Armis researchers have found three vulnerabilities in APC Smart-UPS devices; they call the vulnerabilities collectively TLStorm.
APC stated it had sold more than 20 million UPS devices globally; Armis shared data that points to 80% of companies being vulnerable to TLStorm attacks. Hospitals and industrial facilities use UPS devices, and attacks targeting them can be catastrophic.
Armis researchers assessed the communications between the APC Smart-UPS devices and their remote management services and identified vulnerabilities in the TLS implementation and a structural flaw concerning firmware upgrades.
One vulnerability, tracked as CVE-2022-22806, has been reported as a TLS authentication bypass that can allow remote code execution. The second TLS-related flaw, CVE-2022-22805, has been described as a buffer overflow in packet reassembly, and it can also allow remote code execution.
An unauthorized attacker—even over the internet—can exploit the vulnerabilities remotely to “alter the operations of the UPS to physically damage the device itself or other assets connected to it,” Armis said.
The third vulnerability, CVE-2022-0715, concerns unsigned firmware updates. Because the firmware updates are not cryptographically signed, an attacker can craft a malicious firmware image and install it through a USB drive, over the network, or over the internet.
“This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried,” Armis explained.
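An added illustration of the control whose absence CVE-2022-0715 describes (example code written for this page, not Armis's, APC's or Schneider Electric's code): a firmware loader that refuses any image lacking a valid vendor Ed25519 signature and that rejects version rollback. The 4-byte version header, the detached signature format, the key pair and the payload are all constructed assumptions, not APC's real image format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout (not APC's real format): 4-byte big-endian version || payload, plus a detached Ed25519 signature.
const headerLen = 4
var (
	ErrTooShort     = errors.New("firmware image too short")
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version older than installed")
)

// VerifyFirmware accepts an image only if the vendor public key verifies the signature over
// the whole image and the version does not roll back; a loader writes to flash only on nil error.
func VerifyFirmware(vendorPub ed25519.PublicKey, image, sig []byte, installed uint32) (uint32, error) {
	if len(image) < headerLen {
		return 0, ErrTooShort
	}
	if !ed25519.Verify(vendorPub, image, sig) { // check the signature before parsing anything
		return 0, ErrBadSignature
	}
	if v := binary.BigEndian.Uint32(image[:headerLen]); v >= installed {
		return v, nil
	}
	return 0, ErrRollback
}

// BuildImage assembles a version header plus payload (demo helper).
func BuildImage(version uint32, payload []byte) []byte {
	img := make([]byte, headerLen, headerLen+len(payload))
	binary.BigEndian.PutUint32(img, version)
	return append(img, payload...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor signing key
	img := BuildImage(7, []byte("constructed firmware payload"))
	sig := ed25519.Sign(priv, img)
	_, err := VerifyFirmware(pub, img, sig, 6)
	fmt.Println("genuine image:", err) // <nil>
	img[headerLen] ^= 0xff // one payload byte flipped after signing
	_, err = VerifyFirmware(pub, img, sig, 6)
	fmt.Println("tampered image:", err) // firmware signature invalid
}
```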
To illustrate the potency of these vulnerabilities, the cybersecurity firm built a proof-of-concept (PoC) exploit that causes a UPS’s internal circuitry to heat up until smoke rolls out and the device is bricked.
“Since the TLS attack vector can originate from the Internet, these vulnerabilities can act as a gateway to the internal corporate network,” Armis said. “Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall. They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.”
Schneider Electric stated in a security advisory that the vulnerabilities are rated “critical” and “high severity” and affect SMT, SMC, SCL, SMX, SRT, and SMTL series products. The company has started rolling out firmware updates that patch these vulnerabilities. For products that do not yet have security updates, Schneider has listed a series of mitigations to prevent the attacks.