TLStorm: Three Critical Vulnerabilities Affecting APC Smart-UPS Devices

Armis security researchers recently announced that they have discovered three vulnerabilities in managed uninterruptible power supplies Services that allow remote control and manipulation of the device, such as turning off certain ports or using it to carry out attacks on other systems.

Vulnerabilities they are codenamed TLStorm and affect APC Smart-UPS (SCL, SMX, SRT series) and SmartConnect (SMT, SMTL, SCL, and SMX series).

Uninterruptible Power Supply (UPS) devices provide emergency backup power for mission-critical assets and can be found in data centers, industrial facilities, hospitals, and more.

APC is a subsidiary of Schneider Electric and is one of the leading providers of UPS devices with more than 20 million devices sold worldwide. If exploited, these vulnerabilities, dubbed TLStorm, allow full remote takeover of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities. This blog post provides a high-level overview of this research and its implications.

In the blog post it is mentioned that two of the vulnerabilities are caused by bugs in the implementation of the TLS protocol on devices managed through a centralized Schneider Electric cloud service.

The SmartConnect series devices automatically connect to a cloud service centralized when starting or losing the connection and an unauthenticated attacker can exploit vulnerabilities and gain control total on the device by sending specially designed packages to UPS.

  • CVE-2022-22805: Buffer overflow in packet reassembly code exploited when processing incoming connections. The issue is caused by buffering data during the processing of fragmented TLS records. Exploitation of the vulnerability is facilitated by incorrect error handling when using the Mocana nanoSSL library: after returning an error, the connection was not closed.
  • CVE-2022-22806: Authentication bypass when establishing a TLS session caused by a state error during connection negotiation. Caching an uninitialized null TLS key and ignoring the error code returned by the Mocana nanoSSL library when a packet with an empty key was received made it possible to simulate being a Schneider Electric server without going through the verification and key exchange stage .

The third vulnerability (CVE-2022-0715) is associated with an incorrect implementation of firmware verification downloaded for the update and allows an attacker to install the modified firmware without verifying the digital signature (it turned out that the digital signature is not verified for the firmware at all, but only symmetric encryption with a key predefined in the firmware is used).

Combined with the CVE-2022-22805 vulnerability, an attacker could replace the firmware remotely by posing as a Schneider Electric cloud service or by initiating an update from a local network.

Abusing flaws in firmware update mechanisms is becoming standard practice for APTs, as recently detailed in the analysis of Cyclops Blink malware, and missigning embedded device firmware is a recurring flaw in several systems. integrated. A previous vulnerability discovered by Armis in Swisslog PTS systems ( PwnedPiper , CVE-2021-37160) was the result of a similar type of flaw.

Having gained access to the UPS, an attacker can plant a backdoor or malicious code on the device, as well as perform sabotage and turn off the power of important consumers, for example, turning off the power of video surveillance systems in banks or life support.

Schneider Electric has prepared patches to solve problems and is also preparing a firmware update. To reduce the risk of compromise, it is also recommended to change the default password (“apc”) on devices with a NMC (Network Management Card) and install a digitally signed SSL certificate, as well as restrict access to UPS in the firewall only to addresses in the Schneider Electric cloud.

Finally If you are interested in knowing more about it, you can check the details in the following link


Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.