Skip links

Millions of APC Smart-UPS devices vulnerable to TLStorm

If you’re managing a smart model from ubiquitous uninterrupted power supply (UPS) device brand APC, you need to apply updates now – a set of three critical zero-day vulnerabilities are making Smart-UPS devices a possible entry point for network infiltration.

The vulnerabilities, dubbed “TLStorm” were found in Schneider Electric’s APC Smart-UPS products by security firm Armis, which made the info public on Tuesday.

The name stems from the Transport Layer Security (TLS) implementation where two out of the three vulnerabilities were found.

The affected UPSes – ranging across 10 product lines listed here [PDF] – cater to small to medium businesses, providing backup power in emergency situations.

A full list of models affected by the TLStorm vulnerabilities is available in Schneider Electric’s own security advisory here [PDF]. We have asked Schneider how many of the affected Smart-UPS models have been sold and for details on any models that were not affected.

Schneider Electric says on its product page that it has sold over 20 million units of its Smart-UPS brand, calling it an “ideal UPS for servers, point-of-sale, routers, switches, hubs and other network devices.”

Potential weaponized power outages

According to Armis, a complete remote takeover via the internet is possible as the devices are controlled through a cloud connection, potentially without even any signs of an attack through remote code execution. An exploitation could result in weaponized power outages or surges of battery function affecting both the power supply and other connected systems, as well as breaches of company data or installed malware.

Such attacks have happened before. Notably, and topically, threat actors attacked the Ukrainian power grid in 2015. Alongside other actions, according to US federal agents at the Cybersecurity and Infrastructure Security Agency at the time, the attackers scheduled disconnects for server UPS through its remote management interface, leading to a wide-scale power outage.

The first two of the three TLS vulnerabilities found by Armis come about due to an improper connection between the UPS and APC parent company Schneider Electric’s cloud via its SmartConnect feature.

SmartConnect automatically establishes a TLS connection upon startup or whenever cloud connections are temporarily lost. Both vulns require no human interaction and can be exploited as a zero-click attack.

The restart could enable the TLS handshake to bypass authentication potentially resulting in an unauthorized firmware upgrade, or a buffer overflow memory corruption bug in packet reassembly could lead to a remote code execution.

The authentication bypass is tracked as CVE-2022-22806, and the buffer overflow as CVE-2022-22805. Both are rated at 9 out of 10 on the CVSS bug-severity scale.

The third vulnerability is a design flaw, rated ever-so-minutely better than the two TLS vulnerabilities with an 8.9 bug severity and tracked as CVE-2022-0715. In this flaw, the firmware updates are not cryptographically signed securely, allowing a potential attacker to install malware through the internet, LAN or a USB thumb drive, asserted Armis.

“Schneider Electric is aware of the vulnerabilities associated with APC Smart-UPS uninterruptible power supply devices which, if compromised, may allow for potential unauthorized access and control of the device,” said Schneider Electric, adding that it was working to develop remediations and mitigations, as well as disclose to customers and end-users.

Schneider Electric has issued patches while the researchers advised changing default network management card passwords where applicable and installing publicly-signed SSL certificates. Access control lists are also said to help.

Armis said there’s currently no indication the flaws are being exploited in the wild. ®