Three high-impact security vulnerabilities have been discovered in APC Smart-UPS systems, which might be exploited as a physical weapon by remote attackers to gain unauthorized access and control. The three vulnerabilities are being tracked as CVE-2022-22805- TLS buffer overflow, CVE-2022-22806- TLS authentication bypass and CVE-2022-0715- unsigned firmware upgrade that can be updated over the network.
The vulnerabilities, collectively known as TLStorm, enable for complete remote control of Smart-UPS equipment and the execution of serious cyber-physical attacks.
In mission-critical locations such as medical institutions, server rooms, and industrial systems, uninterruptible power supply (UPS) units act as emergency backup power suppliers. So far, nearly 20 million infected devices have been found in the healthcare, retail, industrial, and government sectors.
TLStorm is a zero-click attack that consists of three critical faults that can be triggered by unverified network packets without requiring any user activity. Two of the problems involve a flawed TLS handshake between the UPS and the APC cloud.
If any of the vulnerabilities are successfully exploited, they could lead to remote code execution (RCE) attacks on vulnerable devices, which could then be used to tamper with the UPS”s operations and physically destroy the unit or other assets linked to it.
How it works
Researchers reported that they were able to bypass the software protection by exploiting the RCE vulnerability and allowing the current spike periods to run indefinitely until the DC link capacitor reached 150 degrees Celsius (300 degrees Fahrenheit), causing the capacitor to burst and render the UPS unusable in a cloud of electrolyte gas, causing collateral damage to the device.
The Vulnerability in the firmware upgrade system may be used to install a malicious update on UPS devices, allowing attackers to establish persistence for long periods of time and utilize the compromised host as a gateway for other attacks.
Fixes for these vulnerabilities were released by Schneider Electric on 8th March 2022 as part of their patch Tuesday updates.
The Guyana National CIRT recommends that users and administrations review this alert and apply it where necessary.