Uninterruptible power supply (UPS) products made by Schneider Electric subsidiary APC are affected by critical vulnerabilities that can be exploited to remotely hack and damage devices, according to enterprise device security company Armis.
Armis researchers have identified three vulnerabilities in APC Smart-UPS devices, which they collectively named TLStorm.
APC says it has sold more than 20 million UPS devices worldwide and data from Armis shows that nearly 80% of companies are exposed to TLStorm attacks. UPS devices are used in data centers, hospitals and industrial facilities, and attacks targeting these systems can have serious consequences.
Armis researchers have analyzed the communications between the APC Smart-UPS devices and their remote management services, and discovered vulnerabilities in the TLS implementation and a design flaw related to firmware upgrades.
One security hole, tracked as CVE-2022-22806, has been described as a TLS authentication bypass issue that can lead to remote code execution. The second TLS-related flaw, CVE-2022-22805, has been described as a buffer overflow related to packet reassembly and it can also lead to remote code execution.
These vulnerabilities can be exploited remotely — including from the internet — by an unauthenticated attacker to “alter the operations of the UPS to physically damage the device itself or other assets connected to it,” Armis said.
The third vulnerability, CVE-2022-0715, is related to unsigned firmware updates. Due to the fact that firmware updates are not cryptographically signed, an attacker could create a malicious piece of firmware and install it from a USB drive, the network and even from the internet.
“This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried,” Armis explained.
In an effort to demonstrate the potential impact of these vulnerabilities, the cybersecurity firm has developed a proof-of-concept (PoC) exploit that causes a UPS’s internal circuitry to heat up until smoke comes out and the device becomes completely bricked.
“Since the TLS attack vector can originate from the Internet, these vulnerabilities can act as a gateway to the internal corporate network,” Armis said. “Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall. They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.”
In a security advisory released on Tuesday, Schneider Electric said the vulnerabilities, which have been classified as “critical” and “high severity,” impact SMT, SMC, SCL, SMX, SRT, and SMTL series products. The company has started releasing firmware updates that contain patches for these vulnerabilities. In the case of products for which firmware patches are not available, Schneider has provided a series of mitigations for reducing the risk of exploitation.
Related: Critical Vulnerability Can Be Exploited to Hack Schneider Electric’s Modicon PLCs
Related: Flaws in Pneumatic Tube System Can Facilitate Cyberattacks on North American Hospitals