Armis has found critical weaknesses in Schneider Electric’s power supplies

by time news

Armis has announced the disclosure of three critical vulnerabilities in APC Smart-UPS devices that could allow attackers to take control of them remotely. By exploiting the vulnerabilities, collectively known as TLStorm, attackers can disconnect, disrupt, and destroy APC Smart-UPS devices and the devices connected to them.

Uninterruptible power supply (UPS) devices provide emergency backup power for a variety of devices in data centers, industrial facilities, hospitals and more. APC is a subsidiary of Schneider Electric and is one of the world’s leading suppliers of UPS devices, with sales of more than 20 million devices worldwide.

Barak Haddad, head of research at Armis: “Until recently, infrastructures such as UPS devices were not considered a security risk. However, it turned out that they did not implement adequate security mechanisms for remotely managed devices, which means attackers can use UPS devices as an attack surface. Security experts will have a network image of all the assets in the organization, along with the ability to monitor their behavior to detect attempts to exploit vulnerabilities like TLStorm.”

Identifying and preventing security risks

Armis investigates and analyzes a variety of common devices to help security managers protect their organizations from threats. For this study, Armis researched APC Smart-UPS devices – APC’s latest UPS devices that use a cloud connection for remote management. Researchers at Armis found that an attacker who exploited the TLStorm vulnerabilities could remotely control devices over the Internet without any user interaction.

The disclosed vulnerabilities include two critical flaws in the TLS implementation used by cloud-connected Smart-UPS devices, and a third weakness that stems from a design problem: the firmware upgrades of most Smart-UPS devices are not properly cryptographically authenticated.

The first two weaknesses are in the TLS connection between the UPS devices and the Schneider Electric cloud. The vulnerable devices are the UPS units that support the SmartConnect application. These devices automatically establish a TLS connection at startup or whenever the connection to the cloud is lost. Attackers can exploit the vulnerabilities over the Internet without any need for authentication or user interaction.

The third weakness is a product design flaw: firmware updates on the affected devices are not cryptographically signed in a secure manner. As a result, an attacker could create malicious firmware and install it in a number of ways, including over the Internet, over the LAN, or from a USB flash drive. Malicious firmware can give attackers long-term access to UPS devices, and they can use that access to carry out further attacks on the network.

Abusing flaws in firmware update mechanisms has become common practice among advanced persistent threat (APT) actors, as described at length in an analysis of the Cyclops Blink malware. The lack of firmware signing is a recurring flaw in a variety of systems. For example, CVE-2021-37160, a vulnerability that Armis previously found in Swisslog PTS systems (PwnedPiper), was due to a similar type of flaw.

Yevgeny Dibrov, CEO and co-founder, Armis: “TLStorm vulnerabilities occur in physical security systems that bridge our digital and physical worlds, giving cyber attacks the opportunity to achieve real-world results.

“Armis’ platform addresses this hyper-connected reality, where a single device or identity at risk can open a door to cyber-attacks, and the security of each asset becomes significant to protect the business’s business and brand reputation. Our ongoing research secures organizations by delivering 100% visibility of all their assets: IT, cloud, IoT, OT, IoMT, 5G, and end assets.”

Schneider Electric has worked collaboratively with Armis on the subject and created updates to address any weaknesses discovered. To the best of the knowledge of both companies, there is no indication that TLStorm vulnerabilities have been exploited. Organizations using APC Smart-UPS devices are advised to update the devices immediately.

More information can be found in the Schneider Electric guide here.
