
TLStorm Remote Code Execution Vulnerability in APC UPS Systems

Critical remote code execution vulnerabilities have been disclosed in APC Uninterruptible Power Supply devices. These vulnerabilities could lead to complete compromise of an affected system.




Threat details

Introduction

Schneider Electric has released a security notification about three vulnerabilities, two rated critical and one rated high, collectively referred to as TLStorm, in APC Smart-UPS uninterruptible power supply devices. Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets and are used in a variety of sectors, including healthcare.

A remote attacker could exploit one or more of these vulnerabilities to gain unauthorised access and control of a device, giving the attacker the ability to conduct an extreme cyber-physical attack. An attack of this nature could result in physical damage to the UPS device and cause critical systems to fail.


Vulnerability details

Security researchers at Armis discovered three vulnerabilities in APC Smart-UPS devices. CVE-2022-22805 and CVE-2022-22806 are critical remote code execution (RCE) vulnerabilities in the TLS implementation of cloud-connected Smart-UPS devices. Both can be exploited in a zero-click attack: the attacker sends unauthenticated network packets to the device and no user interaction is required. The third vulnerability, CVE-2022-0715, has a high severity rating and relates to Smart-UPS firmware updates not being cryptographically signed in a secure way. Because the device does not require a valid signature before installing an update, malicious firmware could be crafted and installed over the Internet, the LAN, or a USB drive, giving an attacker persistence on the UPS device.

The following descriptions of the vulnerabilities are provided by Armis:

  • CVE-2022-22805, CVSS v3.1 Base Score 9.0: TLS buffer overflow: A memory corruption bug in packet reassembly (RCE)
  • CVE-2022-22806, CVSS v3.1 Base Score 9.0: TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade
  • CVE-2022-0715, CVSS v3.1 Base Score 8.9 (connected devices), 6.9 (non-connected devices): Unsigned firmware upgrade that can be updated over the network (RCE)
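The security point behind CVE-2022-0715 is the difference between an update check that any holder of a shared secret can satisfy and one that only the vendor's private signing key can satisfy. The following Go program is an added example written for this page; it is not Schneider Electric's, APC's or Armis's code, and the image layout (magic, version, length, payload, Ed25519 signature), the use of Ed25519, and the "legacy" HMAC-with-a-shared-secret scheme are all assumptions made for illustration. It goes slightly beyond the text by also rejecting version rollback, since a signed image of an older, vulnerable firmware is otherwise still a valid image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout, assumed for this example (not Schneider's format):
//   magic(4) | version(4 BE) | payloadLen(4 BE) | payload | Ed25519 sig(64)
// The signature covers everything before it, so header fields such as the
// version cannot be altered without invalidating the image.
var magic = []byte("FWIM")

const hdrLen, sigLen = 12, ed25519.SignatureSize

// BuildImage is the vendor-side step: sign header+payload with the private key,
// which never leaves the vendor's build infrastructure.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device-side step an updater should run before flashing,
// whether the image arrived over the network or from a USB drive. It returns
// the payload only if the signature is valid under the vendor's public key
// (the only key material the device needs to hold) and the version is not a
// rollback below minVersion.
func VerifyImage(pub ed25519.PublicKey, img []byte, minVersion uint32) ([]byte, error) {
	if len(img) < hdrLen+sigLen {
		return nil, errors.New("image too short")
	}
	if !bytes.Equal(img[:4], magic) {
		return nil, errors.New("bad magic")
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	signedEnd := len(img) - sigLen
	if uint64(plen) != uint64(signedEnd-hdrLen) {
		return nil, errors.New("length field does not match image")
	}
	if !ed25519.Verify(pub, img[:signedEnd], img[signedEnd:]) {
		return nil, errors.New("signature invalid")
	}
	if version < minVersion {
		return nil, errors.New("rollback to older firmware rejected")
	}
	return img[hdrLen:signedEnd], nil
}

// LegacyAccept models the weaker design class the advisory warns about: the
// image carries an integrity tag computed with a secret that every unit must
// hold to check it (assumed here as HMAC-SHA256 over the payload). Anyone who
// extracts that secret from one unit can mint images that every unit accepts.
func LegacyAccept(sharedKey, img []byte) bool {
	if len(img) < sha256.Size {
		return false
	}
	body, tag := img[:len(img)-sha256.Size], img[len(img)-sha256.Size:]
	m := hmac.New(sha256.New, sharedKey)
	m.Write(body)
	return hmac.Equal(tag, m.Sum(nil))
}

// ForgeLegacy is the attacker's side of LegacyAccept: with the extracted key,
// an arbitrary payload (the persistence the advisory describes) passes the check.
func ForgeLegacy(sharedKey, payload []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(payload)
	return append(append([]byte(nil), payload...), m.Sum(nil)...)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a firmware blob.
	img := BuildImage(priv, 3, []byte("constructed firmware payload"))
	_, err = VerifyImage(pub, img, 2)
	fmt.Println("genuine signed image:", err)
	tampered := append([]byte(nil), img...)
	tampered[hdrLen] ^= 0xff // flip one payload byte
	_, err = VerifyImage(pub, tampered, 2)
	fmt.Println("tampered signed image:", err)
	key := []byte("same-secret-in-every-unit")
	fmt.Println("forged legacy image accepted:", LegacyAccept(key, ForgeLegacy(key, []byte("attacker payload"))))
}
```

The design point: the public key on the device cannot be used to produce a valid image, so extracting it from one unit gains an attacker nothing, whereas in the legacy scheme the secret that checks an image is the same secret that mints one. A signature check is also only as good as the code path that enforces it, so an updater must verify before writing anything to flash, and on every update path (network, SmartConnect cloud, USB), not just the one the vendor expects to be used.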

Threat updates

Date        Update
4 Apr 2022  Mitigating Attacks Against Uninterruptible Power Supply Devices

CISA and the US Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. Organisations can mitigate attacks against UPS devices by immediately removing management interfaces from the internet.

For more information, please review CISA and DOE’s guidance on mitigating attacks against UPS devices for additional mitigations and information.


Remediation advice

Affected organisations are encouraged to review Schneider Electric’s Security Notification and apply the remediation and mitigations immediately.

The firmware updates provide a fix for CVE-2022-22805 and CVE-2022-22806 for the SmartConnect UPS SMT and SMC series. The updates only provide partial remediation for CVE-2022-0715 in Smart-UPS SMT and SMC series. The remediation plan for Smart-UPS SCL, SMX, and SRT Series and SmartConnect SMTL, SCL, and SMX Series was unavailable at the time of publication. Schneider Electric will update their Security Notification when the remediation is available. Until then, they provide the following mitigations:

  • If applicable, from the front panel disable the SmartConnect feature
  • Alternatively, customers may choose to disconnect any network cable connected to the UPS
  • Follow the General Security Recommendations provided in the Security Notification

Schneider Electric has provided the following additional recommendations to protect against exploitation of these vulnerabilities:

  • Locate systems and remotely accessible devices behind firewalls
  • Install physical controls to prevent unauthorised access
  • Where possible, prevent mission-critical systems and devices from being accessed from outside networks
  • Schneider customers should apply the General Security Recommendations provided in the Security Notification

NOTE: Schneider advise customers to use appropriate patching methodologies and backups when applying patches. Customers are also advised to evaluate the impact of the patches in a Test and Development environment or on an offline infrastructure. Contact Schneider Electric’s Customer Care Center if assistance is needed for applying or removing a patch.




Last edited: 4 April 2022 2:50 pm