Armis discovers three critical zero-day vulnerabilities in APC Smart-UPS devices
Armis, the leading provider of a unified platform for asset visibility and security, today announced the discovery of three zero-day vulnerabilities in APC smart-UPS devices that allow attackers to gain remote access. If attackers exploit these vulnerabilities, which are grouped under the name TLStorm, they could disable, compromise or destroy the affected APC smart-UPS models and the associated assets.
The vulnerabilities in widespread uninterruptible power supplies could enable attackers to bypass security measures and remotely take over or damage critical industrial, medical and corporate devices
Uninterruptible power supplies (UPS) such as the APC Smart-UPS ensure an emergency power supply for critical assets in data centers, industrial plants, hospitals and other areas. APC is a subsidiary of Schneider Electric and one of the world’s leading UPS suppliers with over 20 million units sold.
Barak Hadad, Head of Research at Armis
“Until recently, assets such as UPS devices were not considered potential security risks. However, it has now become clear that security mechanisms are not always properly implemented in remotely managed devices, and malicious actors could abuse such vulnerable assets as an attack vector,” explains Barak Hadad, Head of Research at Armis. “It is essential for security experts to have a complete overview of all assets and to be able to monitor their behavior so that they can detect attempts to exploit security vulnerabilities such as TLStorm.”
Risks for companies
Armis examines and analyzes assets of various types to help security managers protect their companies from new threats. In the current case, Armis examined smart-UPS devices from APC and their remote management and monitoring services, as UPS from APC are often used in the environments of Armis customers. The latest models use a cloud connection for remote management. As the Armis security researchers found out, an attacker abusing the TLStorm vulnerabilities could remotely control devices over the Internet – without any user interaction or signs of an attack.
Armis discovered two critical vulnerabilities in the TLS implementation of cloud-connected Smart-UPS devices, plus a third, serious vulnerability: a design flaw that leaves firmware upgrades for all Smart-UPS devices without secure signing and validation.
Two of the vulnerabilities concern the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection at start-up and whenever the cloud connection has been temporarily interrupted. Attackers can trigger these vulnerabilities with unauthenticated network packets, without any user interaction.
- CVE-2022-22805 (CVSS 9.0) – TLS buffer overflow: a memory-corruption bug in packet reassembly (RCE).
- CVE-2022-22806 (CVSS 9.0) – TLS authentication bypass: a state-machine error during the TLS handshake lets an attacker bypass authentication and achieve remote code execution (RCE) via a firmware upgrade delivered over the network.
The third vulnerability is a design flaw: firmware updates for the affected devices are not cryptographically signed in a secure way. As a result, an attacker could craft malicious firmware and install it in several ways, for example over the Internet, over the LAN or from a USB flash drive. Such modified firmware would give attackers long-term persistence on the UPS and a foothold in the network from which to carry out further attacks.
- CVE-2022-0715 (CVSS 8.9) – Unsigned firmware upgrade that can be delivered over the network (RCE).
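The mitigation for this class of design flaw is a device-side update gate that verifies a vendor signature over the entire image before any header field is trusted, checks that the declared size matches what was actually received, and refuses downgrades. The following Go code is an added example written for this article, not code from Armis or Schneider Electric; the image layout, the `BuildImage`/`VerifyImage` names and the Ed25519 key are all constructed assumptions and not APC's real firmware format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (hypothetical, not APC's real format):
// version u32 BE | payload length u32 BE | payload | Ed25519 signature over all preceding bytes.
const hdrLen = 8

// BuildImage serialises the image and signs it with the vendor's private key (build-server step).
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, hdrLen+len(payload))
	binary.BigEndian.PutUint32(body[0:4], version)
	binary.BigEndian.PutUint32(body[4:8], uint32(len(payload)))
	copy(body[hdrLen:], payload)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side gate: verify the signature over the whole body before trusting any
// field, require the declared length to match the bytes received, and refuse downgrades.
func VerifyImage(pub ed25519.PublicKey, img []byte, installed uint32) (uint32, []byte, error) {
	if len(img) < hdrLen+ed25519.SignatureSize {
		return 0, nil, errors.New("image too short for header and signature")
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, errors.New("signature check failed: image not signed by the vendor key")
	}
	version := binary.BigEndian.Uint32(body[0:4])
	if int(binary.BigEndian.Uint32(body[4:8])) != len(body)-hdrLen {
		return 0, nil, errors.New("declared payload length does not match image size")
	}
	if version < installed {
		return 0, nil, fmt.Errorf("rollback refused: v%d is older than installed v%d", version, installed)
	}
	return version, body[hdrLen:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	img := BuildImage(priv, 3, []byte("constructed payload"))
	_, _, err := VerifyImage(pub, img, 2)
	fmt.Println("genuine image accepted:", err == nil)
}
```

On a real device the public key would live in immutable storage or a hardware root of trust, and the installed version used for the rollback check would come from an anti-rollback counter rather than a writable config field.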
It is becoming increasingly common for APTs to exploit weaknesses in firmware upgrade processes, as recently described in the analysis of the Cyclops Blink malware, and improperly signed firmware is a recurring error in embedded systems. For example, a vulnerability that Armis recently found in Swisslog’s pneumatic tube systems (PwnedPiper, CVE-2021-37160) is based on a similar bug.
Yevgeny Dibrov, CEO and Co-Founder of Armis
“The TLStorm vulnerabilities affect cyber-physical systems that connect our digital and our physical world. Therefore, corresponding cyberattacks could also have an impact on the real world,” emphasizes Yevgeny Dibrov, CEO and Co-Founder of Armis. “Armis’ platform addresses this hyperconnected reality: a reality in which a single compromised identity and a single compromised device can open the door to cyberattacks, and the security of each individual asset has become a prerequisite for maintaining business continuity and brand reputation. Our ongoing research enables us to protect companies by giving them a one hundred percent view of all their IT, cloud, IoT, OT, IoMT, 5G and Edge assets.”
Updates and risk reduction
Schneider Electric collaborated with Armis on this matter. Customers have been notified and supplied with patches that fix the vulnerabilities. To the best of both companies’ knowledge, there is no indication that the TLStorm vulnerabilities have been exploited.
Companies using APC Smart-UPS devices should patch the affected devices immediately. For more information, see the Schneider Electric security advisory at this link.
Armis customers can immediately identify vulnerable APC Smart-UPS devices in their environments and take remedial action. If you would like to talk to an Armis expert and get to know our award-winning agentless Device Security platform, please click here.
Presentation of research results
Experts from Armis will discuss the research results on TLStorm at the following virtual and face-to-face events: