Millions of APC Smart-UPS devices vulnerable to TLStorm
Critical vulns spotted in popular Schneider kit
If you're managing a smart model from ubiquitous uninterrupted power supply (UPS) device brand APC, you need to apply updates now – a set of three critical vulnerabilities are making Smart-UPS devices a possible entry point for network infiltration.
The vulnerabilities, dubbed TLStorm, were found in Schneider Electric's APC Smart-UPS products by security firm Armis, which made the info public on Tuesday.
The name stems from the Transport Layer Security (TLS) implementation in which two out of the three vulnerabilities were found.
The affected UPSes – ranging across 10 product lines listed here [PDF] – cater to small to medium businesses, providing backup power in emergency situations. A full list of models affected by the TLStorm vulnerabilities is available in Schneider Electric's own security advisory here [PDF]. We have asked Schneider how many of the affected Smart-UPS models have been sold and for details on any models that were not affected.
Schneider Electric said on its product page it has sold over 20 million units of its Smart-UPS brand, calling it an "ideal UPS for servers, point-of-sale, routers, switches, hubs and other network devices."
Potential weaponized power outages
According to Armis, a complete remote takeover via the internet of the equipment is possible, potentially without even any signs of an attack through remote code execution, as the devices are controlled through an exploitable cloud connection. Exploitation could result in weaponized power outages or surges of battery function affecting both the power supply and other connected systems, as well as theft of company data and the deployment of malware if the intruders are able to explore the network.
Such attacks have happened before. Notably, and topically, threat actors attacked the Ukrainian power grid in 2015. Alongside other actions, according to America's Cybersecurity and Infrastructure Security Agency at the time, the attackers scheduled disconnects for server UPS through its remote management interface, leading to a wide-scale power outage.
- IT blamed after HR forgets to install sockets in new office
- Russia mulls making software piracy legal and patent licensing compulsory
- Deere & Co won't give out software and data needed for repairs, watchdog told
- UK govt signs IT contracts 'without understanding' the needs
- Enterprise IT finds itself in a war zone – with no script
The vulnerabilities found by Armis stem from insecure connections established between the UPS and APC parent Schneider Electric's cloud via its SmartConnect feature. SmartConnect automatically establishes a TLS connection upon startup or whenever cloud connections are temporarily lost. The vulns require no human interaction to be exploited, though they do require that the attacker is able to meddle with a machine's network traffic and/or send it packets.
The three holes are:
- CVE-2022-22805: TLS buffer overflow: Memory corruption can occur during packet reassembly, which can be abused to execution arbitrary malicious code on the device, leading to its takeover
- CVE-2022-22806: TLS authentication bypass: This can be used to exploit the third flaw
- CVE-2022-0715: Firmware can be replaced over the network with malicious code without any authentication or cryptographic signature checks. Essentially, you cause the equipment to update the firmware with a binary you provide, and no checks are performed
The authentication bypass and buffer overflow are rated 9 out of 10 on the CVSS bug-severity scale. The third vulnerability is a design flaw, rated ever-so-minutely better than the two TLS vulnerabilities with an 8.9 bug severity.
"Schneider Electric is aware of the vulnerabilities associated with APC Smart-UPS uninterruptible power supply devices which, if compromised, may allow for potential unauthorized access and control of the device," said the manufacturer, adding that it was working to develop remediations and mitigations, as well as disclose to customers. Patches are also available.
Armis said there's no indication the flaws are being exploited in the wild. ®