Security researchers have found that uninterruptible power supplies from Schneider Electric subsidiary APC are subject to a number of serious security vulnerabilities, and remote attacks can set fire to them.
Security company Armis claims the set of three vulnerabilities it dubbed TLStorm puts millions of devices at risk worldwide, affecting eight out of ten enterprises.
Armis details the vulnerabilities here.
The researchers warn that devices can be taken over “without any user interaction or signs of attack”, and that a successful exploit “could be used to alter the operations of the UPS to physically damage the device itself or other assets connected to it”.
“By exploiting these vulnerabilities in the lab, Armis researchers were able to remotely ignite a Smart-UPS device and make it literally go up in smoke,” the company claimed.
The bugs were disclosed to Schneider Electric in October 2021, and patches are now available.
There is a vulnerability in the UPS’s firmware upgrade process (CVE-2022-0715) and two vulnerabilities in their transport layer security (TLS) implementation (CVE-2022-22805 and CVE-2022-22806).
The firmware bug describes serious shortcomings in APC’s firmware update process: all devices in the Smart-UPS range use the same symmetrical firmware encryption key, and that key can be extracted by an attacker with access to a device.
There is also no firmware signing mechanism.
According to Armis, that provides a vector for an attacker to plant malicious firmware on a target device. On older units, they would need access to the LAN the UPS is connected to, but newer devices using the company’s SmartConnect feature can be upgraded by an attacker connected over the Internet to the device’s management console.
The TLS bugs were introduced in APC’s implementation of the Mocana nanoSSL library, in which APC’s software ignores some TLS errors rather than closing the connection.
In CVE-2022-22806, this leads to the uninitialised TLS key being cached.
This allows an attacker to communicate with the UPS “as if it were a genuine Schneider Electric server”, issue firmware upgrade instructions, and execute remote code.
In CVE-2022-22805, the researchers document a memory vulnerability in the reassembly of TLS packets. This lets an attacker “trigger a pre-authentication heap overflow condition that can lead to remote code execution”.ADVERTISINGGot a news tip for our journalists? Share it with us anonymously here.