The enterprise device security firm Armis has disclosed that attackers can exploit severe flaws in uninterruptible power supply (UPS) devices made by APC, a Schneider Electric subsidiary, to take over the devices remotely and physically damage them. Armis researchers found three vulnerabilities in APC Smart-UPS devices and collectively named them TLStorm.
More than 20 million UPS units have been sold worldwide, according to APC, and Armis estimates that roughly 80% of organizations run at least one device exposed to TLStorm. Data centers, hospitals, and industrial facilities all depend on UPS units to keep critical equipment powered, so an attack on these devices can have physical, not just digital, consequences. The Armis researchers examined how APC Smart-UPS devices talk to the vendor's cloud-based remote management service. They found two flaws in the device's TLS implementation and one design weakness in the firmware upgrade process.
The first vulnerability, CVE-2022-22806, is a TLS authentication bypass that can lead to remote code execution. The second, CVE-2022-22805, is a buffer overflow in TLS packet reassembly that can also lead to remote code execution. Both are reachable before any authentication takes place, so strong management credentials offer no protection; Armis said unauthenticated attackers can exploit them remotely, even over the internet, to "alter the operations of the UPS to physically damage the device itself or other assets connected to it."
The third flaw, CVE-2022-0715, concerns unsigned firmware upgrades. Because firmware images are not cryptographically signed, the device has no way to tell a vendor release from a malicious one, so a crafted image can be installed from a USB drive, over the local network, or even from the internet. Armis noted that this lets attackers establish long-term persistence on the UPS, which can then serve as a foothold inside the network for further attacks. The practical point for defenders is that a missing signature check turns any path to the update mechanism, including one opened by the two TLS bugs, into a way to replace the device's code. To demonstrate the impact, Armis built a proof-of-concept (PoC) exploit that drives the UPS's internal circuitry until it overheats, emits smoke, and the device is permanently bricked.
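To make concrete what the missing check looks like, here is an added example written for this article, not Armis's PoC and not APC's real update format. It defines a hypothetical firmware image layout (a "UPSF" magic, version and length fields, payload, and a trailing Ed25519 signature over everything before it) and a VerifyImage routine of the kind a bootloader must run before writing anything to flash. The vendor's public key is assumed to be baked into the device; the unsigned builder shows what the device was accepting before the fix.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (an illustration, not APC's real format):
//   magic "UPSF" | version uint32 BE | payloadLen uint32 BE | payload | Ed25519 signature (64 bytes)
// The signature covers SHA-256(header || payload), so version and length are authenticated too.
var magic = []byte("UPSF")

const hdrLen = 4 + 4 + 4

var (
	ErrTooShort = errors.New("image too short to hold header and signature")
	ErrBadMagic = errors.New("not a firmware image")
	ErrLength   = errors.New("length field does not match image size")
	ErrBadSig   = errors.New("signature verification failed")
	ErrRollback = errors.New("image is older than the installed firmware")
)

func encodeHeader(version, payloadLen uint32) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], payloadLen)
	return hdr
}

// BuildUnsignedImage mirrors the pre-fix situation: the device has nothing to check.
func BuildUnsignedImage(version uint32, payload []byte) []byte {
	return append(encodeHeader(version, uint32(len(payload))), payload...)
}

// BuildSignedImage is what a vendor release pipeline would do with its offline private key.
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := BuildUnsignedImage(version, payload)
	digest := sha256.Sum256(img)
	return append(img, ed25519.Sign(priv, digest[:])...)
}

// VerifyImage is the check the device must run before writing anything to flash.
// pub is the vendor public key baked into the bootloader; installed is the running version.
func VerifyImage(pub ed25519.PublicKey, img []byte, installed uint32) (version uint32, payload []byte, err error) {
	if len(img) < hdrLen+ed25519.SignatureSize {
		return 0, nil, ErrTooShort
	}
	if !bytes.Equal(img[:4], magic) {
		return 0, nil, ErrBadMagic
	}
	version = binary.BigEndian.Uint32(img[4:8])
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	// Validate the length field against the real size before using it to slice.
	if uint64(payloadLen) != uint64(len(img)-hdrLen-ed25519.SignatureSize) {
		return 0, nil, ErrLength
	}
	signedEnd := hdrLen + int(payloadLen)
	digest := sha256.Sum256(img[:signedEnd])
	if !ed25519.Verify(pub, digest[:], img[signedEnd:]) {
		return 0, nil, ErrBadSig
	}
	// Only trust the version field once the signature has been checked; this blocks
	// re-flashing a genuine but older, vulnerable release (anti-rollback).
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, append([]byte(nil), img[hdrLen:signedEnd]...), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := bytes.Repeat([]byte{0xAB}, 100) // constructed stand-in for firmware code

	signed := BuildSignedImage(priv, 3, payload)
	_, _, err := VerifyImage(pub, signed, 2)
	fmt.Println("signed image:", err)

	tampered := append([]byte(nil), signed...)
	tampered[hdrLen] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, tampered, 2)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, BuildUnsignedImage(3, payload), 2)
	fmt.Println("unsigned image:", err)

	_, _, err = VerifyImage(pub, signed, 4)
	fmt.Println("downgrade:", err)
}
```

Two design choices matter here. The signature is checked before the version field is acted on, so an attacker cannot use an unauthenticated header to steer the update logic, and the length field is validated against the actual image size before it is used for slicing, which is the same class of check whose absence produces packet-reassembly bugs like CVE-2022-22805. Signing alone does not stop rollback to an older signed release, hence the explicit version comparison.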
In a security advisory published on Tuesday, Schneider Electric said the vulnerabilities, rated "critical" and "high severity," affect the SMT, SMC, SCL, SMX, SRT, and SMTL series of Smart-UPS devices. The company has begun releasing firmware updates that fix the flaws. For products that do not yet have a firmware fix, Schneider has published mitigations intended to reduce the likelihood of exploitation; until a patched image is installed, the sensible default for operators is to keep the UPS management interface off untrusted networks and to limit which systems can reach it.