Critical Vulnerabilities In APC Smart-UPS Devices Let Attackers Remotely Manipulate The Power

The cybersecurity firm, Armis has recently discovered that Schneider Electric’s subsidiary, APC Smart-UPS devices, are vulnerable to attacks, as, in PC Smart-UPS devices, three critical vulnerabilities were detected.

An APC Smart-UPS device is a type of backup battery that provides power back up to IT assets within a network. However, the three severe vulnerabilities that were discovered could allow an attacker to execute extreme attacks targeting both physical devices and IT assets remotely by taking over Smart-UPS devices.

The vulnerabilities were dubbed TLStorm, and by exploiting the detected critical flaws, an attacker can perform:-

• Remote code execution.
• Replace firmware.
• Potentially burn the entire unit.

Vulnerabilities that were uncovered by the recent APC security re-assessment are widespread and used in a variety of areas such as:- 

• Government
• Healthcare
• Industrial
• IT
• Retail
• OT/ICS environments
• Residences
• Server rooms
• Energy suppliers

Vulnerabilities

Three critical vulnerabilities were detected, and here below, we have mentioned them all:-

• CVE ID: CVE-2022-22806
• Summary: TLS authentication bypass
• Description: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.
• Severity: Critical

• CVE ID: CVE-2022-22805
• Summary: TLS buffer overflow
• Description: A memory corruption bug in packet reassembly (RCE).
• Severity: Critical

• CVE ID: CVE-2022-0715
• Summary: RCE
• Description: Unsigned firmware upgrade that can be updated over the network (RCE).
• Severity: Critical

Affected Products

Below we have mentioned all the products that are affected:-

• Smart-UPS SMT and SMC Series
• SmartConnect SMT and SMC Series
• Smart-UPS SCL, SMX, and SRT Series
• SmartConnect SMTL, SCL, and SMX Series

Risk Aspect

Armis has claimed that these critical vulnerabilities were detected in the SmartConnect and Smart-UPS family of products which of APC would leave the devices exposed to several attacks.

The CVE-2022-22805 and CVE-2022-22806 were found in the implementation of the TLS; it’s a protocol that creates a link between Smart-UPS devices and SmartConnect, a cloud management feature of Schneider Electric.

The CVE-2022-0715 is the third one that is related to the firmware of almost all APC Smart-UPS devices, an unsigned firmware upgrade that can be updated over the network.

Security Recommendations

The cybersecurity analysts at Armis security firm has recommended a few security mitigations:-

• From the Schneider Electric website, immediately install all the available patches.
• Locate and isolate all the remote devices, control, and safety system networks that are behind firewalls.
• Never connect any programming software to an unknown network.
• Do not allow mobile devices that have connected to any other network.
• Make sure that all the control system devices and systems are not accessible from the Internet.
• Make sure to deploy access control lists (ACLs) in which the UPS devices are only allowed to communicate.
• Always use VPNs whenever remote access is required.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.