Dangerous vulnerabilities have been found in APC Smart-UPS uninterruptible power supplies (UPS), united under the common name TLStorm. Their exploitation allows attackers to damage critical infrastructure.
APC is a subsidiary of Schneider Electric— one of the leading suppliers of UPS devices. UPS devices provide emergency backup power for mission-critical systems requiring high availability.
According to researchers from Armis Research Labs, three critical vulnerabilities in widely used “smart” UPS allow you to remotely seize control of the device, cause malfunctions in its operation, steal data, gain access to the company’s internal network and even cause physical damage.
“The latest APC Smart-UPS models are controlled via a cloud connection, and an attacker successfully exploiting TLStorm vulnerabilities can remotely control devices from the Internet without any interaction with the user or when the user does not even know about it,” experts warned.
Moreover, an attacker can use vulnerabilities to execute code on the device and change the operation of the UPS in order to physically damage the device itself or other devices connected to it.
Two vulnerabilities are related to incorrect error handling in the TLS connection between the UPS and the Schneider Electric cloud. TLS is a widespread security protocol designed to ensure the confidentiality and security of data in Internet communications. Devices that support the SmartConnect feature automatically establish this TLS connection at startup or whenever cloud connections are temporarily lost.
The first problem (CVE-2022-22805) is a TLS buffer overflow vulnerability and memory corruption during packet reassembly, which can lead to remote code execution. The second problem (CVE-2022-22806) is a TLS authentication bypass vulnerability, which is a confusion of states in the TLS handshake. Both vulnerabilities received a score of 9.0 out of the maximum 10 on the CVSS scale.
Vulnerabilities can be exploited using network packets that have not been authenticated, without any user interaction (zero-click).
The third vulnerability (CVE-2022-0715) was rated 8.9 points on the CVSS scale and is related to the fact that firmware updates on vulnerable devices are not signed securely from the point of view of cryptography. APC Smart-UPS firmware is encrypted with symmetric encryption, but does not have a cryptographic signature. This nuance allowed researchers to create malicious firmware that Smart-UPS devices perceived as official.
According to the researchers, in addition to applying fixes, there are other means of protection for TLStorm. In devices where clients use a Network Management Card (NMC), they can change the default NMC password (“apc”) and install an SSL certificate with an open signature. According to them, this will prevent an attacker from intercepting the new password.