Security researchers have found several vulnerabilities affecting many models of APC Smart-UPS uninterruptible power supplies that could be exploited to take over the devices. UPS devices are used across many industries to keep mission-critical devices running in case of power loss.
“Two of these are remote code execution (RCE) vulnerabilities in the code handling the cloud connection, making these vulnerabilities exploitable over the Internet,” researchers from security firm Armis, who found the flaws, said in a report. The company has dubbed the vulnerabilities TLStorm because they’re located in the TLS implementation used in cloud-connected Smart-UPS devices.
APC, a division of Schneider Electric, is one of the market leaders for UPS devices. Its Smart-UPS line of products was launched in 1990 and the company estimates over 20 million units sold to date. Some of the newer models feature a technology called SmartConnect that makes them network enabled and allows users to monitor their status through cloud-based web portal and to issue firmware updates.
Three APC vulnerabilities exploitable without user interaction
“Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost,” the Armis researchers said. “Attackers can trigger the vulnerabilities via unauthenticated network packets without any user interaction.”
One of the flaws, tracked as CVE-2022-22805, is a buffer overflow memory corruption in the TLS packet reassembly, while another, CVE-2022-22806, is an authentication bypass due to a confusion in the TLS handshake that can allow attackers to perform rogue firmware upgrades over the network. Both flaws are rated 9.0 (critical) on the CVSS severity scale.
A third vulnerability, CVE-2022-0715, is described as a design flaw that stems from the lack of cryptographic signature verification for deployed firmware. This enables attackers to deploy maliciously modified firmware through the TLS vulnerabilities, but also through other firmware update paths such as LAN or an USB thumb drive.
Copyright © 2022 IDG Communications, Inc.
