Vulnerabilities found in widely-used Uninterruptible Power Supplies could allow attackers to bypass security features and remotely take over or damage critical industrial, medical, and enterprise devices
PALO ALTO, Calif. – March 8, 2022 – Armis, the leader in unified asset visibility and security, announced today the discovery of three zero-day vulnerabilities in APC Smart-UPS devices that can allow attackers to gain remote access. If exploited, these vulnerabilities, collectively known as TLStorm, allow threat actors to disable, disrupt, and destroy APC Smart-UPS devices and attached assets.
Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets in data centers, industrial facilities, hospitals, and more. APC is a subsidiary of Schneider Electric and is one of the leading vendors of UPS devices, with over 20 million devices sold worldwide.
“Until recently, assets, such as UPS devices, were not perceived as security liabilities. However, it has become clear that security mechanisms in remotely managed devices have not been properly implemented, meaning that malicious actors will be able to use those vulnerable assets as an attack vector,” said Barak Hadad, Head of Research, Armis. “It is vital that security professionals have complete visibility of all assets, along with the ability to monitor their behavior, to identify exploitation attempts of vulnerabilities such as TLStorm.”
Enterprise Risk Exposure
Armis researches and analyzes various assets to help security leaders protect their organizations from new threats. For this research, Armis investigated APC Smart-UPS devices and their remote management and monitoring services due to the widespread use of APC UPS devices in our customers’ environments. The latest models use a cloud connection for remote management. Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack.
The discovered vulnerabilities include two critical vulnerabilities in the TLS implementation used by cloud-connected Smart-UPS devices and a third high-severity vulnerability, a design flaw, in which firmware upgrades of most Smart-UPS devices are not correctly signed or validated.
Two of the vulnerabilities involve the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost. Attackers can trigger the vulnerabilities via unauthenticated network packets without any user interaction.
- CVE-2022-22805 – (CVSS 9.0) TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).
- CVE-2022-22806 – (CVSS 9.0) TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.
The third vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner. As a result, an attacker could craft malicious firmware and install it using various paths, including the Internet, LAN, or a USB thumb drive. This modified firmware could allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network to launch additional attacks.
- CVE-2022-0715 – (CVSS 8.9) Unsigned firmware upgrade that can be updated over the network (RCE).
Abusing flaws in firmware upgrade mechanisms is becoming a standard practice of APTs, as has been recently detailed in the analysis of the Cyclops Blink malware, and improper signing of firmware is a recurring flaw in various embedded systems. For example, a previous vulnerability discovered by Armis in Swisslog PTS systems (PwnedPiper, CVE-2021-37160) resulted from a similar type of flaw.
“TLStorm vulnerabilities occur in cyber-physical systems that bridge our digital and physical worlds, giving cyberattacks the possibility of real-world consequences,” said Yevgeny Dibrov, CEO and Co-founder of Armis. “The Armis platform addresses this hyper-connected reality, where one compromised identity and device can open the door to cyberattacks, and the security of every asset has become foundational to protect business continuity and brand reputation. Our ongoing research secures organizations by providing 100% complete visibility of their IT, cloud, IoT, OT, IoMT, 5G, and edge assets.”
Updates and Mitigations
Schneider Electric worked in collaboration with Armis on this matter, and customers were notified and issued patches to address the vulnerabilities. To the best of both companies’ knowledge, there is no indication the TLStorm vulnerabilities have been exploited.
Organizations deploying APC Smart-UPS devices should patch impacted devices immediately. More information can be found in the Schneider Electric security advisory here.
Armis customers can immediately identify APC Smart-UPS devices that are vulnerable in their environments and begin remediation. To speak with an Armis expert and experience our award-winning agentless device security platform, click here.
Armis experts will discuss the TLStorm research during the following virtual and in-person events:
- Webinar (Wednesday, March 30, 1:00 p.m. EST): Lightning from the Cloud
- LinkedIn Live (Thursday, March 10, 2022, 12:00 p.m. EST): Lightning from the Cloud
- Nullcon Berlin 2022 (April 5-9, 2022) – Finding and Exploiting Critical Bugs in TLS Libraries used by “Smart” UPS Devices
- Black Hat Asia 2022 (May 10-13, 2022) – Like Lightning From the Cloud: Finding RCEs in an Embedded TLS Library and Toasting a Popular Cloud-connected UPS