Attackers can exploit cloud-connected APC Smart-UPS units to take control of the devices they protect.

Security researchers have found several vulnerabilities affecting many models of APC Smart-UPS uninterruptible power supplies that could be exploited to take over the devices. UPS devices are used across many industries to keep mission-critical devices running in case of power loss.

“Two of these are remote code execution (RCE) vulnerabilities in the code handling the cloud connection, making these vulnerabilities exploitable over the Internet,” researchers from security firm Armis, who found the flaws, said in a report. The company has dubbed the vulnerabilities TLStorm because they’re located in the TLS implementation used in cloud-connected Smart-UPS devices.

APC, a division of Schneider Electric, is one of the market leaders for UPS devices. Its Smart-UPS line of products was launched in 1990 and the company estimates over 20 million units sold to date. Some of the newer models feature a technology called SmartConnect that makes them network enabled and allows users to monitor their status through a cloud-based web portal and to issue firmware updates.

Three APC vulnerabilities exploitable without user interaction

“Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost,” the Armis researchers said. “Attackers can trigger the vulnerabilities via unauthenticated network packets without any user interaction.”

One of the flaws, tracked as CVE-2022-22805, is a buffer overflow memory corruption in the TLS packet reassembly, while another, CVE-2022-22806, is an authentication bypass due to a confusion in the TLS handshake that can allow attackers to perform rogue firmware upgrades over the network. Both flaws are rated 9.0 (critical) on the CVSS severity scale.

A third vulnerability, CVE-2022-0715, is described as a design flaw that stems from the lack of cryptographic signature verification for deployed firmware. This enables attackers to deploy maliciously modified firmware through the TLS vulnerabilities, but also through other firmware update paths such as the LAN or a USB thumb drive. “This modified firmware could allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network to launch additional attacks,” the Armis researchers said.

Remediation for the APC UPS vulnerabilities

Schneider Electric has released firmware updates for some of the impacted models that partially address one or more of the vulnerabilities. Firmware Version UPS 04.6 (SMT series) and Version UPS 04.3 (SMC series) include a fix for CVE-2022-22805 and CVE-2022-22806 and a partial remediation for CVE-2022-0715, for the Smart-UPS and SmartConnect UPS SMT and SMC series.

However, more product lines are affected. These include the Smart-UPS SCL, SMX and SRT Series and the SmartConnect SMTL, SCL and SMX Series. For these models, the company is working on firmware patches, but in the meantime it advises customers to either disable the SmartConnect feature from the device’s front panel, if applicable, or disconnect any network cable connected to the affected UPS. Schneider also has a recommended cybersecurity best practices document.

There is no evidence that these vulnerabilities have been exploited in the wild so far, and UPS devices have not historically been a target for cyberattacks. However, as more traditional devices receive network and cloud connectivity for remote management purposes, they can become a security risk for the networks they’re in because they essentially become computers on the network. The risks are further increased depending on the functions they serve.
The primary goal of uninterruptible power supplies is to keep other critical devices and processes running, and the impact of an unplanned shutdown of those devices and processes could be very serious to asset owners.
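As a defender-side illustration of the remediation guidance above, here is a small Python triage of a UPS inventory against the fixed firmware versions and still-unpatched series the article names; it is added example code, not Armis’s or Schneider Electric’s tooling. The model-prefix-to-series mapping and the sample inventory records are assumptions constructed for the example.

```python
"""Triage an APC Smart-UPS inventory against the TLStorm remediation guidance.
Added example, not vendor tooling. Fixed versions and affected series come from
the article; the model-prefix-to-series mapping and sample records are assumed."""

# Firmware that fixes CVE-2022-22805/22806 and partially remediates CVE-2022-0715.
FIXED_VERSION = {"SMT": (4, 6), "SMC": (4, 3)}
# Series named as affected but still awaiting a firmware patch.
AWAITING_PATCH = {"SCL", "SMX", "SRT", "SMTL"}


def parse_version(text: str) -> tuple:
    """'UPS 04.6' or '04.3' -> (4, 6) / (4, 3) for numeric comparison."""
    return tuple(int(p) for p in text.upper().replace("UPS", "").strip().split("."))


def series_of(model: str) -> str:
    """Map a model string to its series by prefix (assumed naming, e.g. 'SMT1500C')."""
    # Check longer prefixes first so 'SMTL1000' is not classified as 'SMT'.
    for series in sorted(FIXED_VERSION.keys() | AWAITING_PATCH, key=len, reverse=True):
        if model.upper().startswith(series):
            return series
    return "UNKNOWN"


def triage(model: str, firmware: str, smartconnect_enabled: bool) -> str:
    """Return one action keyword per unit: patched, update, mitigate, await, verify."""
    series = series_of(model)
    if series in FIXED_VERSION:
        if parse_version(firmware) >= FIXED_VERSION[series]:
            return "patched"   # note: CVE-2022-0715 is only partially remediated
        return "update"        # install UPS 04.6 (SMT) / UPS 04.3 (SMC)
    if series in AWAITING_PATCH:
        # Vendor interim advice: disable SmartConnect or pull the network cable.
        return "mitigate" if smartconnect_enabled else "await"
    return "verify"            # series not covered by the advisory text


def triage_inventory(records):
    """records: iterable of (model, firmware, smartconnect_enabled) -> {model: action}."""
    return {model: triage(model, fw, sc) for model, fw, sc in records}


# Constructed sample inventory (not real devices).
SAMPLE = [
    ("SMT1500C", "UPS 04.6", True),
    ("SMC1000", "UPS 04.2", True),
    ("SMTL1000", "UPS 03.9", True),
    ("SRT3000", "UPS 03.1", False),
]

if __name__ == "__main__":
    for model, action in triage_inventory(SAMPLE).items():
        print(f"{model}: {action}")
```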