.
By exploring the NanoSSL library further as used in network switches, Armis discovered these new vulnerabilities in the TLS implementations of multiple models of Aruba (acquired by HP) and Avaya (acquired by Extreme Networks) network switches.
Aftermath, if left unattended
These newly found vulnerabilities could allow an attacker to take full control of these switches. Exploiting these RCE (Remote Code Execution) vulnerabilities can lead to:
- Breaking network segmentation, allowing lateral movement to additional devices by changing the behavior of the switch
- Data exfiltration of corporate network traffic or sensitive information from the internal network to the internet
- Captive portal escape
How Does It Work
Uninterruptible Power Supply (UPS) devices provide backup power to many sectors where a power disruption would be catastrophic, especially in the following areas:
- Server rooms
- Medical facilities
- OT/ICS environments
The latest APC Smart-UPS models are controlled through a Cloud connection, meaning an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or visible signs of attack.
The set of discovered vulnerabilities includes two critical vulnerabilities in the TLS implementation used by Cloud-connected Smart-UPS devices:
- CVE-2022-22806 – TLS authentication bypass: a state confusion in the TLS handshake leads to an authentication bypass, which in turn allows remote code execution (RCE) via a network firmware upgrade.
- CVE-2022-22805 – TLS buffer overflow: a memory corruption bug in packet reassembly (RCE).
The third vulnerability is a design flaw: firmware updates on affected devices are not cryptographically signed in a secure manner. This allows threat actors to use such UPS devices for lateral movement and as a stronghold within the network from which additional attacks can be carried out.
- CVE-2022-0715 – Unsigned firmware that can be updated over the network (RCE).
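The design flaw behind CVE-2022-0715 is the absence of a proper signature check on firmware images. The following Go program is an added example, not Armis's research code and not the vendor's real update mechanism: it contrasts a check that only looks at a magic header (the kind of "validation" that an unsigned-update design amounts to) with a device-side verifier that requires an Ed25519 signature over the whole header and payload, a consistent length field, and a version newer than the one installed. The image layout (`FWIM` magic, version, length, payload, 64-byte signature) is a constructed format chosen for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not a real vendor format):
//   "FWIM" | version uint32 BE | payload length uint32 BE | payload | 64-byte Ed25519 signature
const magic = "FWIM"

var (
	ErrBadImage     = errors.New("malformed firmware image")
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// BuildImage is the hypothetical vendor-side step: the signature covers header and payload,
// so neither the version nor the code can be altered without invalidating it.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// AcceptsUnsigned models the flawed design: any blob with the right magic is "valid",
// so a tampered or attacker-built image passes.
func AcceptsUnsigned(img []byte) bool {
	return len(img) >= len(magic) && string(img[:len(magic)]) == magic
}

// VerifyImage is the hardened device-side check. pub is the vendor public key burned into
// the device; installed is the currently running version (for anti-rollback).
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (version uint32, payload []byte, err error) {
	hdr := len(magic) + 8
	if len(img) < hdr+ed25519.SignatureSize || string(img[:len(magic)]) != magic {
		return 0, nil, ErrBadImage
	}
	version = binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	body := len(img) - ed25519.SignatureSize // everything except the trailing signature
	if uint64(plen) != uint64(body-hdr) {     // length field must match the actual payload
		return 0, nil, ErrBadImage
	}
	// Verify before trusting any field; a failed check must never lead to a flash write.
	if !ed25519.Verify(pub, img[:body], img[body:]) {
		return 0, nil, ErrBadSignature
	}
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, img[hdr:body], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	_, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image:", err)

	tampered := append([]byte(nil), img...)
	tampered[len(magic)+8] ^= 0x01 // flip one payload byte
	fmt.Println("tampered image, magic-only check accepts:", AcceptsUnsigned(tampered))
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image, signed check:", err)
}
```

The version comparison matters as much as the signature: without it, a validly signed but older and still-vulnerable image could be pushed back onto the device, which is the usual way a "signed firmware" control is sidestepped once one flaw is public.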
These vulnerabilities can be triggered by unauthenticated network packets without any user interaction (a zero-click attack). A zero-click attack gains access to a device without the user taking any action, unlike a phishing attack, which depends on the user acting.
So far, there are no reports of the TLStorm 2.0 vulnerabilities being exploited. This research by the Armis Knowledgebase highlights that network infrastructure is exposed to attacks and that network segmentation alone is not a sufficient security measure.