Three zero-day vulnerabilities identified in Schneider Electric’s APC brand uninterruptible power supplies (UPS) could allow an attacker to not only gain a foothold on the unit’s network, but even potentially “disable, disrupt and destroy” the UPS and attached assets. More than 20 million devices are affected.
The trio of vulnerabilities was dubbed “TLStorm” by the researchers at IoT security company Armis who discovered it. The exploits come, said Armis head of research Barak Hadad, at a time when even the least likely of devices has an internet connection that turns it into a potential threat.
“Until recently, assets, such as UPS devices, were not perceived as security liabilities. However, it has become clear that security mechanisms in remotely managed devices have not been properly implemented, meaning that malicious actors will be able to use those vulnerable assets as an attack vector,” Hadad said.
Armis said it was looking at APC Smart-UPS vulnerabilities as part of its bid to further understand the threat posed by various internet-connected assets. Because of their widespread use in its customers’ environments, APC Smart-UPS units were an obvious choice.
How your APC UPS could be compromised
Armis researchers found three separate zero-day vulnerabilities in APC Smart-UPS units, each of which has its own CVE number:
- A TLS buffer overflow (CVE-2022-22805)
- A TLS authentication bypass (CVE-2022-22086)
- An unsigned firmware bug (CVE-2022-0715)
Both TLS exploits are triggered using unauthenticated network packets, while the third requires the attacker to craft a malicious firmware update and trigger its installation over the internet, over a LAN connection or from a thumb drive. This is possible because the affected devices don’t have their firmware updates cryptographically signed in a secure way.
Armis notes that the abuse of firmware upgrade mechanisms is “becoming a standard practice of APTs,” and has already been documented in previous attacks. Modified firmware updates are a method attackers use to establish persistence, Armis said, and on a device as unnoticed as a UPS it gives the attacker a chance to build a stronghold.
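To illustrate the unsigned-firmware point above, here is an added Go example (not from Armis, Schneider Electric or the original article) contrasting an updater that only checks a digest shipped inside the image with one that verifies an Ed25519 signature against a public key pinned on the device. The `Image` layout, the function names and the test key are hypothetical and do not describe the actual APC update format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is a hypothetical update container (assumption, not the APC format).
type Image struct {
	Payload []byte
	Digest  [32]byte // SHA-256 shipped inside the image itself
	Sig     []byte   // detached Ed25519 signature over Payload
}

// WeakAccept models an unsigned updater: it only checks the embedded digest,
// which anyone who can edit the payload can also recompute.
func WeakAccept(img Image) error {
	if sha256.Sum256(img.Payload) != img.Digest {
		return errors.New("digest mismatch")
	}
	return nil
}

// SignedAccept requires a signature that verifies under a public key pinned
// in the device, so a modified payload fails without the vendor private key.
func SignedAccept(img Image, pinned ed25519.PublicKey) error {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, img.Payload, img.Sig) {
		return errors.New("signature missing or invalid")
	}
	return nil
}

// Demo builds a vendor image, then a tampered copy with a recomputed digest.
func Demo() (weakTampered, signedGood, signedTampered error) {
	// Constructed test key; a real vendor key would never live in the updater.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	good := Image{Payload: []byte("constructed firmware v1")}
	good.Digest = sha256.Sum256(good.Payload)
	good.Sig = ed25519.Sign(priv, good.Payload)
	bad := good
	bad.Payload = []byte("constructed firmware v1 + implant")
	bad.Digest = sha256.Sum256(bad.Payload) // checksum fixed up after tampering
	return WeakAccept(bad), SignedAccept(good, pub), SignedAccept(bad, pub)
}

func main() { fmt.Println(Demo()) }
```

The digest-only check accepts the modified image because the digest travels with the payload, while the signature check rejects it.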
Protecting your networks from TLStorm
With over 20 million affected devices, it’s a good idea to take the time now to assess whether or not your APC UPS units are affected. Schneider Electric said in a security advisory that SMT, SMC, SMX, SCL, SMTL and SRT series of devices are affected, and gave additional details on identifying your models and firmware version.
If your devices are affected, it’s essential that you upgrade their firmware as soon as possible. Both Schneider Electric and Armis said there’s no evidence that these vulnerabilities have been exploited, but now that they’ve been disclosed, expect attackers to start using them, and act accordingly.