APC UPS zero-day vulnerabilities may remotely burn out equipment and deactivate power.
A set of three significant zero-day vulnerabilities, collectively known as TLStorm, could let attackers take control of uninterruptible power supply (UPS) systems made by APC, a subsidiary of Schneider Electric.
The issues impact APC Smart-UPS systems, which are used in a range of activity areas such as government, healthcare, industrial, information technology, and retail.
UPS units provide emergency power backup in mission-critical situations such as data centers, industrial facilities, and hospitals.
Physical impact danger
Armis, a startup that provides security solutions for connected devices in companies, discovered the three flaws in APC’s SmartConnect and Smart-UPS product families.
CVE-2022-22805 and CVE-2022-22806 are flaws in the implementation of the TLS (Transport Layer Security) protocol that connects Smart-UPS units equipped with the “SmartConnect” feature to the Schneider Electric management cloud.
The third, CVE-2022-0715, affects the firmware of “nearly all APC Smart-UPS devices,” which is not cryptographically signed and therefore cannot be verified when it is loaded onto the system.
While the firmware is encrypted (symmetrically), it carries no cryptographic signature, so a threat actor can build a malicious version and deliver it as an update to target UPS units in order to gain remote code execution (RCE).
Armis researchers exploited the issue and created a rogue APC firmware image that Smart-UPS units accepted as a legitimate upgrade; the delivery path differed depending on the target:
- The newest Smart-UPS equipment with the SmartConnect cloud connection feature may be updated through the Internet via the cloud management panel.
- Older Smart-UPS machines that employ the Network Management Card (NMC) can be upgraded through the local network.
- A USB drive may also be used to upgrade most Smart-UPS units.
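The point made above, that encryption alone does not authenticate a firmware image, is easy to see in code. The following is an added example and not APC or Schneider Electric code: it models a constructed image layout (a 64-byte Ed25519 signature followed by an AES-CTR ciphertext), a weak loader that only decrypts, and a hardened loader that verifies the signature over the ciphertext before decrypting. The fleet key, the `FW:` marker and the image layout are assumptions made for the example.

```go
// Added example (not APC/Schneider code): why symmetric encryption alone does not
// authenticate a firmware image, and what a signature check over the image adds.
// Constructed image layout: [64-byte Ed25519 signature][AES-CTR ciphertext].
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const sigLen = ed25519.SignatureSize

// Constructed fleet-wide symmetric key. Because one key protects every unit,
// anyone who recovers it from a single device can produce "valid" ciphertext.
var fleetKey = sha256.Sum256([]byte("constructed-fleet-firmware-key"))

// cryptBody encrypts (or, since CTR is symmetric, decrypts) a body under the
// fleet key. The all-zero IV is used only to keep this example deterministic.
func cryptBody(body []byte) []byte {
	block, err := aes.NewCipher(fleetKey[:])
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(body))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, body)
	return out
}

// buildSignedImage models the vendor pipeline: encrypt, then sign the ciphertext.
func buildSignedImage(priv ed25519.PrivateKey, body []byte) []byte {
	ct := cryptBody(body)
	return append(ed25519.Sign(priv, ct), ct...)
}

// buildUnsignedImage models what a holder of only the symmetric key can
// produce: a correctly encrypted body with an empty (all-zero) signature slot.
func buildUnsignedImage(body []byte) []byte {
	return append(make([]byte, sigLen), cryptBody(body)...)
}

// acceptEncryptOnly models the weak loader: if the image decrypts to something
// that looks like firmware, it is installed. Encryption gives no authenticity.
func acceptEncryptOnly(image []byte) ([]byte, error) {
	if len(image) < sigLen {
		return nil, errors.New("image too short")
	}
	body := cryptBody(image[sigLen:])
	if !bytes.HasPrefix(body, []byte("FW:")) {
		return nil, errors.New("no firmware marker after decryption")
	}
	return body, nil
}

// acceptSigned models the hardened loader: verify the signature over the
// ciphertext with the vendor public key first; decrypt only on success.
func acceptSigned(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < sigLen {
		return nil, errors.New("image too short")
	}
	sig, ct := image[:sigLen], image[sigLen:]
	if !ed25519.Verify(pub, ct, sig) {
		return nil, errors.New("firmware signature invalid, refusing to install")
	}
	return cryptBody(ct), nil
}

// loaderResults records which loader accepted which image.
type loaderResults struct {
	WeakAcceptsRogue, StrongAcceptsRogue     bool
	WeakAcceptsGenuine, StrongAcceptsGenuine bool
	GenuineBody                              string
}

// evaluateLoaders builds one genuine and one rogue image and runs both loaders.
func evaluateLoaders() loaderResults {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := buildSignedImage(priv, []byte("FW:vendor build 1.0"))
	rogue := buildUnsignedImage([]byte("FW:constructed rogue build"))
	var r loaderResults
	_, e1 := acceptEncryptOnly(rogue)
	_, e2 := acceptSigned(pub, rogue)
	_, e3 := acceptEncryptOnly(genuine)
	body, e4 := acceptSigned(pub, genuine)
	r.WeakAcceptsRogue, r.StrongAcceptsRogue = e1 == nil, e2 == nil
	r.WeakAcceptsGenuine, r.StrongAcceptsGenuine = e3 == nil, e4 == nil
	r.GenuineBody = string(body)
	return r
}

func main() {
	fmt.Printf("%+v\n", evaluateLoaders())
}
```

The signature is computed over the ciphertext rather than the plaintext so the loader never decrypts, parses or flashes bytes whose origin has not been established; a rejected image is discarded before any decryption code runs.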
Given that susceptible APC UPS units are utilized in around eight out of ten businesses, according to Armis’s research, and the sensitive settings they service (medical facilities, ICS networks, server rooms), the implications can have serious physical effects.
The TLS-related vulnerabilities revealed by Armis appear to be more serious since they may be exploited by an unauthenticated attacker without requiring user involvement, a technique known as a zero-click attack.
“[CVE-2022-22806 and CVE-2022-22805] are vulnerabilities in the TLS connection between the UPS and the Schneider Electric cloud. SmartConnect-enabled devices automatically establish a TLS connection upon startup or if cloud connections are temporarily lost.” – Armis Laboratories
Both vulnerabilities stem from incorrect TLS error handling in the connection from the Smart-UPS to the Schneider Electric server, and when exploited they lead to remote code execution.
One flaw is an authentication bypass caused by “state misunderstanding in the TLS handshake”; the other is a memory corruption bug.
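To make the bug class concrete, here is an added example, not the APC implementation and not code from Armis: a miniature record-layer state machine in which an error during the handshake is handled by clearing a single "in handshake" flag, so later application data is treated as if the peer had been authenticated, beside a hardened version with an explicit terminal state. The record kinds and message sequences are constructed for the example.

```go
// Added example (not the APC implementation): a miniature TLS-like record
// state machine showing the class of "incorrect error handling leads to
// handshake state confusion". Record kinds and sequences are constructed.
package main

import (
	"errors"
	"fmt"
)

// record is a simplified TLS record. Kinds used here:
//   "handshake" (ok=true/false): a handshake step that succeeded or failed
//   "finished": final handshake message, the peer is now authenticated
//   "alert": a fatal alert from the peer
//   "appdata": application data
type record struct {
	kind string
	ok   bool
}

// connection returns true when an application-data record was accepted.
type connection interface {
	process(r record) (bool, error)
}

// --- vulnerable pattern -------------------------------------------------
// A single boolean means "still in handshake". Every error path clears it
// (the handshake loop exits) but nothing records that authentication never
// completed, so "not handshaking" is later read as "established".
type vulnConn struct{ inHandshake bool }

func newVulnConn() *vulnConn { return &vulnConn{inHandshake: true} }

func (c *vulnConn) process(r record) (bool, error) {
	switch r.kind {
	case "handshake":
		if !r.ok {
			c.inHandshake = false // BUG: failure leaves no "failed" state behind
			return false, errors.New("handshake step failed")
		}
		return false, nil
	case "finished":
		c.inHandshake = false
		return false, nil
	case "alert":
		c.inHandshake = false // BUG: same problem on the alert path
		return false, errors.New("fatal alert from peer")
	case "appdata":
		if c.inHandshake {
			return false, errors.New("application data during handshake")
		}
		return true, nil // accepted after an aborted handshake: auth bypass
	}
	return false, errors.New("unknown record")
}

// --- hardened pattern ---------------------------------------------------
// An explicit state enum with a terminal Closed state. Application data is
// accepted only from Established, and every error transitions to Closed.
type connState int

const (
	stateHandshaking connState = iota
	stateEstablished
	stateClosed
)

type safeConn struct{ state connState }

func newSafeConn() *safeConn { return &safeConn{state: stateHandshaking} }

func (c *safeConn) fail(msg string) (bool, error) {
	c.state = stateClosed
	return false, errors.New(msg)
}

func (c *safeConn) process(r record) (bool, error) {
	if c.state == stateClosed {
		return false, errors.New("connection closed")
	}
	switch r.kind {
	case "handshake":
		if c.state != stateHandshaking || !r.ok {
			return c.fail("handshake step failed or out of order")
		}
		return false, nil
	case "finished":
		if c.state != stateHandshaking {
			return c.fail("unexpected finished")
		}
		c.state = stateEstablished
		return false, nil
	case "alert":
		return c.fail("fatal alert from peer")
	case "appdata":
		if c.state != stateEstablished {
			return c.fail("application data on unauthenticated connection")
		}
		return true, nil
	}
	return c.fail("unknown record")
}

// runScenario feeds a record sequence to a connection and counts how many
// application-data records it accepted.
func runScenario(c connection, msgs []record) int {
	accepted := 0
	for _, m := range msgs {
		if ok, _ := c.process(m); ok {
			accepted++
		}
	}
	return accepted
}

// Constructed sequences: an aborted handshake followed by data, and a
// completed handshake followed by data.
var abortedThenData = []record{{"handshake", true}, {"alert", false}, {"appdata", false}}
var completedThenData = []record{{"handshake", true}, {"finished", false}, {"appdata", false}}

func main() {
	fmt.Println("vulnerable, aborted handshake:", runScenario(newVulnConn(), abortedThenData))
	fmt.Println("hardened, aborted handshake:  ", runScenario(newSafeConn(), abortedThenData))
	fmt.Println("hardened, completed handshake:", runScenario(newSafeConn(), completedThenData))
}
```

The defensive lesson is the one reviewers apply to any protocol state machine: model failure as its own state rather than as the absence of the in-progress state, and gate every privileged action on the one state that means "authenticated", not on "no longer handshaking".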
Armis explains how a remote threat actor may exploit the vulnerabilities in a blog post today:
Recommendations for mitigation
The researchers’ write-up details the technical characteristics of all three TLStorm vulnerabilities and offers a series of recommendations for securing UPS devices:
- Install the fixes from Schneider Electric’s website.
- If you use the NMC, change the default NMC password (“apc”) and install a publicly-signed SSL certificate to prevent an attacker on your network from intercepting the new password. Refer to the Schneider Electric Security Handbook for NMC 2 and NMC 3 to further minimize your NMC’s attack surface.
- Deploy access control lists (ACLs) that restrict UPS units to communicating with a limited group of managed devices and the Schneider Electric Cloud over encrypted communications.