Vulnerabilities in APC Smart-UPS that allow remote control of the device

Armis security researchers have uncovered three vulnerabilities in APC's managed uninterruptible power supplies that allow remote control and manipulation of the device, such as turning off power to certain ports or using it as a springboard for attacks on other systems. The vulnerabilities are codenamed TLStorm and affect APC Smart-UPS (SCL, SMX, SRT series) and SmartConnect (SMT, SMTL, SCL and SMX series).

Two of the vulnerabilities are caused by errors in the TLS implementation of devices managed through Schneider Electric's centralized cloud service. SmartConnect series devices automatically connect to that cloud service at startup or after losing connection, and an unauthenticated attacker can exploit the vulnerabilities to gain full control over the device by sending specially crafted packets to the UPS.

  • CVE-2022-22805 - Buffer overflow in the packet reassembly code, triggered while processing incoming connections. The problem is caused by copying data into the buffer while processing fragmented TLS records. Exploitation is facilitated by incorrect error handling around the Mocana nanoSSL library: after an error was returned, the connection was not closed.
  • CVE-2022-22806 - Authentication bypass when establishing a TLS session, caused by a state error during connection negotiation. Caching an uninitialized null TLS key and ignoring the error code returned by the Mocana nanoSSL library when a packet with an empty key was received made it possible to impersonate a Schneider Electric server without going through the key exchange and verification stage.
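The two defects above share a pattern: a declared length is trusted when copying a fragment into a reassembly buffer, and an error from the TLS library does not terminate the connection. The following Go program is an added illustration of the defensive side of that pattern, not code from the affected firmware, Armis or Mocana nanoSSL. It reassembles TLS handshake fragments into a buffer of fixed capacity, checks the bound before every copy, and treats any error as fatal for the connection. The record layout (5-byte header, 2^14-byte fragment limit) follows RFC 5246; the 64 KiB cap on one reassembled message is an assumption chosen for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 5246: a record header is type(1) version(2) length(2), and a fragment
// carries at most 2^14 bytes. maxMessageLen is an assumed cap for this example.
const (
	tlsHeaderLen   = 5
	maxFragmentLen = 16384
	maxMessageLen  = 65536
)

var (
	ErrRecordTooLarge   = errors.New("tls: record length exceeds 2^14")
	ErrMessageTooLarge  = errors.New("tls: reassembled message exceeds buffer")
	ErrTruncatedRecord  = errors.New("tls: record truncated")
	ErrConnectionClosed = errors.New("tls: connection already closed")
)

// Reassembler accumulates the fragments of one handshake message into a
// buffer of fixed capacity, enforcing the bound before every copy.
type Reassembler struct {
	buf    []byte
	closed bool
}

func NewReassembler() *Reassembler {
	return &Reassembler{buf: make([]byte, 0, maxMessageLen)}
}

// Feed consumes one raw TLS record (header + fragment). Any error closes the
// connection permanently, so later records are rejected instead of being
// processed against a half-filled buffer.
func (r *Reassembler) Feed(record []byte) error {
	if r.closed {
		return ErrConnectionClosed
	}
	if err := r.feed(record); err != nil {
		r.closed = true
		r.buf = r.buf[:0]
		return err
	}
	return nil
}

func (r *Reassembler) feed(record []byte) error {
	if len(record) < tlsHeaderLen {
		return ErrTruncatedRecord
	}
	length := int(binary.BigEndian.Uint16(record[3:5]))
	if length > maxFragmentLen {
		return ErrRecordTooLarge
	}
	if len(record)-tlsHeaderLen < length {
		return ErrTruncatedRecord
	}
	fragment := record[tlsHeaderLen : tlsHeaderLen+length]
	// The check a length-trusting copy lacks: compare against the buffer's
	// real capacity, not the peer's declared length.
	if len(r.buf)+len(fragment) > cap(r.buf) {
		return ErrMessageTooLarge
	}
	r.buf = append(r.buf, fragment...)
	return nil
}

func (r *Reassembler) Len() int     { return len(r.buf) }
func (r *Reassembler) Closed() bool { return r.closed }

// makeRecord builds a handshake (type 22) TLS 1.2 record whose length field
// is declaredLen; a declaredLen larger than the payload yields a truncated record.
func makeRecord(payload []byte, declaredLen int) []byte {
	rec := make([]byte, tlsHeaderLen, tlsHeaderLen+len(payload))
	rec[0] = 22
	rec[1], rec[2] = 0x03, 0x03
	binary.BigEndian.PutUint16(rec[3:5], uint16(declaredLen))
	return append(rec, payload...)
}

func main() {
	r := NewReassembler()
	for i := 0; i < 5; i++ { // the fifth full-size fragment overruns the cap
		fmt.Println(r.Feed(makeRecord(make([]byte, maxFragmentLen), maxFragmentLen)), r.Len())
	}
	fmt.Println(r.Feed(makeRecord(make([]byte, 1), 1))) // stays closed after the error
}
```

The point of `Feed` wrapping `feed` is that the close-on-error decision is made in one place and cannot be forgotten by a caller that ignores the returned error code, which is the failure mode both CVEs describe.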

The third vulnerability (CVE-2022-0715) is associated with an incorrect implementation of the check on firmware downloaded for an update, and allows an attacker to install modified firmware without any digital signature being verified (it turned out that the firmware does not check a digital signature at all, and relies only on symmetric encryption with a key predefined in the firmware).
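Encrypting an image with a key that ships inside the firmware gives confidentiality against a casual reader but no authenticity: anyone who extracts the key from one unit can produce an image every unit accepts, and a tampered ciphertext simply decrypts to tampered code. The Go program below is an added example, not APC's update format or Armis' code, contrasting that scheme with signature verification. The image layouts (a 16-byte IV followed by AES-CTR ciphertext; a 64-byte Ed25519 signature over the SHA-256 of the payload followed by the payload) and the key material are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// embeddedKey stands in for a symmetric key baked into the firmware itself:
// anyone holding one copy of the image holds the key. Constructed value.
var embeddedKey = []byte("0123456789abcdef0123456789abcdef")

// encryptOnly builds an image under the weak scheme: [16-byte IV][AES-CTR ciphertext].
func encryptOnly(plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(embeddedKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plain)
	return append(iv, ct...), nil
}

// acceptEncryptedOnly mimics an updater that merely decrypts: every blob of
// the right shape "passes", and the device runs whatever comes out.
func acceptEncryptedOnly(blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize {
		return nil, errors.New("image too short")
	}
	block, err := aes.NewCipher(embeddedKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob)-aes.BlockSize)
	cipher.NewCTR(block, blob[:aes.BlockSize]).XORKeyStream(out, blob[aes.BlockSize:])
	return out, nil // no origin or integrity check has happened
}

// signImage is the vendor side: [64-byte signature over SHA-256(payload)][payload].
// Only the holder of priv can produce an image the device accepts.
func signImage(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return append(ed25519.Sign(priv, digest[:]), payload...)
}

// verifySigned is the device side: it stores only the vendor's public key.
func verifySigned(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < ed25519.SignatureSize {
		return nil, errors.New("image too short")
	}
	sig, payload := blob[:ed25519.SignatureSize], blob[ed25519.SignatureSize:]
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, errors.New("firmware signature invalid")
	}
	return payload, nil
}

// tamperDemo flips one payload byte in an image built under each scheme and
// reports (decryptOnlyRanModifiedImage, signatureCheckAcceptedIt).
func tamperDemo(payload []byte) (bool, bool, error) {
	enc, err := encryptOnly(payload)
	if err != nil {
		return false, false, err
	}
	enc[aes.BlockSize] ^= 0x55 // CTR mode: the same bits flip in the plaintext
	got, err := acceptEncryptedOnly(enc)
	ranModified := err == nil && !bytes.Equal(got, payload)

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	signed := signImage(priv, payload)
	signed[ed25519.SignatureSize] ^= 0x55
	_, err = verifySigned(pub, signed)
	return ranModified, err == nil, nil
}

// roundTrip confirms the signed scheme still accepts an unmodified image.
func roundTrip(payload []byte) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	got, err := verifySigned(pub, signImage(priv, payload))
	return err == nil && bytes.Equal(got, payload), nil
}

func main() {
	ran, accepted, err := tamperDemo([]byte("constructed firmware payload"))
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypt-only updater ran a modified image:", ran)
	fmt.Println("signature-checking updater accepted it:", accepted)
}
```

The device-side difference is small: `verifySigned` needs a public key and a 64-byte field per image, and it no longer matters who has read the firmware, because reading it reveals nothing that lets an attacker sign.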

Combined with the CVE-2022-22805 vulnerability, an attacker could replace the firmware remotely by impersonating the Schneider Electric cloud service, or by initiating an update from the local network. Having gained access to the UPS, an attacker can place a backdoor or malicious code on the device, as well as carry out sabotage by cutting power to critical loads, for example video surveillance systems in banks or life-support equipment in hospitals.


Schneider Electric has prepared patches that fix the problems and is also preparing a firmware update. To reduce the risk of compromise, it is additionally recommended to change the default password ("apc") on devices with an NMC (Network Management Card), install a digitally signed SSL certificate, and restrict access to the UPS at the firewall to Schneider Electric Cloud addresses only.

Source: opennet.ru
