Security researchers at Armis have disclosed a set of three critical vulnerabilities in APC Smart-UPS devices, collectively named TLStorm. A remote attacker can chain them to take over a Smart-UPS and then attack both the physical equipment it powers and the IT assets on its network. According to the Armis report, nearly 80% of the devices deployed in government, healthcare, industrial, IT, retail and other sectors are affected, so it is worth understanding the flaws before they are used against you. This post explains how to secure your APC Smart-UPS devices from the TLStorm vulnerabilities.
To appreciate the significance of TLStorm, consider how large the APC installed base is. APC is a leading UPS manufacturer with more than 20 million devices sold worldwide. Armis estimates that 8 out of 10 of them are vulnerable, which puts roughly 16 million devices at risk.
UPS stands for uninterruptible power supply: a device designed to keep critical servers and other equipment powered during outages or disturbances on the mains. The primary reason to deploy one is to keep systems running when the power does not.
TLStorm is a set of three critical vulnerabilities that allow attackers to take over devices covertly over the Internet, without any user interaction and without visible signs of attack.
CVE-2022-22806: TLS authentication bypass
CVE-2022-22805: TLS buffer overflow
CVE-2022-0715: Unsigned firmware upgrade
Attackers can chain these vulnerabilities into remote code execution (RCE) on a vulnerable APC UPS and then alter its operation, which can physically damage the UPS itself or the equipment connected to it.
As noted above, TLStorm consists of three vulnerabilities. Two stem from a flawed implementation of the TLS connection between the device and the Schneider Electric cloud, and the third from missing signature validation on firmware images. The attacks are "zero-click": they can be triggered without any user interaction.
CVE-2022-22806 is a TLS authentication bypass caused by a flaw in the device's TLS handshake handling. It lets an attacker reach remote code execution (RCE) through the network firmware upgrade process.
Field | Value |
---|---|
Associated CVE ID | CVE-2022-22806 |
Description | Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent. |
CVSS Score | 9.0 Critical |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Attack Vector (AV) | Network |
Attack Complexity (AC) | High |
Privileges Required (PR) | None |
User Interaction (UI) | None |
Scope (S) | Changed |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
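The description above attributes CVE-2022-22806 to an authentication bypass by capture-replay in the TLS handshake. The Go program below is an added example written for this post, not Armis's or Schneider Electric's code, and it does not reproduce the actual APC bug. It models a toy handshake protected by a pre-shared secret and shows the design property that defeats replay: the Finished MAC has to cover randomness the server generated for this connection. When it does not (bindRandom=false), a Finished recorded from one session verifies in any later session and the attacker reaches the post-handshake firmware-upgrade path without ever knowing the secret; when it does (bindRandom=true), the replay fails and the connection is closed. The message names are borrowed from TLS; the psk, ServerRandom handling and payload strings are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Message types of the toy handshake; names borrowed from TLS for readability.
const (
	MsgClientHello     = "ClientHello"
	MsgFinished        = "Finished"
	MsgFirmwareUpgrade = "FirmwareUpgrade" // post-handshake request
)

type Message struct {
	Type string
	Body []byte
}

const (
	expectHello = iota // messages must arrive in exactly this order
	expectFinished
	authenticated
	closed
)

// Server is a toy endpoint; bindRandom=false reproduces the capture-replay weakness.
type Server struct {
	bindRandom   bool
	psk          []byte // constructed pre-shared secret the honest client also knows
	st           int
	ServerRandom []byte // fresh per connection; sent in ServerHello (not modelled)
	transcript   []byte // client handshake messages seen so far
}

func NewServer(psk []byte, bindRandom bool) *Server {
	r := make([]byte, 32)
	rand.Read(r) // crypto/rand; a failure here would be unrecoverable anyway
	return &Server{bindRandom: bindRandom, psk: psk, ServerRandom: r}
}

// ExpectedFinished is HMAC-SHA256(psk, transcript [|| ServerRandom]).
func (s *Server) ExpectedFinished() []byte {
	m := hmac.New(sha256.New, s.psk)
	m.Write(s.transcript)
	if s.bindRandom {
		m.Write(s.ServerRandom)
	}
	return m.Sum(nil)
}

// Handle advances the state machine; anything out of order closes the connection.
func (s *Server) Handle(msg Message) error {
	switch {
	case msg.Type == MsgClientHello && s.st == expectHello:
		s.transcript = append(s.transcript, msg.Body...)
		s.st = expectFinished
	case msg.Type == MsgFinished && s.st == expectFinished:
		if !hmac.Equal(msg.Body, s.ExpectedFinished()) {
			s.st = closed
			return errors.New("Finished MAC mismatch, closing connection")
		}
		s.st = authenticated
	case msg.Type == MsgFirmwareUpgrade && s.st == authenticated:
		// Accepted: this branch is only reachable after a verified Finished.
	default:
		s.st = closed
		return errors.New("unexpected " + msg.Type + ", closing connection")
	}
	return nil
}

// ReplayScenario records an honest session, then replays the capture to a fresh
// connection and pushes a firmware upgrade without knowing psk. Returns whether it was accepted.
func ReplayScenario(bindRandom bool) bool {
	psk := []byte("constructed-pre-shared-secret")
	victim := NewServer(psk, bindRandom)
	hello := Message{MsgClientHello, []byte("constructed ClientHello")}
	victim.Handle(hello)
	// The honest client knows psk and saw ServerRandom, so its Finished matches.
	fin := Message{MsgFinished, victim.ExpectedFinished()}
	if err := victim.Handle(fin); err != nil {
		panic(err) // the honest handshake must always succeed
	}
	target := NewServer(psk, bindRandom) // the attacker replays the recording here
	for _, m := range []Message{hello, fin} {
		if target.Handle(m) != nil {
			return false
		}
	}
	return target.Handle(Message{MsgFirmwareUpgrade, []byte("attacker.bin")}) == nil
}

func main() {
	fmt.Println("replay accepted (loose, hardened):", ReplayScenario(false), ReplayScenario(true))
}
```

Two design points carry over to real firmware: the authenticated state must be reachable only through a verified Finished, and any message that does not fit the current state should abort the connection rather than be ignored, so a malformed or out-of-order message can never leave the state machine half-authenticated.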
The second vulnerability, CVE-2022-22805, is a TLS buffer overflow caused by a memory-corruption bug in TLS packet reassembly.
Field | Value |
---|---|
Associated CVE ID | CVE-2022-22805 |
Description | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled. |
CVSS Score | 9.0 Critical |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Attack Vector (AV) | Network |
Attack Complexity (AC) | High |
Privileges Required (PR) | None |
User Interaction (UI) | None |
Scope (S) | Changed |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
The third, CVE-2022-0715, is a design flaw: the device does not verify that a firmware image is cryptographically signed before accepting it. An attacker can therefore craft a malicious firmware image and install it over any of the supported update paths, including the Internet, the LAN, or a USB thumb drive, and then take full control of the device and make it behave as they wish.
Field | Value |
---|---|
Associated CVE ID | CVE-2022-0715 |
Description | Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS if a key is leaked and used to upload malicious firmware. |
CVSS Score | 8.9 High |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Attack Vector (AV) | Network |
Attack Complexity (AC) | High |
Privileges Required (PR) | None |
User Interaction (UI) | None |
Scope (S) | Changed |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
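To make the third flaw concrete, here is an added example written for this post (not vendor code, and using a toy image format rather than APC's) that contrasts two bootloader designs in Go. In the weak design the device merely decrypts the image with a key that every unit carries, which is the situation the CVE description's "if a key is leaked" points at: once that key is extracted from one device, anyone can build an image every device accepts. In the hardened design the device holds only a vendor public key and verifies an Ed25519 signature over the whole image before trusting a byte of it, so a tampered image or one signed with the attacker's own key is refused. The payloads, the shared key and the key pairs are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Toy image container for this illustration only (not APC's format): plaintext = magic || payload.
var magic = []byte("UPSF")

// xorCTR runs AES-CTR over in; keys here are fixed-size, so NewCipher cannot fail.
func xorCTR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Weak design, vendor side: image = iv || AES-CTR(magic || payload) under a key
// every unit carries. Anyone who has pulled sharedKey out of one unit can do the same.
func weakBuild(sharedKey, payload []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	plain := append(append([]byte{}, magic...), payload...)
	return append(iv, xorCTR(sharedKey, iv, plain)...)
}

// Weak design, device side: decrypt and look for the magic. That proves the
// sender knew sharedKey and says nothing about who produced the payload.
func weakAccept(sharedKey, image []byte) ([]byte, error) {
	if len(image) < aes.BlockSize+len(magic) {
		return nil, errors.New("image too short")
	}
	plain := xorCTR(sharedKey, image[:aes.BlockSize], image[aes.BlockSize:])
	if !bytes.Equal(plain[:len(magic)], magic) {
		return nil, errors.New("bad magic: wrong key or corrupt image")
	}
	return plain[len(magic):], nil
}

// Hardened design, vendor side: image = magic || payload || Ed25519 signature
// over (magic || payload). The private key never leaves the vendor.
func signedBuild(vendorPriv ed25519.PrivateKey, payload []byte) []byte {
	body := append(append([]byte{}, magic...), payload...)
	return append(body, ed25519.Sign(vendorPriv, body)...)
}

// Hardened design, device side: verify with the embedded vendor public key
// before trusting a single payload byte.
func signedAccept(vendorPub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < len(magic)+ed25519.SignatureSize {
		return nil, errors.New("image too short")
	}
	body, sig := image[:len(image)-ed25519.SignatureSize], image[len(image)-ed25519.SignatureSize:]
	if !ed25519.Verify(vendorPub, body, sig) {
		return nil, errors.New("signature check failed: refusing to flash")
	}
	return body[len(magic):], nil
}

// Result records which images each bootloader would flash.
type Result struct {
	WeakForgeAccepted   bool // attacker-built image, unsigned design
	GenuineAccepted     bool // vendor-signed image, signed design
	TamperedAccepted    bool // vendor image with one payload byte flipped
	AttackerKeyAccepted bool // image signed with the attacker's own key
}

// Scenario plays the attacker against both designs with constructed payloads.
func Scenario() Result {
	payload := []byte("constructed payload: nominal output 230V")
	evil := []byte("constructed payload: disable over-voltage cut-off")
	// Weak design: the attacker has recovered the device-wide key from one unit.
	sharedKey := bytes.Repeat([]byte{0x42}, 16) // constructed 128-bit key
	_, errForge := weakAccept(sharedKey, weakBuild(sharedKey, evil))
	// Hardened design: the device stores only vendorPub; rand.Reader does not fail on a healthy platform.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := signedBuild(vendorPriv, payload)
	_, errGenuine := signedAccept(vendorPub, genuine)
	tampered := append([]byte{}, genuine...)
	tampered[len(magic)] ^= 0xff // flip the first payload byte, keep the old signature
	_, errTampered := signedAccept(vendorPub, tampered)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, errAttacker := signedAccept(vendorPub, signedBuild(attackerPriv, evil))
	return Result{errForge == nil, errGenuine == nil, errTampered == nil, errAttacker == nil}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The point of the contrast is that encryption alone gives confidentiality, not authenticity: a symmetric key that has to be present in every shipped unit will eventually be extracted, and from that moment the check in weakAccept proves nothing. Signature verification moves the secret to the vendor and leaves only a public key on the device, which is exactly what a firmware-upgrade path has to rely on when the image can arrive over the Internet, the LAN or a USB drive.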
These vulnerabilities affect around 80% of APC Smart-UPS devices worldwide. The tables below list the affected models and firmware versions; check them if you run an APC Smart-UPS at home, in an office, a plant, a hospital or anywhere else.
SmartConnect Family:
Product | Affected Versions | CVEs |
---|---|---|
SMT Series | ID=1015: UPS 04.5 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
SMC Series | ID=1018: UPS 04.2 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
SMTL Series | ID=1026: UPS 02.9 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
SCL Series | ID=1029: UPS 02.5 and prior; ID=1030: UPS 02.5 and prior; ID=1036: UPS 02.5 and prior; ID=1037: UPS 03.1 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
SMX Series | ID=1031: UPS 03.1 and prior | CVE-2022-22805, CVE-2022-22 |
Smart-UPS Family:
Product | Affected Versions | CVEs |
---|---|---|
SMT Series | ID=18: UPS 09.8 and prior; ID=1040: UPS 01.2 and prior; ID=1031: UPS 03.1 and prior | CVE-2022-0715 |
SMC Series | ID=1005: UPS 14.1 and prior; ID=1007: UPS 11.0 and prior; ID=1041: UPS 01.1 and prior | CVE-2022-0715 |
SCL Series | ID=1030: UPS 02.5 and prior; ID=1036: UPS 02.5 and prior | CVE-2022-0715 |
SMX Series | ID=20: UPS 10.2 and prior; ID=23: UPS 07.0 and prior | CVE-2022-0715 |
SRT Series | ID=1010/1019/1025: UPS 08.3 and prior; ID=1024: UPS 01.0 and prior; ID=1020: UPS 10.4 and prior; ID=1021: UPS 12.2 and prior; ID=1001/1013: UPS 05.1 and prior; ID=1002/1014: UPS 05.2 and prior | CVE-2022-0715 |
There are three ways to update the firmware on your APC Smart-UPS devices and close the TLStorm vulnerabilities:
Upgrade through SmartConnect: new firmware is made available to devices connected to the SmartConnect cloud portal. Follow the instructions on the portal to install it.
Use the Firmware Upgrade Wizard directly for devices that are not connected to SmartConnect.
Upgrade through a Network Management Card (NMC): devices fitted with an NMC can be upgraded remotely over the network.
The vendor has said it is working on a remediation plan for the Smart-UPS SCL, SMX and SRT Series and the SmartConnect SMTL, SCL and SMX Series that will include fixes for these vulnerabilities. Watch the vendor's advisory for updates. Until a fix is available for your model, apply these mitigations to secure your APC Smart-UPS devices from the TLStorm vulnerabilities.
Disable the SmartConnect feature from the front panel.
If possible, disconnect any network cable connected to the UPS.
Follow the general recommendations below.
Recommendations:
Download firmware only from the official Schneider Electric website.
Place control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Restrict physical and logical access to the control and safety systems, their components, peripheral equipment and networks to authorised personnel.
Restrict the use of portable devices that combine storage and network features, such as smartphones and USB drives, on these systems.
We hope this post helps you secure your APC Smart-UPS devices from the TLStorm vulnerabilities.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.