Critical flaws in APC uninterruptible power supplies poses risks to mission-critical devices

Security researchers have found several vulnerabilities affecting many models of APC Smart-UPS uninterruptible power supplies that could be exploited to take over the devices. UPS devices are used across many industries to keep mission-critical devices running in case of power loss.

“Two of these are remote code execution (RCE) vulnerabilities in the code handling the cloud connection, making these vulnerabilities exploitable over the Internet,” researchers from security firm Armis, who found the flaws, said in a report. The company has dubbed the vulnerabilities TLStorm because they’re located in the TLS implementation used in cloud-connected Smart-UPS devices.

APC, a division of Schneider Electric, is one of the market leaders for UPS devices. Its Smart-UPS line of products was launched in 1990 and the company estimates over 20 million units sold to date. Some of the newer models feature a technology called SmartConnect that makes them network enabled and allows users to monitor their status through cloud-based web portal and to issue firmware updates.

Three APC vulnerabilities exploitable without user interaction

“Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost,” the Armis researchers said. “Attackers can trigger the vulnerabilities via unauthenticated network packets without any user interaction.”

One of the flaws, tracked as CVE-2022-22805, is a buffer overflow memory corruption in the TLS packet reassembly, while another, CVE-2022-22806, is an authentication bypass due to a confusion in the TLS handshake that can allow attackers to perform rogue firmware upgrades over the network. Both flaws are rated 9.0 (critical) on the CVSS severity scale.

A third vulnerability, CVE-2022-0715, is described as a design flaw that stems from the lack of cryptographic signature verification for deployed firmware. This enables attackers to deploy maliciously modified firmware through the TLS vulnerabilities, but also through other firmware update paths such as LAN or an USB thumb drive.

“This modified firmware could allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network to launch additional attacks,” the Armis researchers said.

Remediation for the APC UPS vulnerabilities

Schneider Electric has released firmware updates for some of the impacted models that partially address one or more of the vulnerabilities. Firmware Version UPS 04.6 (SMT series) and Version UPS 04.3 (SMC series) include a fix for CVE-2022-22805 and CVE-2022-22806 and a partial remediation for CVE-2022-0715, for the Smart-UPS and SmartConnect UPS SMT and SMC series.

However, more product lines are affected. These include the Smart-UPS SCL, SMX and SRT Series and the SmartConnect SMTL, SCL and SMX Series. For these models, the company is working on firmware patches, but in the meantime it advises customers to either disable the SmartConnect feature from the device’s front panel if applicable or disconnect any network cable connected to the affected UPS. Schneider also has a recommended cybersecurity best practices document.

There is no evidence that these vulnerabilities have been exploited in the wild so far and UPS devices have not historically been a target for cyberattacks. However, as more traditional devices receive network and cloud connectivity for remote management purposes, they can become a security risk for the networks they’re in because they essentially become computers on the network. The risks are further increased depending on the functions they serve. The primary goal of uninterruptible power supplies is to keep other critical devices and processes running and the impact of unplanned shutdown of those devices and processes could be very serious to asset owners.