TLStorm 2.0 – Airports, Hotels, and Enterprises at Risk to New Vulnerabilities

May 5, 2023

Researchers at Armis have disclosed five vulnerabilities in network switches from Aruba and Avaya, collectively known as TLStorm 2.0. Several of them are reachable from a guest network before any credential is checked, so the usual perimeter measures (segmentation, captive portals, access policies) do not keep an attacker out on their own.

The flaws, which can yield remote code execution (RCE) on millions of deployed devices, stem from the way the switch firmware uses NanoSSL, a TLS library from Mocana. Misuse of the same library was behind the original TLStorm vulnerabilities that Armis reported in APC Smart-UPS devices in March 2022.

1. Captive Portal Escape

Captive portals are web pages that enable network administrators to impose limits on internet access by requiring users to verify their identity, accept an acceptable use policy (AUP), and/or log in. They’re commonly used at airports, hotels, business centers and mobile operators in order to manage bandwidth consumption, protect against cybercrime and monitor user behavior.

Captive portal authentication is meant to keep unauthorized users off the network and can be used on both wireless and wired guest networks. A portal can verify users against social media or other credentials, enforce an idle timeout and a hard timeout on each session, cap bandwidth, and limit how many devices one account may have online at the same time.

Some captive portals allow users to register or log in using their social media accounts, enabling businesses to segment customer contact databases based on demographics and behaviors. This data can be utilized for sending more tailored marketing messages and decreasing churn rates.

Another key advantage of captive portals is their ability to control access to the internet by granting or denying specific websites and resources to guest users. Administrators have complete control over this process through whitelisting and blacklisting URLs, which they can customize according to what kind of internet access they want guests to have.
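The policy described above, idle and hard timeouts, a per-account device limit, and a post-login hostname blacklist, is small enough to write out. The block below is an added example for this page, not code from Armis, Aruba or any portal product; the struct layout, function names, timeout values and the blocked hostnames are this example's own assumptions, and it assumes (as in the Aruba case discussed in this article) that the portal is served from the switch's own address. The point worth noticing is the pre-auth branch: the only services an unauthenticated guest can reach are DNS and the portal listener itself, which is exactly the surface a pre-auth bug in that listener exposes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

enum verdict { DENY = 0, REDIRECT = 1, ALLOW = 2 };

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Policy for one guest VLAN. Field names and values are this example's own. */
struct portal_policy {
    uint32_t portal_ip;         /* the switch's own address, where the portal is served */
    uint16_t portal_port;       /* the portal's HTTPS listener */
    time_t   idle_timeout;      /* seconds without traffic before a session lapses */
    time_t   hard_timeout;      /* seconds after login before it lapses regardless */
    int      max_devices;       /* simultaneous sessions allowed per account */
    const char *const *blocked; /* hostname blacklist applied after login */
    int      n_blocked;
};

/* One guest device (a real switch would key this on the client MAC). */
struct session {
    char   account[32];
    time_t login_at;
    time_t last_seen;
    int    authenticated;
};

/* Bind a device to an account, refusing once the account already holds
 * max_devices live sessions. Returns 0 on success, -1 at the device limit. */
int portal_login(const struct portal_policy *p, const struct session *all, int n,
                 struct session *s, const char *account, time_t now)
{
    int live = 0;
    for (int i = 0; i < n; i++)
        if (all[i].authenticated && strcmp(all[i].account, account) == 0) live++;
    if (live >= p->max_devices) return -1;
    strncpy(s->account, account, sizeof s->account - 1);
    s->account[sizeof s->account - 1] = '\0';
    s->login_at = s->last_seen = now;
    s->authenticated = 1;
    return 0;
}

/* Decide one flow from a guest device. host is the HTTP Host or TLS SNI name
 * when the switch can see one, NULL otherwise. */
enum verdict portal_decide(const struct portal_policy *p, struct session *s, time_t now,
                           uint32_t dst_ip, uint16_t dst_port, const char *host)
{
    if (!s->authenticated) {
        /* Pre-auth: DNS and the portal itself are reachable, everything else is
         * redirected so the browser lands on the login page. Note what this
         * implies: the portal's TLS/HTTP listener answers every device on the
         * guest VLAN before any credential is checked, which is the surface the
         * TLStorm 2.0 captive portal escape targets. */
        if (dst_port == 53) return ALLOW;
        if (dst_ip == p->portal_ip && dst_port == p->portal_port) return ALLOW;
        return REDIRECT;
    }
    /* Timeouts: an expired session drops the device back to the pre-auth state. */
    if (now - s->login_at > p->hard_timeout || now - s->last_seen > p->idle_timeout) {
        s->authenticated = 0;
        return REDIRECT;
    }
    s->last_seen = now;
    /* Post-auth hostname blacklist; a whitelist would invert the sense of this loop. */
    for (int i = 0; host != NULL && i < p->n_blocked; i++)
        if (strcmp(host, p->blocked[i]) == 0) return DENY;
    return ALLOW;
}

int main(void) {
    const char *const blocked[] = { "malware.example", "phish.example" };  /* constructed list */
    struct portal_policy p = { IP4(10, 0, 0, 1), 443, 600, 8 * 3600, 2, blocked, 2 };
    struct session dev[3];
    memset(dev, 0, sizeof dev);
    time_t t0 = 1700000000;   /* fixed clock so the run is reproducible */

    printf("pre-auth, 1.1.1.1:443      -> %d (1 = redirect to portal)\n",
           portal_decide(&p, &dev[0], t0, IP4(1, 1, 1, 1), 443, "example.com"));
    printf("pre-auth, portal:443       -> %d (2 = allow)\n",
           portal_decide(&p, &dev[0], t0, p.portal_ip, 443, NULL));
    portal_login(&p, dev, 3, &dev[0], "guest42", t0);
    portal_login(&p, dev, 3, &dev[1], "guest42", t0);
    printf("third device, same account -> %d (-1 = device limit)\n",
           portal_login(&p, dev, 3, &dev[2], "guest42", t0));
    printf("post-auth, example.com     -> %d\n",
           portal_decide(&p, &dev[0], t0 + 10, IP4(1, 1, 1, 1), 443, "example.com"));
    printf("post-auth, phish.example   -> %d (0 = deny)\n",
           portal_decide(&p, &dev[0], t0 + 20, IP4(1, 1, 1, 1), 443, "phish.example"));
    printf("after 601 s idle           -> %d\n",
           portal_decide(&p, &dev[0], t0 + 621, IP4(1, 1, 1, 1), 443, "example.com"));
    return 0;
}
```

Everything in the pre-auth branch is reachable by design, so it is the part of the switch that must be fuzzed and patched first; the timeouts and blacklist only matter once the portal itself can be trusted.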

Public networks fronted by a captive portal are shared with strangers, so devices on them are exposed to Man-in-the-Middle (MitM) attacks and to direct probing from other guests. TLStorm 2.0 adds a worse case. The portal is served by the switch itself, and a guest who has not yet logged in can still talk to that web server, because that is how the login page gets delivered. By sending a malformed request to it, an attacker can trigger the flaw in the switch's TLS handling, run code on the switch, and step out of the guest network entirely, bypassing the firewall rules that were supposed to confine them.

Guest traffic should therefore sit behind a filtering firewall rather than relying on the switch alone. The Zenarmor plugin for OPNsense, for example, can block known malicious and phishing domains for guest clients. That limits what a guest can reach, but it does not protect the switch's own portal listener; only the vendor's firmware update closes that hole.

2. Network Segmentation Breaking

TLStorm 2.0 bugs affect network switches manufactured by Avaya and Aruba, the devices that connect computers, printers, servers and other equipment to the network. If exploited, these vulnerabilities let an attacker take over the switch itself, intercept or alter the traffic passing through it, and reach machines they had no path to before.

This vulnerability could also allow hackers to transition from a guest virtual local area network (VLAN) into the corporate VLAN, giving them access to the core switch and control over traffic between all network segments.

This poses a significant security risk, as attackers could move laterally through an organization's entire network and cause extensive harm. Network segmentation is the standard defense against such lateral movement, which is precisely why a bug in the device that enforces the segmentation matters so much.

Network segmentation is a popular method companies use to separate certain applications and endpoints from others. This helps guarantee only authorized, vetted users have access to sensitive information, while meeting compliance regulations and reducing the risk of data loss or leaks.

Another advantage of network segmentation is that it makes traffic easier to monitor. Administrators can spot suspicious activity at the boundaries between segments, log events, and record which connections were approved or denied, which lowers the chance that IT staff miss a threat and can improve performance at the same time.

Network segmentation is an essential step in many businesses’ cybersecurity plans, yet it must be implemented properly – particularly when it comes to preventing third-party risk exposure.

Network administrators generally should never grant untrusted users full access to their organization’s network. The only exception would be if an administrator has specifically granted that user permission to access a specific part of the network or has created a special portal with specific permissions.

It is essential to avoid granting a user or a device access to multiple network segments without monitoring the boundary between them. Doing so creates a path for unauthorized entry, and the risk grows in multi-cloud environments where the boundaries are spread across several providers.

3. Remote Code Execution (RCE)

TLStorm 2.0, a group of vulnerabilities in an established TLS library, could allow malicious actors to break into network switches used by businesses, schools and hospitals around the world. These devices link individual computers and servers, printers and other peripherals to networks.

Two classic routes to RCE in application code are injection and deserialization. Injection feeds crafted user input into something that interprets it (a SQL engine, an operating system shell, an LDAP query), so the input becomes part of the code that runs. Insecure deserialization abuses the step where an application turns stored or transmitted bytes back into live objects, so that attacker-supplied bytes reconstruct objects the application never intended to create.

In native code and firmware the usual route is memory corruption: a buffer overflow lets the attacker overwrite memory and redirect execution into code of their choosing. No credentials are needed when the vulnerable parser handles unauthenticated input, which is the situation for a switch's TLS or HTTP listener; the exploit is simply a malformed request sent to that port.

RCE vulnerabilities are found and contained through patch management, vulnerability testing and network monitoring. On a switch that means tracking the vendor's firmware advisories, not just workstation patches, and it is not only the IT department's job; every employee who keeps a machine patched closes off one more foothold.

Remote Code Execution is a serious threat in the world of cyber security. It can be used to steal information, alter permissions and encrypt or destroy files. The 2017 ransomware attack known as "WannaCry" spread rapidly by exploiting an RCE flaw in Windows' SMBv1 implementation, which let the worm run on unpatched machines across a network without any user action and then encrypt their files.

The first step in preventing RCE attacks is patching the vulnerability that gives the attacker a way in. Beyond that, restrict which networks can reach management and portal listeners with firewall rules, and validate or sanitize all user input before it reaches an interpreter or a parser.

In interpreted languages, dynamic code evaluation is a common cause: code that builds a string from client-supplied data and then evaluates it as source hands the attacker control of the application. If an attacker knows their input will end up in generated code, they can shape it to gain remote code execution and complete control over the application.

Injection itself comes in several forms. SQL injection, OS command injection and Lightweight Directory Access Protocol (LDAP) injection are the common ones, each named for the interpreter the malicious input reaches.

4. Heap Overflow

If you have read any book on security, chances are you have encountered the term "buffer overflow." The idea is simple: a program writes more data into a buffer than the buffer was sized for, so the excess lands in whatever memory sits next to it. When the attacker controls that data, they can alter values the program later trusts, including control-flow data, and end up running code of their choosing with the privileges of the process, which on a switch is typically the whole system.

Buffer overflows come in two varieties, stack-based and heap-based. Stack-based overflows are the classic and most widely exploited kind, because the return address of the current function sits on the stack just past the local buffers; overwriting it redirects execution the moment the function returns.

Heap-based overflows corrupt data in the heap, the region of memory the program allocates dynamically at runtime with malloc and similar calls. There is no return address conveniently adjacent to a heap buffer, so they are generally harder to exploit.

To take advantage of a heap-based overflow, the attacker first has to shape the heap so that something worth corrupting sits right after the overflowing buffer: allocating and freeing objects in a chosen order until a target object lands in the neighbouring chunk, then triggering the overflow to write into it.

What gets overwritten is either application data in that neighbouring object (a function pointer, a length field, a pointer to other data) or the allocator's own bookkeeping, the malloc metadata stored in each chunk header. Corrupting a function pointer gives the attacker control the next time the program calls through it; corrupting malloc metadata has historically let an attacker trick the allocator into writing an attacker-chosen value to an attacker-chosen address when the chunk is freed.

Either way the attacker then steers execution to their own code or, where memory is not executable, chains together fragments of code that already exist in the program.

All of this takes more setup than a stack smash and usually extra requests to produce the right allocation pattern, but it is routinely achievable, and embedded firmware, which often runs without ASLR and with a predictable heap layout, can make it easier than on a desktop operating system.

Heap overflows are an old class of bug, not a new one, but they can be hard to spot in testing because the corruption surfaces in some other object, sometimes long after the write. Defences exist: hardened allocators that verify their metadata, non-executable memory and ASLR, and, at the root, a bounds check on every length and size field the code takes from a packet, whose absence is how the TLStorm 2.0 memory-corruption bugs arise.
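The shape of the bug behind this section, and behind the buffer-overflow paragraph in section 3, is a parser that reads a length field from the network and trusts it when copying into a fixed-size heap buffer. The block below is an added example written for this page, not code from Armis, Aruba, Avaya or Mocana's NanoSSL; the reassembly struct, the function names and the 18432-byte buffer size are this example's own assumptions, and the header-must-arrive-whole rule is a simplification. It reassembles TLS records from TCP segments the way a switch's TLS front end must, keeps an unchecked variant for contrast (never called), and feeds the hardened variant a record split across two segments plus a hostile header that declares a 65535-byte body.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS_HDR_LEN    5u
#define TLS_MAX_RECORD 18432u  /* 2^14 plaintext bytes plus the 2048-byte expansion TLS 1.2 permits */

/* Per-connection reassembly state (this example's own layout). The body buffer
 * is a heap allocation sized for the largest legal record, which is why an
 * unchecked length field here is a heap overflow rather than a stack one. */
struct tls_reasm {
    uint8_t *body;     /* heap buffer of TLS_MAX_RECORD bytes */
    size_t   expected; /* body length declared by the header; 0 = no header yet */
    size_t   filled;   /* body bytes received so far */
};

int tls_reasm_init(struct tls_reasm *r) {
    r->body = malloc(TLS_MAX_RECORD);
    r->expected = r->filled = 0;
    return r->body ? 0 : -1;
}
void tls_reasm_reset(struct tls_reasm *r) { r->expected = r->filled = 0; }
void tls_reasm_free(struct tls_reasm *r)  { free(r->body); r->body = NULL; }

/* Decode the 5-byte record header: type(1) version(2) length(2, big-endian).
 * Returns the declared body length, or -1 if this is not a TLS header at all. */
int tls_parse_header(const uint8_t *hdr) {
    if (hdr[0] < 20 || hdr[0] > 23) return -1;  /* change_cipher_spec .. application_data */
    if (hdr[1] != 3) return -1;                 /* major version 3 = SSL 3.0 / TLS 1.x */
    return (hdr[3] << 8) | hdr[4];
}

/* VULNERABLE: trusts the 16-bit length field. A header declaring 0xFFFF bytes
 * lets the peer push 65535 bytes into an 18432-byte heap buffer, overwriting
 * the allocator's chunk metadata and whatever object the heap placed after it.
 * Kept for contrast only; nothing below calls it. */
int tls_reasm_feed_unchecked(struct tls_reasm *r, const uint8_t *data, size_t n) {
    if (r->expected == 0) {
        if (n < TLS_HDR_LEN) return -1;
        int len = tls_parse_header(data);
        if (len < 0) return -1;
        r->expected = (size_t)len;          /* no comparison against TLS_MAX_RECORD */
        data += TLS_HDR_LEN;
        n -= TLS_HDR_LEN;
    }
    memcpy(r->body + r->filled, data, n);   /* no comparison against the buffer size */
    r->filled += n;
    return r->filled >= r->expected;
}

/* HARDENED: 1 = record complete, 0 = need more bytes, -1 = header rejected.
 * *consumed reports how many input bytes belonged to this record, so the
 * caller can hand the remainder to the next one. */
int tls_reasm_feed(struct tls_reasm *r, const uint8_t *data, size_t n, size_t *consumed) {
    *consumed = 0;
    if (r->expected == 0) {
        if (n < TLS_HDR_LEN) return 0;      /* simplification: the header must arrive whole */
        int len = tls_parse_header(data);
        if (len < 0 || (size_t)len > TLS_MAX_RECORD) return -1;   /* the check that was missing */
        r->expected = (size_t)len;
        data += TLS_HDR_LEN;
        n -= TLS_HDR_LEN;
        *consumed = TLS_HDR_LEN;
    }
    size_t want = r->expected - r->filled;  /* never more than TLS_MAX_RECORD */
    size_t take = n < want ? n : want;      /* never past the record, so never past the buffer */
    memcpy(r->body + r->filled, data, take);
    r->filled += take;
    *consumed += take;
    return r->filled == r->expected;
}

int main(void) {
    struct tls_reasm r;
    size_t used;
    if (tls_reasm_init(&r) != 0) return 1;

    /* Constructed handshake record (type 0x16, TLS 1.2, body "abcd") split across two
     * TCP segments; the stray 0x17 ending the second segment begins the next record. */
    const uint8_t seg1[] = { 0x16, 0x03, 0x03, 0x00, 0x04, 'a', 'b' };
    const uint8_t seg2[] = { 'c', 'd', 0x17 };
    printf("segment 1 -> %d (0 = need more)\n", tls_reasm_feed(&r, seg1, sizeof seg1, &used));
    int rc = tls_reasm_feed(&r, seg2, sizeof seg2, &used);
    printf("segment 2 -> %d (1 = complete), consumed %zu of %zu bytes\n", rc, used, sizeof seg2);
    tls_reasm_reset(&r);

    /* Constructed hostile header: declares a 65535-byte body for an 18432-byte buffer. */
    const uint8_t evil[] = { 0x16, 0x03, 0x03, 0xFF, 0xFF, 'x' };
    printf("oversized record -> %d (-1 = rejected)\n", tls_reasm_feed(&r, evil, sizeof evil, &used));
    tls_reasm_free(&r);
    return 0;
}
```

The difference between the two feed functions is two comparisons, one against the protocol maximum and one against the bytes still owed to the current record. The second also matters: even with a sane declared length, copying whatever the segment carries rather than only the bytes that belong to this record would spill the start of the next record into the buffer.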

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

