Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Millions of APC Smart UPS Devices Can Be Remotely Hacked, Damaged

Uninterruptible power supply (UPS) products made by Schneider Electric subsidiary APC are affected by critical vulnerabilities that can be exploited to remotely hack and damage devices, according to enterprise device security company Armis.

Uninterruptible power supply (UPS) products made by Schneider Electric subsidiary APC are affected by critical vulnerabilities that can be exploited to remotely hack and damage devices, according to enterprise device security company Armis.

Armis researchers have identified three vulnerabilities in APC Smart-UPS devices, which they collectively named TLStorm.

APC says it has sold more than 20 million UPS devices worldwide and data from Armis shows that nearly 80% of companies are exposed to TLStorm attacks. UPS devices are used in data centers, hospitals and industrial facilities, and attacks targeting these systems can have serious consequences.

APC UPS vulnerabilitiesArmis researchers have analyzed the communications between the APC Smart-UPS devices and their remote management services, and discovered vulnerabilities in the TLS implementation and a design flaw related to firmware upgrades.

One security hole, tracked as CVE-2022-22806, has been described as a TLS authentication bypass issue that can lead to remote code execution. The second TLS-related flaw, CVE-2022-22805, has been described as a buffer overflow related to packet reassembly and it can also lead to remote code execution.

These vulnerabilities can be exploited remotely — including from the internet — by an unauthenticated attacker to “alter the operations of the UPS to physically damage the device itself or other assets connected to it,” Armis said.

The third vulnerability, CVE-2022-0715, is related to unsigned firmware updates. Due to the fact that firmware updates are not cryptographically signed, an attacker could create a malicious piece of firmware and install it from a USB drive, the network and even from the internet.

“This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried,” Armis explained.

In an effort to demonstrate the potential impact of these vulnerabilities, the cybersecurity firm has developed a proof-of-concept (PoC) exploit that causes a UPS’s internal circuitry to heat up until smoke comes out and the device becomes completely bricked.

Advertisement. Scroll to continue reading.

“Since the TLS attack vector can originate from the Internet, these vulnerabilities can act as a gateway to the internal corporate network,” Armis said. “Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall. They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.”

In a security advisory released on Tuesday, Schneider Electric said the vulnerabilities, which have been classified as “critical” and “high severity,” impact SMT, SMC, SCL, SMX, SRT, and SMTL series products. The company has started releasing firmware updates that contain patches for these vulnerabilities. In the case of products for which firmware patches are not available, Schneider has provided a series of mitigations for reducing the risk of exploitation.

Related: Critical Vulnerability Can Be Exploited to Hack Schneider Electric’s Modicon PLCs

Related: Flaws in Pneumatic Tube System Can Facilitate Cyberattacks on North American Hospitals

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Stephanie Crowe has been appointed head of the Australian Cyber Security Centre (ACSC).

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.