Many models of Internet-connected uninterruptible power supply (UPS) units manufactured by Schneider Electric contain a set of three vulnerabilities that together can enable a remote attacker to install a malicious firmware update, execute code remotely, take complete control of a target device, and use the device as a jumping-off point for further attacks on the network.
The flaws (CVE-2022-22805, CVE-2022-22806, CVE-2022-0715) have been collectively named TLStorm and affect APC SmartConnect and Smart-UPS devices, which are used to supply constant power to many types of network equipment, including servers, storage devices, and industrial and medical devices. One of the features of the affected UPS devices is a cloud-management system called SmartConnect, and two of the vulnerabilities discovered by researchers at Armis, a specialized ICS and IoT security firm, lie in the TLS implementation in that system. One of the bugs allows an attacker to bypass authentication, while the other is a buffer overflow that can lead to remote code execution. By exploiting those two vulnerabilities, an attacker can then take advantage of the third bug, which is the lack of a cryptographic signing mechanism for firmware upgrades, and install a malicious firmware image remotely.
Several models of APC UPS devices are affected, and Schneider Electric, the parent company of APC, has issued fixes for the affected software versions.
“An attacker just needs to intercept the TLS connection from the UPS to the APC cloud. On the same network it can be done using ARP poisoning, DNS poisoning or any other MITM (man-in-the-middle) technique. On the internet, DNS cache poisoning is the most common way of initiating these types of attacks. Once the attacker intercepts the connection, executing code over the UPS is trivial using a malicious firmware upgrade,” Barak Hadad, head of research at Armis, said.
As part of their testing in a lab environment, the Armis researchers used the two TLS implementation flaws to gain access to a vulnerable UPS and then upload a malicious firmware image to the device. They were able to tamper with the settings on the device and take whatever actions they chose, including forcing the device to overheat and eventually brick. The TLS bugs Armis discovered lie in the way the devices handle errors in the TLS connection.
“The root cause for both of the TLS vulnerabilities is improper error handling of TLS errors in the TLS connection from the Smart-UPS and the Schneider Electric cloud. APC uses the Mocana nanoSSL as the library responsible for TLS communications. The library manual clearly states that library users should close the connection when there is a TLS error. In the APC usage of this library, however, some errors are ignored, leaving the connection open but in a state that the library was not designed to handle,” the researchers said.
“Ignoring the nanoSSL library errors causes the UPS to cache the TLS key in its uninitialized state. When an attacker uses the TLS resumption functionality, the uninitialized key (all zero) is fetched from the cache and the attacker can communicate with the device as if it was a genuine Schneider Electric server. As a seemingly verified server, the attacker can issue a firmware upgrade command and remotely execute code over the UPS device.”
The ability to install a new firmware image is due to the lack of a cryptographic signing mechanism for the firmware.
“This means an attacker could craft malicious firmware and install it using various paths, including the Internet, LAN, or a USB thumb drive. This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried,” the researchers said.
All three of the vulnerabilities affect SMT, SCL, SMC, SMTL, and SMX series SmartConnect UPS devices, while only the firmware upgrade flaw affects Smart-UPS SMT, SMC, SCL, SMX, and SRT series devices.
"We recommend that customers immediately install available firmware updates...which include remediations to reduce the risk of successful exploitation of these vulnerabilities. In addition, customers should also immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from exploitation of these vulnerabilities," Schneider Electric said in its advisory on the flaws.