Armis Finds Vulnerabilities in Network Switches from Avaya, Aruba

Threat actors could shut down entire systems and cause widespread business disruption.

Edward Gately, Senior News Editor

May 3, 2022

3 Min Read
Network Switches

Armis has discovered five vulnerabilities, known as TLStorm 2.0, in numerous models of network switches manufactured by Avaya Networking and Aruba.

Extreme Networks acquired Avaya Networking in 2017 and HPE acquired Aruba in 2015. Armis has found that both vendors have switches vulnerable to remote code execution (RCE) vulnerabilities that bad actors can  exploi over the network.

These vulnerabilities could allow attackers to take full control over common network equipment and gain access to everything in the environment.

If threat actors exploit the vulnerabilities, they could move laterally across networks. They could also shut down entire systems and cause widespread business disruption.

Vulnerabilities Similar to TLStorn

The vulnerabilities stem from a similar design flaw identified in the TLStorm vulnerabilities in APC Smart-UPS devices. Armis discovered those earlier this year. The new vulnerabilities expand the reach of TLStorm to potentially millions of additional enterprise-grade network infrastructure devices.

Barak Hadad is Armis‘ head of research.


Armis’ Barak Hadad

“The vulnerabilities for all three vendors (APC, Aruba and Avaya) are caused by the same misuse of an external library known as NanoSSL by Mocana,” he said. “This means that completely different developers, working on completely different codebases, made the same mistake.”

Organizations often treat network segmentation as a bulletproof security mechanism, Hadad said.

“The TLStorm 2.0 vulnerabilities in switches show that network segmentation is not enough to protect important segments of the network,” he said.

Armis isn’t aware of vulnerability exploits in the wild, Hadad said.

Captive portals are commonly used to present a EULA, or a login page that may require authentication, payment or other valid credentials that both the host and user agree to adhere to,” he said.

Organizations use captive portals for a broad range of mobile and pedestrian broadband services, Hadad said. Those include cable, and commercially provided Wi-Fi and home hotspots.

In addition, a captive portal can provide access to enterprise or residential wired networks. Those include apartment houses, hotel rooms and business centers.

Patches Available for Most of the Vulnerabilities

Aruba and Avaya collaborated with Armis on this matter. The companies notified customers and issued patches to address most of the vulnerabilities. Organizations deploying impacted Aruba devices should patch impacted devices immediately with patches in the Aruba Support Portal.

When contacted, Extreme Networks sent us the following statement:

“Extreme Networks has issued BOSS 7.9.2 firmware update, which includes fixes to the stated vulnerability. This update is available for all ERS platform customers.”

HPE sent us the following statement:

“HPE is aware of this issue, which impacts a limited number of switch models and firmware versions, and is working on a firmware update to address it. In the interim, we are advising customers using affected products to implement firewall controls to protect themselves. We are not aware of any exploitation of this vulnerability involving Aruba customers.”

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.

Read more about:


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like