How to Secure Your APC Smart-UPS Devices from TLStorm Vulnerabilities

Security researchers from Armis have disclosed a set of three critical vulnerabilities in APC Smart-UPS devices, collectively called TLStorm. A remote attacker can chain these vulnerabilities to take over Smart-UPS devices and carry out extreme attacks targeting both physical devices and IT assets. The published report says that nearly 80% of the devices deployed in governmental, healthcare, industrial, IT, retail, and other sectors are vulnerable to TLStorm. It is therefore important to understand the flaws before they are exploited. This post explains how to secure your APC Smart-UPS devices from the TLStorm vulnerabilities.

To understand the significance of the TLStorm vulnerabilities, you should know how large APC's installed base is. APC is a leading UPS manufacturer with over 20 million devices sold globally. Armis's report says that 8 out of 10 devices are vulnerable, which puts around 16 million devices at risk from TLStorm.

What Is UPS?

UPS stands for uninterruptible power supply. As the name says, it is a device designed to provide a consistent power supply to critical servers and other assets during power cuts or disruptions. The primary reason to deploy these devices is to keep equipment running even when there are power issues.

What Are TLStorm Vulnerabilities?

TLStorm is a set of three critical vulnerabilities that allow attackers to remotely take over devices covertly over the Internet without any user interaction or signs of attack.

  1. CVE-2022-22806: TLS authentication bypass
  2. CVE-2022-22805: TLS buffer overflow
  3. CVE-2022-0715: Unsigned firmware upgrade

Attackers can chain these vulnerabilities to perform a remote code execution (RCE) attack on a vulnerable APC UPS device and can physically damage the device, and other devices connected to it, by altering its operations.

Summary Of The TLStorm Vulnerabilities:

As noted above, TLStorm is made up of three vulnerabilities. Two are due to improper implementation of the TLS connection between the device and the Schneider Electric cloud, and the remaining one is due to improper validation of the firmware signature. These vulnerabilities are known as zero-click attacks, as they can be triggered without any user interaction.

CVE-2022-22806

CVE-2022-22806 is a TLS authentication bypass vulnerability caused by an improper TLS handshake. This vulnerability allows attackers to carry out remote code execution (RCE) through the firmware upgrade process.

| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-22806 |
| Description | Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent. |
| Associated ZDI ID | |
| CVSS Score | 9.0 Critical |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Impact Score | |
| Exploitability Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | High |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

CVE-2022-22805:

The second vulnerability, CVE-2022-22805, is a TLS buffer overflow caused by a memory corruption bug in packet reassembly.

| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-22805 |
| Description | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled. |
| Associated ZDI ID | |
| CVSS Score | 9.0 Critical |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Impact Score | |
| Exploitability Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | High |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

CVE-2022-0715:

The third vulnerability, CVE-2022-0715, is a design flaw: the device fails to validate whether the firmware is cryptographically signed. This leaves a gap for attackers to perform supply chain attacks by creating infected firmware and installing it through various paths, including the Internet, LAN, or a USB thumb drive. This would allow attackers to take control of the device and operate it as they wish.

| Field | Value |
|---|---|
| Associated CVE ID | CVE-2022-0715 |
| Description | Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS if a key is leaked and used to upload malicious firmware. |
| Associated ZDI ID | |
| CVSS Score | 8.9 High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Impact Score | |
| Exploitability Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | High |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

Devices Affected By TLStorm Vulnerabilities:

These vulnerabilities affect around 80% of the APC Smart-UPS devices around the world. The tables below are important for anyone using APC Smart-UPS devices at home or in offices, industrial sites, hospitals, or elsewhere.

SmartConnect Family:

| Product | Affected Versions | CVEs |
|---|---|---|
| SMT Series | SMT Series ID=1015: UPS 04.5 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
| SMC Series | SMC Series ID=1018: UPS 04.2 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
| SMTL Series | SMTL Series ID=1026: UPS 02.9 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
| SCL Series | SCL Series ID=1029: UPS 02.5 and prior; SCL Series ID=1030: UPS 02.5 and prior; SCL Series ID=1036: UPS 02.5 and prior; SCL Series ID=1037: UPS 03.1 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
| SMX Series | SMX Series ID=1031: UPS 03.1 and prior | CVE-2022-22805, CVE-2022-22 |

Smart-UPS Family:

| Product | Affected Versions | CVEs |
|---|---|---|
| SMT Series | SMT Series ID=18: UPS 09.8 and prior; SMT Series ID=1040: UPS 01.2 and prior; SMT Series ID=1031: UPS 03.1 and prior | CVE-2022-0715 |
| SMC Series | SMC Series ID=1005: UPS 14.1 and prior; SMC Series ID=1007: UPS 11.0 and prior; SMC Series ID=1041: UPS 01.1 and prior | CVE-2022-0715 |
| SCL Series | SCL Series ID=1030: UPS 02.5 and prior; SCL Series ID=1036: UPS 02.5 and prior | CVE-2022-0715 |
| SMX Series | SMX Series ID=20: UPS 10.2 and prior; SMX Series ID=23: UPS 07.0 and prior | CVE-2022-0715 |
| SRT Series | SRT Series ID=1010/1019/1025: UPS 08.3 and prior; SRT Series ID=1024: UPS 01.0 and prior; SRT Series ID=1020: UPS 10.4 and prior; SRT Series ID=1021: UPS 12.2 and prior; SRT Series ID=1001/1013: UPS 05.1 and prior; SRT Series ID=1002/1014: UPSa05.2 and prior | CVE-2022-0715 |
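To turn the two tables above into an inventory check, the following added example (not code from Armis, Schneider Electric, or the original post) compares each device's model ID and firmware string against the highest affected version listed for that ID. The inventory layout of (host, model ID, firmware string) and the sample hostnames are assumptions made for illustration.

```python
import re

# Highest affected firmware per model ID, transcribed from the two tables above.
# IDs 1002/1014 are left out because the page prints their version as "UPSa05.2".
CEILING = {
    1015: "04.5", 1018: "04.2", 1026: "02.9", 1029: "02.5", 1030: "02.5",
    1036: "02.5", 1037: "03.1", 1031: "03.1", 18: "09.8", 1040: "01.2",
    1005: "14.1", 1007: "11.0", 1041: "01.1", 20: "10.2", 23: "07.0",
    1010: "08.3", 1019: "08.3", 1025: "08.3", 1024: "01.0", 1020: "10.4",
    1021: "12.2", 1001: "05.1", 1013: "05.1",
}
FW_RE = re.compile(r"UPS\s+(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor) from a string such as 'UPS 04.5', or None."""
    m = FW_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(model_id, firmware):
    """Return 'affected', 'above-ceiling', or 'unknown' for one device."""
    ceiling = CEILING.get(model_id)
    version = parse_version(firmware)
    if ceiling is None or version is None:
        return "unknown"  # ID not in the tables or unparseable string: review by hand
    major, minor = ceiling.split(".")
    return "affected" if version <= (int(major), int(minor)) else "above-ceiling"

def triage(inventory):
    """Group inventory hosts by classification, preserving input order."""
    report = {"affected": [], "above-ceiling": [], "unknown": []}
    for host, model_id, firmware in inventory:
        report[classify(model_id, firmware)].append(host)
    return report

# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE = [
    ("ups-dc1-a", 1015, "UPS 04.5"),
    ("ups-dc1-b", 1015, "UPS 04.6"),
    ("ups-lab-1", 18, "UPS 09.3"),
    ("ups-lab-2", 1014, "UPS 05.2"),
    ("ups-hq-1", 1021, "UPS 12.3"),
    ("ups-hq-2", 1037, "firmware n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:14} {', '.join(hosts)}")
```

Devices reported as "unknown" are not treated as safe: they are either absent from the tables or returned a firmware string the check could not read, so they need a manual look.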

How To Secure Your APC Smart-UPS Devices From TLStorm Vulnerabilities?

There are three ways to secure your APC Smart-UPS devices from TLStorm vulnerabilities:

  1. Upgrade firmware through SmartConnect: New firmware will be available for the devices connected to SmartConnect. Follow the instructions on the portal to install the updates.
  2. Use the Firmware Upgrade Wizard directly to upgrade devices that are not connected to SmartConnect.
  3. Upgrade the firmware through the NMC. Devices can be upgraded remotely using this method.

The vendor said that it is working on a remediation plan for the Smart-UPS SCL, SMX, and SRT Series and the SmartConnect SMTL, SCL, and SMX Series that will include fixes for these vulnerabilities. Please maintain close contact with the vendor for further updates. Until then, follow these steps to secure your APC Smart-UPS devices from TLStorm vulnerabilities.

  1. Disable the SmartConnect feature from the front panel.
  2. If possible, disconnect any network cable connected to the UPS.
  3. Make sure you follow all the recommendations.

Recommendations:

  1. Download the firmware only from the official Schneider Electric website.
  2. Locate control and safety system networks and remote devices behind firewalls and isolate them from the network.
  3. Restrict unauthorized access to the control and safety systems, components, peripheral equipment, and networks.
  4. Restrict any gadgets that have storage and network features, such as smartphones and USB devices.

We hope this post helps you understand how to secure your APC Smart-UPS devices from TLStorm vulnerabilities. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.

About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

To know more about him, you can visit his profile on LinkedIn.
