Three security vulnerabilities, collectively dubbed TLStorm, were discovered in APC Smart-UPS devices; they would allow a remote attacker to gain unauthorized access to and control of the devices. Two of the vulnerabilities stem from flawed TLS handshakes between the device and the APC cloud, while the third allows unsigned firmware upgrades to be installed on the device.
The two TLS handshake vulnerabilities are a buffer overflow and an authentication bypass, tracked as CVE-2022-22805 and CVE-2022-22806 respectively. The unsigned firmware vulnerability is tracked as CVE-2022-0715 and could allow an attacker to remotely install a malicious firmware upgrade and thereby establish persistence on the compromised device. Successful exploitation of any of these flaws could result in remote code execution on the device. This would allow an attacker to use the UPS as a gateway for further attacks into a network, or to cause physical damage to the UPS by tampering with its operating settings. In one scenario, a researcher exploited these vulnerabilities to tamper with the UPS's settings, causing a DC link capacitor in the device to burst and effectively destroying the device in a cloud of electrolyte gas.
Schneider Electric, the creators of the APC Smart-UPS devices, have released patches to fix these vulnerabilities in several devices and have provided mitigation steps for devices that do not have fixes yet.
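The unsigned-firmware flaw described above is, at its core, the absence of a cryptographic check before an update is accepted. The following Go program is an added illustration of that missing control, written for this page; it is not APC's or Schneider Electric's code, and the image layout (a `FWIM` magic, a version field, a length field, the payload and a trailing Ed25519 signature) is an assumption made for the example, not the real Smart-UPS firmware format. It shows a verifier that rejects malformed, unsigned, tampered and downgraded images and only hands back the payload when the signature checks out under the trusted vendor key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (assumption for this example, not a vendor format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | sig(64)
const headerLen = 12

var magic = []byte("FWIM")

var (
	ErrBadImage = errors.New("malformed firmware image")
	ErrUnsigned = errors.New("firmware image is unsigned or its signature is invalid")
	ErrRollback = errors.New("firmware version is older than the installed version")
)

// BuildImage produces a signed image, the step a vendor build pipeline performs
// with a private key that never leaves the build environment.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	body := append(hdr, payload...)
	sig := ed25519.Sign(priv, body) // header and payload are both covered by the signature
	return append(body, sig...)
}

// VerifyImage returns the payload only if the image parses cleanly, carries a
// valid signature under the trusted vendor public key, and is not a downgrade.
// The device should refuse to flash anything that does not pass this function.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return nil, ErrBadImage
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:headerLen])
	// Check the declared length against the real one before slicing, so a crafted
	// length field cannot cause an out-of-range read.
	if uint64(plen) != uint64(len(img)-headerLen-ed25519.SignatureSize) {
		return nil, ErrBadImage
	}
	body := img[:headerLen+plen]
	sig := img[headerLen+plen:]
	// Verify before trusting any field that influences what gets flashed.
	if !ed25519.Verify(pub, body, sig) {
		return nil, ErrUnsigned
	}
	// Anti-rollback: a validly signed but older image must still be refused.
	if version < installed {
		return nil, ErrRollback
	}
	return body[headerLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed firmware payload")
	img := BuildImage(priv, 3, payload)

	if _, err := VerifyImage(pub, 2, img); err != nil {
		fmt.Println("signed image rejected unexpectedly:", err)
	} else {
		fmt.Println("signed image accepted")
	}

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0xff // flip one payload byte
	_, err = VerifyImage(pub, 2, tampered)
	fmt.Println("tampered image:", err)

	_, err = VerifyImage(pub, 5, img)
	fmt.Println("downgrade attempt:", err)
}
```

The ordering inside `VerifyImage` is the point: length sanity first, signature second, policy (rollback) third, and the payload is never returned until all three pass. A device that skips the second step is in exactly the position the unsigned-upgrade flaw describes.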