Threat Watch

Critical Bugs Could Let Attackers Remotely Hack, Damage APC Smart-UPS Devices

Three security vulnerabilities, collectively dubbed TLStorm, were discovered in APC Smart-UPS devices that would allow a remote attacker to access and control them without authorization. Two of the vulnerabilities are related to faulty TLS handshakes between the device and the APC cloud, while the third relates to installing unsigned firmware upgrades on the device.

The two TLS handshake vulnerabilities are a buffer overflow and an authentication bypass, tracked as CVE-2022-22805 and CVE-2022-22806, respectively. The unsigned firmware vulnerability is tracked as CVE-2022-0715 and could allow an attacker to remotely install a malicious firmware upgrade to establish persistence on the infected system. Successful exploitation of any of these flaws could result in remote code execution on the device. This would allow an attacker to use the UPS device as a gateway for further attacks into a network or to cause physical damage to the UPS by tampering with its operating settings. In one scenario, a researcher was able to exploit these vulnerabilities and tamper with the UPS's settings, causing a DC link capacitor in the device to burst and effectively destroying the device in a cloud of electrolyte gas.

Schneider Electric, the maker of the APC Smart-UPS devices, has released patches to fix these vulnerabilities in several devices and has provided mitigation steps for devices that do not have fixes yet.


It is recommended to update Smart-UPS devices to the latest version as soon as possible. The firmware versions that fix the vulnerabilities are available for the following devices:
• SMT series: UPS 04.6
• SMC series: UPS 04.3

For any other types of APC Smart-UPS devices, it is recommended to either disconnect network cables attached to the UPS or, if applicable, disable the SmartConnect feature. This will prevent the UPS from being accessible from the network, so the vulnerabilities cannot be exploited.

Finally, it is recommended to make sure that ancillary devices, such as a UPS, are included in regular patching cycles. In the past, these types of devices have commonly been deployed into a network and forgotten about. However, with the interconnectivity of modern devices to both the internal network and cloud-based systems, they are becoming increasingly susceptible to remote vulnerabilities such as these. Including these types of devices in a regular patching cycle is essential to help protect an organization.
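
The recommendation above can be applied to an asset inventory as a triage pass. The following is an added example, not code from Schneider Electric or from the original article. It assumes a hypothetical inventory schema (`host`, `series`, `firmware`, `network_cable`, `smartconnect`), firmware strings in the article's "UPS 04.6" notation, and that any version at or above the listed one contains the fix.

```python
import re

# Fixed firmware per series, taken from the list in the article.
FIXED = {"SMT": (4, 6), "SMC": (4, 3)}
# Assumed firmware string format, matching the article's "UPS 04.6" notation.
FW_RE = re.compile(r"^\s*UPS\s+(\d+)\.(\d+)\s*$", re.IGNORECASE)

def parse_firmware(text):
    """Return (major, minor), or None if the string is not 'UPS NN.N'."""
    m = FW_RE.match(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(device):
    """Return the action for one inventory record (hypothetical schema)."""
    fixed = FIXED.get(str(device.get("series", "")).upper())
    if fixed is None:
        # No fixed version listed for this series: apply the mitigation
        # unless the unit is already off the network with SmartConnect off.
        exposed = device.get("network_cable") or device.get("smartconnect")
        return "MITIGATE" if exposed else "ISOLATED"
    current = parse_firmware(device.get("firmware"))
    if current is None:
        return "REVIEW"  # unreadable version: never report it as patched
    # Assumption: a version at or above the listed one contains the fix.
    return "OK" if current >= fixed else "UPDATE"

# Constructed sample inventory; hosts and fields are made up, and "OTHER"
# stands in for any series the article does not list.
INVENTORY = [
    {"host": "ups-dc1", "series": "SMT", "firmware": "UPS 04.6"},
    {"host": "ups-dc2", "series": "SMT", "firmware": "UPS 04.5"},
    {"host": "ups-lab", "series": "smc", "firmware": "UPS 04.10"},
    {"host": "ups-br1", "series": "SMC", "firmware": "unknown"},
    {"host": "ups-br2", "series": "OTHER", "firmware": "UPS 01.0",
     "network_cable": False, "smartconnect": True},
    {"host": "ups-br3", "series": "OTHER", "firmware": "UPS 01.0",
     "network_cable": False, "smartconnect": False},
]

def triage_inventory(inventory):
    """Map each host to its action."""
    return {d["host"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY).items():
        print(f"{host}: {action}")
```

Version components are compared as integers, so "UPS 04.10" sorts above "UPS 04.6" rather than below it as a string comparison would.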