APC UPS zero-day bugs can burn out devices remotely, cut power

A set of three critical zero-day vulnerabilities, tracked collectively as TLStorm, could give hackers control over Uninterruptible Power Supply (UPS) devices made by APC, a subsidiary of Schneider Electric.

The flaws affect APC Smart-UPS systems that are popular in a variety of business sectors, including government, healthcare, industrial, IT and retail.

UPS devices act as emergency power backup solutions and are present in mission-critical environments such as data centers, industrial facilities and hospitals.

Risk of physical impact

Researchers at Armis, a company that provides security solutions for enterprise connected devices, have identified the three issues in APC’s SmartConnect and Smart-UPS family of products.

Two of the vulnerabilities, CVE-2022-22805 and CVE-2022-22806, are in the implementation of the Transport Layer Security (TLS) protocol that connects the Smart-UPS devices with the “SmartConnect” feature to the Schneider Electric management cloud.

The third, identified as CVE-2022-0715, relates to the firmware of “almost all APC Smart-UPS devices”, which is not cryptographically signed and cannot be authenticated when installed on the system.

Although the firmware is encrypted (symmetric), it lacks a cryptographic signature, allowing threat actors to create a malicious version of it and deliver it as an update to target UPS devices to achieve Remote Code Execution (RCE).
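The distinction the paragraph above draws, encryption versus a signature, is easy to see in code. The following added example (written for this article; it is not APC, Schneider Electric or Armis code and uses a hypothetical shared key, a hypothetical vendor key pair and a constructed sample image) contrasts two device-side acceptance policies: one that installs anything that decrypts under a key shared by every unit, and one that first verifies an Ed25519 signature against a vendor public key pinned in the device. Even authenticated encryption (AES-GCM here) under a shared key only proves that the sender knew that key, which is exactly why a forged image passes the first check and fails the second.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleFirmware is a constructed stand-in for a real update image.
var sampleFirmware = []byte("FW v1.0 constructed sample image")

// sharedKey is a hypothetical symmetric key of the kind baked into every unit;
// once it has been extracted from one device it is effectively public.
var sharedKey = bytes.Repeat([]byte{0x42}, 32)

// encryptImage wraps an image with AES-GCM under key, producing nonce || ciphertext.
func encryptImage(key, image []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, image, nil)...), nil
}

// decryptImage reverses encryptImage and fails on a wrong key or a damaged blob.
func decryptImage(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// acceptEncryptedOnly models the weak policy: anything that decrypts under the
// shared key is installed. It cannot tell a vendor build from a forged one.
func acceptEncryptedOnly(blob []byte) bool {
	_, err := decryptImage(sharedKey, blob)
	return err == nil
}

// SignedUpdate carries the encrypted blob plus the vendor's Ed25519 signature over it.
type SignedUpdate struct {
	Blob []byte
	Sig  []byte
}

// signUpdate is the vendor-side step: sign the encrypted blob with a private key
// that never leaves the build system.
func signUpdate(priv ed25519.PrivateKey, blob []byte) SignedUpdate {
	return SignedUpdate{Blob: blob, Sig: ed25519.Sign(priv, blob)}
}

// acceptSigned models the hardened policy: verify the signature against the
// public key pinned in the device before decrypting or touching the image.
func acceptSigned(vendorPub ed25519.PublicKey, u SignedUpdate) bool {
	if !ed25519.Verify(vendorPub, u.Blob, u.Sig) {
		return false
	}
	_, err := decryptImage(sharedKey, u.Blob)
	return err == nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical non-vendor key

	genuine, _ := encryptImage(sharedKey, sampleFirmware)
	forged, _ := encryptImage(sharedKey, []byte("constructed forged image"))

	fmt.Println("encrypt-only accepts genuine:", acceptEncryptedOnly(genuine))
	fmt.Println("encrypt-only accepts forged: ", acceptEncryptedOnly(forged))
	fmt.Println("signed accepts genuine:      ", acceptSigned(vendorPub, signUpdate(vendorPriv, genuine)))
	fmt.Println("signed accepts forged:       ", acceptSigned(vendorPub, signUpdate(attackerPriv, forged)))
}
```

The design point is the order of operations in acceptSigned: the signature is checked over the ciphertext before any decryption or parsing, so a forged image is rejected without the device ever processing its contents. Signing the blob rather than the plaintext also means the verifier needs no secret at all, only the pinned public key.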

Armis researchers were able to exploit the flaw and build a malicious APC firmware version that was accepted by Smart-UPS devices as an official update, a process that runs differently depending on the target:

- The latest Smart-UPS devices with the SmartConnect cloud connectivity functionality can be upgraded from the cloud management console over the Internet
- Older Smart-UPS devices that use the Network Management Card (NMC) can be upgraded over the local network
- Most Smart-UPS devices can also be upgraded with a USB drive

Given that vulnerable APC UPS units are used in about eight out of 10 companies – according to data from Armis – and the sensitive environments they serve (medical facilities, ICS networks, server rooms), the implications could have significant physical consequences.

The TLS-related vulnerabilities that Armis discovered appear to be more serious because they can be exploited by an unauthenticated attacker without user intervention, in what is known as a zero-click attack.

“[CVE-2022-22806 and CVE-2022-22805] relate to the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection on startup or when cloud connections are temporarily lost” – Armis Labs

Both vulnerabilities stem from incorrect TLS error handling in the connection from the Smart-UPS to the Schneider Electric server and, when exploited successfully, lead to remote code execution.

One of the vulnerabilities is an authentication bypass caused by “state confusion in the TLS handshake”; the other is a memory corruption bug.

In a blog post published today, Armis demonstrates how a third-party threat actor could exploit the vulnerabilities.

Recommendations for mitigation

The researchers’ report explains the technicalities for all three TLStorm vulnerabilities and provides a set of recommendations for protecting UPS devices:

- Install the available patches from the Schneider Electric website.
- If you are using the NMC, change the default NMC password (“apc”) and install a publicly signed SSL certificate so that an attacker on your network cannot intercept the new password.
- To further reduce the attack surface of your NMC, refer to the Schneider Electric Security Handbook for NMC 2 and NMC 3.
- Implement access control lists (ACLs) in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications.

Armis has also published a technical white paper with the full details of its investigation.

This post, APC UPS zero-day bugs can burn out devices remotely, cut power, was originally published at https://www.bleepingcomputer.com/news/security/apc-ups-zero-day-bugs-can-remotely-burn-out-devices-disable-power/