Researchers Discover Vulnerabilities in APC Smart-UPS Devices


A trio of recently disclosed security vulnerabilities poses a serious threat to power backup devices, including possible physical damage.

Researchers at IoT security firm Armis have discovered and reported three CVE-listed security flaws, collectively dubbed TLStorm, that allow remote code execution on uninterruptible power supply (UPS) devices manufactured by APC.

The bugs are tracked as CVE-2022-0715 (an unsigned firmware update flaw), CVE-2022-22806 (an authentication bypass) and CVE-2022-22805 (a buffer overflow). The most serious of them could give an attacker remote control of the device and the ability to alter hardware settings, creating a physical fire hazard.

UPS devices would not typically be exposed to the open Internet, but APC's Smart-UPS devices are network-managed: they expose an administration interface and, in newer models, maintain a TLS connection to Schneider Electric's cloud management service. Because of this, Armis researchers say the bugs are indeed remotely exploitable by attackers who never touch the device.

The flaw with the most direct physical consequences is CVE-2022-0715, which allows a remote attacker to push firmware updates to the device without authorization. An attacker who can overwrite the firmware of a UPS could modify critical hardware settings to make the device overheat. "Illustrating the cyber-physical effect of the TLStorm attack, Armis researchers were able to damage a Smart-UPS on the network without user interaction," the TLStorm report noted.
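The weakness behind an "unsigned firmware update" bug is that the device checks only the shape of an image (a magic value, a length, a checksum) and never proves who produced it. The following Go program is an added illustration written for this article, not code from Armis or from APC/Schneider Electric firmware; the image layout, the field names and the sample payload strings are all invented for the example. It builds a signed image, forges a tampered copy the way a network attacker would (new payload, recomputed CRC, no secret needed), and runs both the checksum-only acceptance path and a path that verifies an Ed25519 signature against a public key baked into the device.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Invented image layout for this example (not APC's real format):
//   magic(4) | version(4) | payloadLen(4) | payload | crc32(4) | ed25519 sig(64)
// The signature covers everything before the crc field.
const (
	imageMagic = 0x55505346 // "UPSF", an invented marker
	headerLen  = 12
)

type Image struct {
	Version uint32
	Payload []byte
}

// encodeBody serialises header and payload: the region that gets signed.
func encodeBody(img Image) []byte {
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.BigEndian, uint32(imageMagic))
	binary.Write(buf, binary.BigEndian, img.Version)
	binary.Write(buf, binary.BigEndian, uint32(len(img.Payload)))
	buf.Write(img.Payload)
	return buf.Bytes()
}

func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// BuildImage is the vendor-side step: checksum for integrity, signature for authenticity.
func BuildImage(img Image, priv ed25519.PrivateKey) []byte {
	body := encodeBody(img)
	out := append([]byte{}, body...)
	out = append(out, u32(crc32.ChecksumIEEE(body))...)
	return append(out, ed25519.Sign(priv, body)...)
}

// parseImage splits a blob into signed body, crc and signature, with bounds checks.
func parseImage(blob []byte) (body []byte, crc uint32, sig []byte, err error) {
	minLen := headerLen + 4 + ed25519.SignatureSize
	if len(blob) < minLen {
		return nil, 0, nil, errors.New("image too short")
	}
	if binary.BigEndian.Uint32(blob[0:4]) != imageMagic {
		return nil, 0, nil, errors.New("bad magic")
	}
	plen := int(binary.BigEndian.Uint32(blob[8:12]))
	if plen < 0 || plen != len(blob)-minLen {
		return nil, 0, nil, errors.New("payload length does not match image size")
	}
	bodyEnd := headerLen + plen
	return blob[:bodyEnd], binary.BigEndian.Uint32(blob[bodyEnd : bodyEnd+4]), blob[bodyEnd+4:], nil
}

// AcceptUnsigned models the weak pattern: structure and checksum only, so anyone who can reach
// the update path can supply an image of their own.
func AcceptUnsigned(blob []byte) (Image, error) {
	body, crc, _, err := parseImage(blob)
	if err != nil {
		return Image{}, err
	}
	if crc32.ChecksumIEEE(body) != crc {
		return Image{}, errors.New("crc mismatch")
	}
	return Image{Version: binary.BigEndian.Uint32(body[4:8]), Payload: body[headerLen:]}, nil
}

// AcceptSigned is the hardened path: verify the signature with the vendor public key stored in
// the device before trusting the payload for anything, then check the crc.
func AcceptSigned(blob []byte, vendorPub ed25519.PublicKey) (Image, error) {
	body, crc, sig, err := parseImage(blob)
	if err != nil {
		return Image{}, err
	}
	if !ed25519.Verify(vendorPub, body, sig) {
		return Image{}, errors.New("signature verification failed")
	}
	if crc32.ChecksumIEEE(body) != crc {
		return Image{}, errors.New("crc mismatch")
	}
	return Image{Version: binary.BigEndian.Uint32(body[4:8]), Payload: body[headerLen:]}, nil
}

// ForgeImage is the attacker's move: swap the payload and recompute the CRC (no secret needed).
// The old signature is carried over but no longer matches the new body.
func ForgeImage(orig, newPayload []byte) ([]byte, error) {
	body, _, sig, err := parseImage(orig)
	if err != nil {
		return nil, err
	}
	newBody := encodeBody(Image{Version: binary.BigEndian.Uint32(body[4:8]), Payload: newPayload})
	out := append([]byte{}, newBody...)
	out = append(out, u32(crc32.ChecksumIEEE(newBody))...)
	return append(out, sig...), nil
}

// Demo builds a legitimate image, forges it, and reports which acceptance path takes which image.
func Demo() (legitSignedOK, forgedUnsignedOK, forgedSignedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample payloads standing in for real firmware settings.
	legit := BuildImage(Image{Version: 1, Payload: []byte("fan-curve=normal;vout-limit=nominal")}, priv)
	forged, err := ForgeImage(legit, []byte("fan-curve=off;vout-limit=unsafe"))
	if err != nil {
		return
	}
	_, e1 := AcceptSigned(legit, pub)
	_, e2 := AcceptUnsigned(forged)
	_, e3 := AcceptSigned(forged, pub)
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	a, b, c, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legit image, signed path accepted: %v\n", a)
	fmt.Printf("forged image, unsigned path accepted: %v\n", b)
	fmt.Printf("forged image, signed path accepted: %v\n", c)
}
```

The point to take away is the ordering inside AcceptSigned: the signature is checked over the raw bytes before any field of the payload is interpreted, and the public key lives in the device, not in the image. A symmetric scheme (encrypting the image with a key shared by every device) does not give this property, because the same key that decrypts can also produce a valid image.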

Perhaps even more worrisome is the attacker's ability to use a compromised UPS as a foothold for further access to the network. Because UPS units are managed over the network, an attacker who controls one can use it to reach other systems on the same network.

Barak Hadad, head of research at Armis, told SearchSecurity that the risk depends on how each company has configured its network and where the UPS sits within it.

"Since UPSs are typically responsible for powering critical devices, shutting down the UPS also shuts down the device connected to it and can have serious consequences," Hadad explained. "In addition to this, the UPS is often connected to the same internal network as the devices that depend on it, and an attacker can use it to move laterally within the internal network using the UPS as a gateway."

CVE-2022-22806 and CVE-2022-22805, meanwhile, are an authentication bypass and a buffer overflow, respectively, both in the device's TLS handling. In either case, a specially crafted TLS packet could allow the attacker to obtain remote code execution on the UPS.

Armis researchers note that the flaws illustrate how UPS units, which are not usually considered a security risk or an update priority, can become attack vectors once remote-management features are added to them.

The team even referenced Hollywood in their report.

"The fact that UPS devices regulate high-voltage power, combined with their Internet connectivity, makes them a high-value cyber-physical target. In the TV series Mr. Robot, bad actors cause an explosion using an APC UPS," the report said. "However, this is no longer a fictional attack. By exploiting these vulnerabilities in the lab, Armis researchers were able to remotely ignite a Smart-UPS device and literally cause it to go up in smoke."

Armis said it disclosed the TLStorm vulnerabilities to APC's parent company, Schneider Electric, on October 31, 2021, and worked with the company on patches for Smart-UPS devices, which are now available. Schneider Electric published a security advisory on Tuesday detailing the affected products and the corresponding security updates.

Armis recommended that administrators check with Schneider Electric to ensure their UPS systems are running the latest firmware. Beyond patching the TLStorm flaws, Armis also urged users to change the default passwords on the network management cards (NMCs) in Smart-UPS devices and to review their network access policies so that the UPS is reachable only from where it needs to be.
