[German]Vendor Armis has discovered three critical zero-day vulnerabilities in smart UPS from APC. The vulnerabilities, known as TLStorm, put more than 20 million enterprise devices attached to APC uninterruptible power supplies at risk. The vulnerabilities in widely used uninterruptible power supplies could enable attackers to bypass security measures and remotely take over or damage critical industrial, medical and enterprise equipment.
Advertising
APC Smart-UPS
Uninterruptible power supplies (UPS) such as APC Smart-UPS provide backup power for critical components (assets) in data centers, industrial facilities, hospitals and other areas. APC is a subsidiary of Schneider Electric and one of the world's leading UPS providers, with more than 20 million units sold worldwide.
3 Vulnerabilities in APC Smart-UPS
Armis (provider of an asset visibility and security platform) has discovered three zero-day vulnerabilities in APC Smart-UPS devices and has now made them public. These vulnerabilities allow attackers to gain remote access. If attackers exploit these vulnerabilities, known collectively as TLStorm, they could disable, compromise or destroy affected APC Smart UPS models and associated equipment.
"Until recently, assets such as UPS devices were not considered potential security risks. However, it has since become apparent that security mechanisms in remotely managed devices are not always properly implemented and malicious actors could misuse such vulnerable assets as an attack vector," said Barak Hadad, Head of Research at Armis. "Security professionals absolutely need a complete view of all assets and must be able to monitor their behavior to detect attempts to exploit vulnerabilities like TLStorm."
Risks for businesses
Armis investigates and analyzes assets of various types to help security managers protect their organizations from emerging threats. In the current case, Armis examined APC Smart UPS devices and their remote management and monitoring services, as APC UPS are widely used in Armis customers' environments.
The latest models use a cloud connection for remote management. As Armis security researchers discovered, an attacker abusing the TLStorm vulnerabilities could remotely control devices over the Internet – all without user interaction or signs of an attack.
Advertising
Two critical vulnerabilities were discovered in the TLS implementation of cloud-networked Smart-UPSs, as well as a third serious vulnerability – a design flaw that causes firmware upgrades of all Smart-UPS devices to be improperly signed or validated.
Vulnerabilities in the TLS connection
Two of the vulnerabilities affect the TLS connection between the UPS and the Schneider Electric Cloud. Devices that support the SmartConnect function automatically establish a TLS connection when they are started or if the cloud connection was temporarily interrupted. Attackers can trigger these vulnerabilities via unauthenticated network packets without requiring any user interaction.
- CVE-2022-22805 – (CVSS 9.0) TLS buffer overflow: a packet composition error (RCE).
- CVE-2022-22806 – (CVSS 9.0) TLS authentication bypass: A state error in the TLS handshake causes authentication to be bypassed.
This second vulnerability allows remote code execution (RCE) using a firmware upgrade over the network.
Third flaw as a design vulnerability
The third vulnerability is a design flaw that causes firmware updates on affected devices to not be cryptographically signed in a secure manner.
- CVE-2022-0715 – (CVSS 8.9) Unsigned firmware upgrade that can be updated over the network (RCE).
As a result, an attacker could create malicious firmware and install it in a variety of ways, such as over the Internet, a LAN, or a USB stick. This modified firmware could allow attackers to nestle on such UPS devices for the long term and use them as a bastion on the network from which to launch further attacks.
Attacks via upgrades common practice
That attackers (APTs) exploit vulnerabilities in firmware upgrade processes is becoming common, as described recently in the Cyclops Blink malware analysis (see Cyclops blink malware targets WatchGuard network firewalls). And firmware not being properly signed is a flaw that occurs repeatedly in embedded systems. For example, a vulnerability recently found by Armis in Swisslog's pneumatic tube systems (PwnedPiper, CVE-2021-37160) is based on a similar flaw (see also Schwachstellen in Swisslogic Healthcare Rohrpost-Software).
Updates and risk mitigation
Schneider Electric has been working with Armis on this issue. Customers have been notified and provided with patches that address the vulnerabilities. To the best of the two companies' knowledge to date, there is no indication that the TLStorm vulnerabilities have been exploited.
Companies using APC Smart UPS should patch the affected devices immediately. For more information, see Schneider Electric's security advisory at this link. Armis, of course, offers a matching agentless device security platform that can detect appropriately vulnerable smart UPSs from APC. More details can be found in this blog post.
