The ‘TLStorm’ vulnerabilities, found in APC Smart-UPS products, could allow attackers to cause both cyber and physical damage by taking down critical infrastructure.
Three critical security vulnerabilities in widely used smart uninterruptible power supply (UPS) devices could allow for remote takeover, meaning that malicious actors could cause business disruptions, data loss and even physical harm to critical infrastructure, researchers have found.
Researchers at Armis Research Labs discovered the flaws, which they’ve dubbed TLStorm, in APC Smart-UPS devices, which number about 20 million in deployment worldwide. APC is a subsidiary of Schneider Electric, one of the leading vendors of UPS devices. UPS devices provide emergency backup power for mission-critical assets that require high availability.
The risk for widespread disruption and damage in both the cyber and physical worlds is high if the vulnerabilities are exploited, researchers said in a report published online on Tuesday — and could have an impact on a global scale.
By exploiting TLStorm, attackers could remotely take over the devices and use them to breach a company’s internal network and steal data. Moreover, by cutting power for mission-critical appliances or services, attackers also could cause physical injury or disrupt business services, researchers said.
“The latest APC Smart-UPS models are controlled through a cloud connection, and a bad actor who successfully exploits TLStorm vulnerabilities could remotely take over devices from the internet without any user interaction or the user ever knowing about it,” researchers warned in the report.
Moreover, an attacker can exploit the flaws to gain code execution on a device, which in turn could be used to alter the operation of the UPS to physically damage the device itself or other assets connected to it, researchers said.
Schneider Electric worked in collaboration with Armis to develop patches for the vulnerabilities, which were distributed to customers and are available on the Schneider Electric website. As far as researchers know, there is no indication that the vulnerabilities have been exploited thus far, they said.
The TLStorm Vulnerabilities
Two of the vulnerabilities involve improper error handling of Transport Layer Security–the “TLS” of TLStorm — in the TLS connection between the UPS and the Schneider Electric cloud. TLS is a widely adopted security protocol designed to facilitate privacy and data security for internet communications.
Devices that support the SmartConnect feature automatically establish this TLS connection upon startup or whenever cloud connections are temporarily lost, researchers explained.
The first, tracked as CVE-2022-22805, is a TLS buffer overflow/memory-corruption bug in packet reassembly that can lead to remote code execution (RCE). Meanwhile, CVE-2022-22806, a TLS authentication bypass, is a state confusion in the TLS handshake leads to authentication bypass and also RCE, researchers said. Both bugs received a rating of 9.0 on the CVSS bug-severity scale.
These vulnerabilities can be triggered via unauthenticated network packets without any user interaction, a scenario that’s known as a zero-click attack, researchers said.
“APC uses Mocana nanoSSL as the library responsible for TLS communications,” they wrote in the report. “The library manual clearly states that library users should close the connection when there is a TLS error. In the APC usage of this library, however, some errors are ignored, leaving the connection open but in a state that the library was not designed to handle.”
The third flaw, tracked as CVE-2022-0715 and with a CVSS rating of 8.9, is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner.
“The APC Smart-UPS firmware is encrypted with a symmetrical encryption, but is not cryptographically signed,” according to the report. “That nuance allowed our researchers to fabricate malicious firmware that Smart-UPS devices accepted as official, valid firmware.”
In a similar way, an attacker also could craft malicious firmware and install it using various paths, including the internet, LAN or a USB thumb drive, researchers explained.
Global Ramifications
Given the war in Ukraine and the current geopolitical environment, the FBI and U.S. Department of Homeland Security have urged critical infrastructure operators to report anything unusual and patch all affected devices in their environments as soon as possible.
Indeed, there is precedence for attackers targeting UPS devices, among others, to take down critical infrastructure. Notably, hackers attacked the Ukrainian power grid in 2015, leading to a widespread power outage.
Indeed, there are current fears that Russia could target power grids and other critical infrastructure in countries supporting Ukraine, such as the United States, as fighting continues following Russia’s invasion of the Ukraine late last month.
The discovery of TLStorm vulnerabilities also underscores the volatility of devices within enterprise networks that are responsible for power reliability and other critical infrastructure, researchers noted. They stressed the need for organizations with APC Smart UPS devices deployed to act immediately to protect them against security threats.
Patches & Workarounds
In addition to applying patches, there are other mitigations for TLStorm, researchers said. In devices in which customers are using the network management card (NMC), they can change the default NMC password (“apc”) and install a publicly-signed SSL certificate. This will prevent an attacker from intercepting the new password, they said.
Network administrators also can deploy access control lists (ACLs) in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications, researchers added.
