Menu
Critical flaws in APC uninterruptible power supplies poses risks to mission-critical devices

Critical flaws in APC uninterruptible power supplies poses risks to mission-critical devices

Attackers can exploit cloud-connected APC Smart-UPS units to take control of the devices they protect.

Credit: Dreamstime

Security researchers have found several vulnerabilities affecting many models of APC Smart-UPS uninterruptible power supplies that could be exploited to take over the devices. UPS devices are used across many industries to keep mission-critical devices running in case of power loss.

"Two of these are remote code execution (RCE) vulnerabilities in the code handling the cloud connection, making these vulnerabilities exploitable over the Internet," researchers from security firm Armis, who found the flaws, said in a report. The company has dubbed the vulnerabilities TLStorm because they're located in the TLS implementation used in cloud-connected Smart-UPS devices.

APC, a division of Schneider Electric, is one of the market leaders for UPS devices. Its Smart-UPS line of products was launched in 1990 and the company estimates over 20 million units sold to date. 

Some of the newer models feature a technology called SmartConnect that makes them network enabled and allows users to monitor their status through cloud-based web portal and to issue firmware updates.

Three APC vulnerabilities exploitable without user interaction

"Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost," the Armis researchers said. "Attackers can trigger the vulnerabilities via unauthenticated network packets without any user interaction."

One of the flaws, tracked as CVE-2022-22805, is a buffer overflow memory corruption in the TLS packet reassembly, while another, CVE-2022-22806, is an authentication bypass due to a confusion in the TLS handshake that can allow attackers to perform rogue firmware upgrades over the network. Both flaws are rated 9.0 (critical) on the CVSS severity scale.

A third vulnerability, CVE-2022-0715, is described as a design flaw that stems from the lack of cryptographic signature verification for deployed firmware. This enables attackers to deploy maliciously modified firmware through the TLS vulnerabilities, but also through other firmware update paths such as LAN or an USB thumb drive.

"This modified firmware could allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network to launch additional attacks," the Armis researchers said.

Remediation for the APC UPS vulnerabilities

Schneider Electric has released firmware updates for some of the impacted models that partially address one or more of the vulnerabilities. Firmware Version UPS 04.6 (SMT series) and Version UPS 04.3 (SMC series) include a fix for CVE-2022-22805 and CVE-2022-22806 and a partial remediation for CVE-2022-0715, for the Smart-UPS and SmartConnect UPS SMT and SMC series.

However, more product lines are affected. These include the Smart-UPS SCL, SMX and SRT Series and the SmartConnect SMTL, SCL and SMX Series. 

For these models, the company is working on firmware patches, but in the meantime it advises customers to either disable the SmartConnect feature from the device's front panel if applicable or disconnect any network cable connected to the affected UPS. Schneider also has a recommended cyber security best practices document.

There is no evidence that these vulnerabilities have been exploited in the wild so far and UPS devices have not historically been a target for cyber attacks. However, as more traditional devices receive network and cloud connectivity for remote management purposes, they can become a security risk for the networks they're in because they essentially become computers on the network. 

The risks are further increased depending on the functions they serve. The primary goal of uninterruptible power supplies is to keep other critical devices and processes running and the impact of unplanned shutdown of those devices and processes could be very serious to asset owners.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags apccyber securitySchneider Electric

Events

ARN Innovation Awards 2022

Innovation Awards is the market-leading awards program for celebrating ecosystem innovation and excellence across the technology sector in Australia.

EDGE 2022

EDGE is the leading technology conference for business leaders in Australia and New Zealand, built on the foundations of collaboration, education and advancement.

Show Comments