Widely used UPS devices can be hijacked and destroyed remotely

Three vulnerabilities in ubiquitous APC Smart-UPS (uninterruptible power supply) devices could allow remote attackers to use them as an attack vector, disable or completely destroy them, Armis researchers have discovered.

The vulnerable devices, developed by Schneider Electric subsidiary APC, are used all around the globe to provide emergency backup power for critical physical infrastructure (industrial facilities, hospitals, energy suppliers, data centers, etc.).

The vulnerabilities in APC Smart-UPS devices

The three vulnerabilities (CVE-2022-22805, CVE-2022-22806, and CVE-2022-0715) have collectively been dubbed TLStorm.

“The latest APC Smart-UPS models are controlled through a Cloud connection. Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack. As a result, attackers can perform a remote-code execution (RCE) attack on a device, which in turn could be used to alter the operations of the UPS to physically damage the device itself or other assets connected to it,” the researchers noted.

CVE-2022-22806 is a TLS authentication bypass and CVE-2022-22805 is a TLS buffer overflow that can be triggered via unauthenticated network packets without any user interaction.

They can allow an attacker to intercept the TLS connection to the Schneider Electric/APC cloud (be it in the internal network using MITM or through the internet using DNS poisoning or any other method) and “impersonate” the Schneider Electric cloud to push maliciously crafted firmware to target devices.

“[CVE-2022-0715] is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner. This means an attacker could craft malicious firmware and install it using various paths, including the Internet, LAN, or a USB thumb drive,” the researchers explained.

“This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried.”

What’s more, a malicious firmware update may also allow the attackers to tamper with the UPS device’s CPU that converts the DC coming out of the battery into the AC that the UPS supplies on its output, and cause it to heat up the internal circuitry until it’s fried, effectively destroying the UPS.

The attackers could also change the output of the UPS to the devices that rely on the power.
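CVE-2022-0715 is described above as firmware updates that are not cryptographically signed in a secure manner. As an added example (not code from this article, Armis or Schneider Electric), the Go code below shows the check a secure update path performs at install time: an Ed25519 signature over the whole image, verified against a key pinned on the device, plus a version rollback check that goes beyond what the article covers. The image layout, function names and sample payloads are assumptions constructed for illustration.

```go
// Added example, not vendor code. Hypothetical image layout:
// [4-byte big-endian version][payload][64-byte Ed25519 signature over both]
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrSignature = errors.New("image truncated or signature invalid")
var ErrRollback = errors.New("version not newer than installed firmware")

// VerifyImage runs at install time for any delivery path (cloud, LAN or USB).
func VerifyImage(pinned ed25519.PublicKey, image []byte, installed uint32) ([]byte, error) {
	n := len(image) - ed25519.SignatureSize
	if n < 4 || !ed25519.Verify(pinned, image[:n], image[n:]) {
		return nil, ErrSignature
	}
	// The version is trusted only after the signature covering it has verified.
	if binary.BigEndian.Uint32(image[:4]) <= installed {
		return nil, ErrRollback
	}
	return image[4:n], nil
}

// SignImage is the build-side step, included so the demo is self-contained.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(buf, version)
	buf = append(buf, payload...)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// Demo checks constructed images: genuine, old version, foreign key, one flipped bit.
func Demo() (ok, rollback, foreign, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	img := SignImage(priv, 7, []byte("constructed firmware payload"))
	_, ok = VerifyImage(pub, img, 6)
	_, rollback = VerifyImage(pub, img, 7)
	_, foreign = VerifyImage(pub, SignImage(otherPriv, 8, []byte("unofficial build")), 6)
	img[10] ^= 0x01 // flip one payload bit
	_, tampered = VerifyImage(pub, img, 6)
	return
}

func main() { fmt.Println(Demo()) }
```

Because the check runs on the device against a key it already holds, an image pushed by an impersonated update server fails the same way as one loaded from a USB drive.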

Remediation and risk mitigation

More technical details about the vulnerabilities are available in Armis researchers’ post. They also provided advice on securing the UPS devices.

Schneider Electric has released a security advisory detailing affected products and versions and remediation and risk mitigation instructions.

“UPS devices, like many other digital infrastructure appliances, are often installed and forgotten. Since these devices are connected to the same internal networks as the core business systems, exploitation attempts can have severe implications,” the researchers added.

Barak Hadad, Head of Research at Armis, told Help Net Security that since a firmware upgrade requires some downtime in some of the models, Schneider Electric/APC cannot risk pushing patches/updates on the connected devices without the customers’ say-so, so they should patch on their own.

“Besides that, there are multiple mitigations that users can deploy that mitigate the risk significantly,” he added.

UPDATE (March 30, 2022, 06:20 a.m. PT):

“The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords,” CISA recently noted, and released advice for organizations to mitigate attacks against UPS devices.
