Security researchers from Armis have disclosed a set of three critical vulnerabilities in APC Smart-UPS devices, collectively called the TLStorm vulnerabilities. A remote attacker can chain these vulnerabilities to take over Smart-UPS devices and carry out extreme attacks targeting both physical equipment and IT assets. The published report says that nearly 80% of the devices deployed in government, healthcare, industrial, IT, retail, and other sectors are vulnerable to TLStorm. So it is important to understand the flaws before the worst happens. This post explains how to secure your APC Smart-UPS devices from the TLStorm vulnerabilities.
To understand the significance of the TLStorm vulnerabilities, you should know how large the APC installed base is. APC is a leading UPS manufacturer with over 20 million devices sold globally. Armis's report says that 8 out of 10 devices are vulnerable, which puts around 16 million devices at risk from TLStorm.
What Is UPS?
UPS stands for Uninterruptible Power Supply. As the name says, it is a device designed to provide continuous power to critical servers and other assets during power cuts or disruptions. The primary reason to deploy these devices is to keep equipment running even when the mains supply fails.
What Are the TLStorm Vulnerabilities?
TLStorm is a set of three critical vulnerabilities that allow attackers to remotely take over devices covertly over the Internet without any user interaction or signs of attack.
- CVE-2022-22806: TLS authentication bypass
- CVE-2022-22805: TLS buffer overflow
- CVE-2022-0715: Unsigned firmware upgrade
Attackers can chain these vulnerabilities to achieve remote code execution (RCE) on a vulnerable APC UPS device and can physically damage the device (and other devices connected to it) by altering its operation.
Summary Of The TLStorm Vulnerabilities:
As mentioned above, TLStorm is made up of three vulnerabilities: two stem from an improper implementation of the TLS connection between the device and the Schneider Electric cloud, and the third stems from improper validation of the firmware signature. These are zero-click vulnerabilities, as they can be triggered without any user interaction.
CVE-2022-22806
CVE-2022-22806 is a TLS authentication bypass caused by an improper TLS handshake. It allows attackers to achieve remote code execution (RCE) through the firmware upgrade process.
Attribute | Value |
---|---|
Associated CVE ID | CVE-2022-22806 |
Description | Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent. |
Associated ZDI ID | – |
CVSS Score | 9.0 Critical |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Impact Score | – |
Exploitability Score | – |
Attack Vector (AV) | Network |
Attack Complexity (AC) | High |
Privileges Required (PR) | None |
User Interaction (UI) | None |
Scope (S) | Changed |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
CVE-2022-22805:
The second vulnerability, CVE-2022-22805, is a TLS buffer overflow caused by a memory corruption bug in packet reassembly.
Attribute | Value |
---|---|
Associated CVE ID | CVE-2022-22805 |
Description | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled. |
Associated ZDI ID | – |
CVSS Score | 9.0 Critical |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Impact Score | – |
Exploitability Score | – |
Attack Vector (AV) | Network |
Attack Complexity (AC) | High |
Privileges Required (PR) | None |
User Interaction (UI) | None |
Scope (S) | Changed |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
CVE-2022-0715:
The third vulnerability, CVE-2022-0715, is a design flaw: the device does not validate whether the firmware is cryptographically signed. This gap lets attackers perform supply-chain attacks by crafting malicious firmware and installing it through various paths, including the Internet, the LAN, or a USB thumb drive, which would allow them to take control of the device and operate it as they wish.
Attribute | Value |
---|---|
Associated CVE ID | CVE-2022-0715 |
Description | Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS if a key is leaked and used to upload malicious firmware. |
Associated ZDI ID | – |
CVSS Score | 8.9 High |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Impact Score | – |
Exploitability Score | – |
Attack Vector (AV) | Network |
Attack Complexity (AC) | High |
Privileges Required (PR) | None |
User Interaction (UI) | None |
Scope (S) | Changed |
Confidentiality (C) | High |
Integrity (I) | High |
Availability (A) | High |
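The missing signature check described for CVE-2022-0715 is the heart of the fix. The Go program below is an added example, not code from this page, Armis, or Schneider Electric: the `UPSFW` image layout, the length field and the Ed25519 vendor key pair are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Assumed image layout (not APC's format): "UPSFW" | payload length (uint32 BE) | payload | Ed25519 signature.
const (
	magic  = "UPSFW"
	hdrLen = len(magic) + 4
	sigLen = ed25519.SignatureSize
)
// BuildImage is the vendor-side step; the signature covers magic, length field and payload.
func BuildImage(priv ed25519.PrivateKey, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyFirmware is the device-side check the vulnerable updater lacked: it rejects malformed,
// truncated, unsigned or wrongly signed images and returns the payload only if the signature verifies.
func VerifyFirmware(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < hdrLen+sigLen || string(image[:len(magic)]) != magic {
		return nil, fmt.Errorf("malformed or unsigned image")
	}
	n := int(binary.BigEndian.Uint32(image[len(magic):hdrLen]))
	if n != len(image)-hdrLen-sigLen {
		return nil, fmt.Errorf("length field does not match image size")
	}
	if !ed25519.Verify(pub, image[:hdrLen+n], image[hdrLen+n:]) {
		return nil, fmt.Errorf("signature verification failed: refusing to install")
	}
	return image[hdrLen : hdrLen+n], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	img := BuildImage(priv, []byte("constructed firmware payload"))
	_, genuineErr := VerifyFirmware(pub, img)
	img[hdrLen] ^= 0x01 // flip one payload bit, as tampering would
	_, tamperedErr := VerifyFirmware(pub, img)
	fmt.Println("genuine accepted:", genuineErr == nil, "tampered rejected:", tamperedErr != nil)
}
```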
Devices Affected By TLStorm Vulnerabilities:
These vulnerabilities affect around 80% of the APC Smart-UPS devices worldwide. The tables below list the affected models and firmware versions; check them if you run APC Smart-UPS devices at home, in the office, in industrial settings, in hospitals, or anywhere else.
SmartConnect Family:
Product | Affected Versions | CVEs |
---|---|---|
SMT Series | SMT Series ID=1015: UPS 04.5 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
SMC Series | SMC Series ID=1018: UPS 04.2 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
SMTL Series | SMTL Series ID=1026: UPS 02.9 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
SCL Series | SCL Series ID=1029: UPS 02.5 and prior; SCL Series ID=1030: UPS 02.5 and prior; SCL Series ID=1036: UPS 02.5 and prior; SCL Series ID=1037: UPS 03.1 and prior | CVE-2022-22805, CVE-2022-22806, CVE-2022-0715 |
SMX Series | SMX Series ID=1031: UPS 03.1 and prior | CVE-2022-22805, CVE-2022-22 |
Smart-UPS Family:
Product | Affected Versions | CVEs |
---|---|---|
SMT Series | SMT Series ID=18: UPS 09.8 and prior; SMT Series ID=1040: UPS 01.2 and prior; SMT Series ID=1031: UPS 03.1 and prior | CVE-2022-0715 |
SMC Series | SMC Series ID=1005: UPS 14.1 and prior; SMC Series ID=1007: UPS 11.0 and prior; SMC Series ID=1041: UPS 01.1 and prior | CVE-2022-0715 |
SCL Series | SCL Series ID=1030: UPS 02.5 and prior; SCL Series ID=1036: UPS 02.5 and prior | CVE-2022-0715 |
SMX Series | SMX Series ID=20: UPS 10.2 and prior; SMX Series ID=23: UPS 07.0 and prior | CVE-2022-0715 |
SRT Series | SRT Series ID=1010/1019/1025: UPS 08.3 and prior; SRT Series ID=1024: UPS 01.0 and prior; SRT Series ID=1020: UPS 10.4 and prior; SRT Series ID=1021: UPS 12.2 and prior; SRT Series ID=1001/1013: UPS 05.1 and prior; SRT Series ID=1002/1014: UPS 05.2 and prior | CVE-2022-0715 |
How To Secure Your APC Smart-UPS Devices From TLStorm Vulnerabilities?
There are three ways to upgrade the firmware and secure your APC Smart-UPS devices from the TLStorm vulnerabilities:
- Upgrade firmware through SmartConnect: new firmware is made available to devices enrolled in SmartConnect. Follow the instructions on the portal to install the update.
- Use the Firmware Upgrade Wizard directly to upgrade devices that are not connected to SmartConnect.
- Upgrade through the Network Management Card (NMC); this method allows devices to be upgraded remotely.
The vendor said that they are working on a remediation plan for the Smart-UPS SCL, SMX, and SRT Series and the SmartConnect SMTL, SCL, and SMX Series that will include fixes for these vulnerabilities. Keep in close contact with the vendor for further updates. Until then, follow these steps to secure your APC Smart-UPS devices from the TLStorm vulnerabilities.
- Disable the SmartConnect feature from the front panel.
- If possible, disconnect any network cable connected to the UPS.
- Make sure you follow all the recommendations.
Recommendations:
- Download the firmware only from the official Schneider Electric website.
- Place control and safety system networks and remote devices behind firewalls and isolate them from the rest of the network.
- Restrict unauthorized access to the control and safety systems, components, peripheral equipment, and networks.
- Restrict the use of portable devices with storage or network capabilities, such as smartphones and USB drives.
Original article, author: ItWorker. If reproduced, please cite the source: https://blog.ytso.com/270174.html