The company warned that if exploited, these vulnerabilities, collectively known as TLStorm, will allow threat actors to disable, disrupt, and destroy APC Smart-UPS devices and attached assets.
Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets in data centres, industrial facilities, and hospitals. APC is a subsidiary of Schneider Electric and is a leading vendor of UPS devices, with over 20 million devices sold worldwide.
“Until recently, assets, such as UPS devices, were not perceived as security liabilities. However, it has become clear that security mechanisms in remotely managed devices have not been properly implemented, meaning that malicious actors will be able to use those vulnerable assets as an attack vector,” said Barak Hadad, Head of Research, Armis. “It is vital that security professionals have complete visibility of all assets, along with the ability to monitor their behaviour, to identify exploitation attempts of vulnerabilities such as TLStorm.”
Armis researchers looked at APC Smart-UPS devices and their remote management and monitoring services due to the widespread use of these devices. The latest models use a cloud connection for remote management and the researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack.
Two critical vulnerabilities in the TLS implementation used by cloud-connected Smart-UPS devices were found and a third high-severity vulnerability, a design flaw, in which firmware upgrades of all Smart-UPS devices are not correctly signed or validated.
Two of the vulnerabilities involve the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection upon start-up or whenever cloud connections are temporarily lost. Attackers can trigger the vulnerabilities via unauthenticated network packets without any user interaction.
CVE-2022-22805 - (CVSS 9.0) TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).
CVE-2022-22806 - (CVSS 9.0) TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.
The third vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner.
As a result, an attacker could craft malicious firmware and install it using various paths, including the Internet, LAN, or a USB thumb drive. This modified firmware could allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network to launch additional attacks.
CVE-2022-0715 - (CVSS 8.9) Unsigned firmware upgrade that can be updated over the network (RCE).
Abusing flaws in firmware upgrade mechanisms is becoming a standard practice of APTs, and improper signing of firmware is a recurring flaw in various embedded systems. For example, a previous vulnerability discovered by Armis in Swisslog PTS systems (PwnedPiper, CVE-2021-37160) resulted from a similar type of flaw.
“TLStorm vulnerabilities occur in cyber-physical systems that bridge our digital and physical worlds, giving cyberattacks the possibility of real-world consequences,” said Yevgeny Dibrov, CEO and Co-founder of Armis. “The Armis platform addresses this hyper-connected reality, where one compromised identity and device can open the door to cyberattacks, and the security of every asset has become foundational to protect business continuity and brand reputation. Our ongoing research secures organizations by providing 100% complete visibility of their IT, cloud, IoT, OT, IoMT, 5G, and edge assets.”
Schneider Electric worked in collaboration with Armis and customers were notified and issued patches to address the vulnerabilities. To the best of both companies' knowledge, there is no indication the TLStorm vulnerabilities have been exploited.
Organisations deploying APC Smart-UPS devices should patch impacted devices immediately.