Armis researchers have spotted three critical vulnerabilities in APC Smart-UPS systems which, if exploited, let an attacker disable power by remotely managing the devices.
Two of the three vulnerabilities relate to improper TLS connections, and the third is a firmware bug. The three are collectively called TLStorm and are rated severe given the wide deployment of APC’s UPS systems in the wild. APC has made mitigations and patches for TLStorm available.
Zero-Click Bugs in APC Smart-UPS
An uninterruptible power supply (UPS) is an emergency power backup used in most computing environments where systems must keep running at all times. Among many vendors, APC is a reputed brand supplying quality UPS devices to organizations in the government, healthcare, industrial, IT, and retail sectors.
Owned by Schneider Electric, APC has a lineup of Smart-UPS systems that connect to the Schneider Electric management cloud through the SmartConnect feature. This lets them be managed remotely when needed, for example to update firmware, deliver new features, and apply security patches.
Researchers at Armis, a security solutions company for enterprise connected devices, found three critical issues in APC’s SmartConnect feature, which is available in most Smart-UPS product families. Two of them, tracked as CVE-2022-22805 and CVE-2022-22806, stem from an improper implementation of the TLS protocol.
The third, tracked as CVE-2022-0715, lies in the firmware of almost all APC Smart-UPS devices. Together these form TLStorm, and they are described as zero-click bugs because exploiting them requires no interaction from the user.
Researchers said they could intercept the TLS connection between the Schneider Electric management cloud and an APC Smart-UPS and, owing to a firmware authentication flaw, pass a maliciously crafted firmware update to the targeted system. The UPS accepts the update, which lets the attacker manage it remotely.
They also noted:
- The latest Smart-UPS devices featuring the SmartConnect cloud connection functionality can be upgraded from the cloud management console over the Internet
- Older Smart-UPS devices which use the Network Management Card (NMC) can be updated over the local network
- Most Smart-UPS devices can also be upgraded using a USB drive
Researchers have detailed their findings in a white paper, while APC has listed the following mitigations and updates for fixing these bugs in the affected UPS devices:
- Install the patches available on the Schneider Electric website.
- If you are using the NMC, change the default NMC password (“apc”) and install a publicly-signed SSL certificate so that an attacker on your network will not be able to intercept the new password. To further limit the attack surface of your NMC, refer to the Schneider Electric Security Handbook for NMC 2 and NMC 3.
- Deploy access control lists (ACLs) in which the UPS devices are only allowed to communicate with a small set of managed devices and the Schneider Electric Cloud via encrypted communications.
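The last recommendation is easy to state and hard to keep honest, so it helps to audit observed traffic against the intended policy. The script below is an added example, not code from Armis or APC: it models an allow-list in which hosts on a UPS/NMC VLAN may only talk to a handful of management hosts and the vendor cloud, and only over encrypted services, then checks a set of flow records against it. Every address, subnet, port list and flow record is constructed sample data (the "cloud" prefix is a TEST-NET range standing in for the real Schneider Electric endpoints), and the policy constants are assumptions to be replaced with a site's own values.

```python
"""Audit UPS/NMC network flows against an allow-list policy.

Added example (not from the Armis or APC write-ups). All subnets, hosts,
ports and flow records are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Constructed policy ---------------------------------------------------
UPS_SUBNET = ip_network("10.50.0.0/24")            # hypothetical UPS/NMC VLAN
MANAGEMENT_HOSTS = {                               # hypothetical managed hosts
    ip_address("10.10.1.5"),                       # network management system
    ip_address("10.10.1.6"),                       # admin jump host
}
CLOUD_PREFIXES = [ip_network("203.0.113.0/24")]    # TEST-NET-3 stand-in for vendor cloud
ENCRYPTED_PORTS = {443, 22, 5671}                  # HTTPS, SSH, AMQPS
PLAINTEXT_PORTS = {23: "telnet", 80: "http", 161: "snmp v1/v2c", 21: "ftp"}


@dataclass(frozen=True)
class Flow:
    """One observed connection (e.g. from NetFlow or a firewall log)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Finding:
    flow: Flow
    reason: str


def _in_cloud(addr) -> bool:
    return any(addr in prefix for prefix in CLOUD_PREFIXES)


def audit_flow(flow: Flow) -> list[str]:
    """Return the policy violations for one flow; an empty list means compliant."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    reasons: list[str] = []

    if src in UPS_SUBNET:
        # Outbound from a UPS: only managed hosts or the vendor cloud may be reached.
        if dst not in MANAGEMENT_HOSTS and not _in_cloud(dst):
            reasons.append(f"destination {flow.dst} is not in the UPS allow-list")
    elif dst in UPS_SUBNET:
        # Inbound to a UPS/NMC: only managed hosts may initiate connections.
        if src not in MANAGEMENT_HOSTS:
            reasons.append(f"source {flow.src} is not a managed host")
    else:
        return reasons  # neither endpoint is a UPS: out of scope for this policy

    # Either direction: the service itself must be an encrypted one.
    if flow.dport in PLAINTEXT_PORTS:
        reasons.append(f"plaintext {PLAINTEXT_PORTS[flow.dport]} on port {flow.dport}")
    elif flow.dport not in ENCRYPTED_PORTS:
        reasons.append(f"port {flow.dport} is not an approved encrypted service")
    return reasons


def audit_flows(flows) -> list[Finding]:
    """Run audit_flow over a batch and flatten the results into Findings."""
    return [Finding(f, r) for f in flows for r in audit_flow(f)]


# Constructed sample flows: two compliant, four that violate the policy.
SAMPLE_FLOWS = [
    Flow("10.50.0.20", "203.0.113.10", 443),         # UPS -> cloud over TLS: ok
    Flow("10.50.0.20", "198.51.100.7", 443),         # UPS -> unknown host
    Flow("10.10.1.5", "10.50.0.20", 443),            # NMS -> UPS over TLS: ok
    Flow("10.10.9.99", "10.50.0.20", 23),            # unmanaged host -> UPS, telnet
    Flow("10.50.0.21", "10.10.1.6", 80),             # UPS -> jump host, plaintext http
    Flow("10.10.1.5", "10.50.0.20", 161, "udp"),     # NMS -> UPS, SNMP v1/v2c
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        f = finding.flow
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {finding.reason}")
```

Fed with real flow exports, the same check doubles as a regression test for the ACLs themselves: any finding means either the ACL is incomplete or something on the UPS segment is talking where it should not.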