A set of three critical zero-day vulnerabilities now tracked as TLStorm could allow hackers to take control of uninterruptible power supplies (UPS) from APC, a subsidiary of Schneider Electric.
The flaws affect APC Smart-UPS systems that are popular in a variety of business sectors, including government, healthcare, industrial, IT and retail.
UPSs act as emergency backup power solutions and are found in critical environments such as data centers, industrial facilities, hospitals.
Risk of physical impact
Researchers from Armis, a company providing security solutions for connected devices in enterprises, discovered the three issues in APC’s SmartConnect and Smart-UPS product family.
Two of the vulnerabilities, CVE-2022-22805 and CVE-2022-22806 are in the implementation of the Transport Layer Security (TLS) protocol that connects Smart-UPS devices with the “SmartConnect” feature to Schneider Electric’s management cloud.
The third, identified as CVE-2022-0715, relates to firmware of “virtually all APC Smart-UPS devices”, which is not cryptographically signed and its authenticity cannot be verified when installed on the system.
Although the firmware is encrypted (symmetric), it lacks a cryptographic signature, allowing hackers to create a malicious version of it and deliver it as an update to target UPS devices to achieve code execution remotely (RCE).
Armis researchers were able to exploit the flaw and create a malicious APC firmware version that was accepted by Smart-UPS devices as an official update, a process that unfolds differently depending on the target:
- The latest Smart-UPS devices with SmartConnect cloud connection functionality can be upgraded from the cloud management console via the Internet
- Older Smart-UPS devices that use the Network Management Card (NMC) can be updated over the local network
- Most Smart-UPS devices can also be upgraded using a USB flash drive
Considering that vulnerable APC UPSs are used in approximately eight out of 10 enterprises – according to data from Armis – and the sensitive environments they serve (medical facilities, ICS network, server rooms), the implications can have significant physical consequences. .
The TLS-related vulnerabilities discovered by Armis appear to be more severe because they can be exploited by an unauthenticated attacker without user interaction, in what is known as a no-click attack.
Both vulnerabilities are caused by improper handling of TLS errors in the TLS connection between the Smart-UPS and the Schneider Electric server, and they lead to remote code execution when properly exploited.
One of the security issues is an authentication bypass caused by “state confusion in the TLS handshake”, the other is a memory corruption bug.
In a blog post today, Armis shows how the vulnerabilities could be exploited by a remote malicious actor:
The researchers’ report explains the technical aspects of the three TLStorm vulnerabilities and provides a set of recommendations for securing UPSs:
- Install the patches available on the Schneider Electric website
- If you are using NMC, change the default NMC (“apc”) password and install a publicly signed SSL certificate so that an attacker on your network cannot intercept the new password. To further limit the attack surface of your NMC, refer to the Schneider Electric Security Manual for NMC 2 and NMC 3.
- Deploy Access Control Lists (ACLs) where UPSs are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications.
Armis has also published a technical white paper with all the details of the research.