The security firm Armis has located three vulnerabilities in Schneider Electric’s APC Smart-UPS devices. These flaws are being tracked under the name “TLStorm.” This vulnerability can enable remote attackers to control the power of millions of enterprise devices to conduct cyber-physical attacks. Barracuda MSP recommends updating affected APC Smart-UPS as soon as possible with the latest patch release for the vulnerability.
Technical detail and additional info
What is the threat?
The TLStorm vulnerability can allow threat actors to gain control over Smart Uninterrupted Power Supply (UPS) devices and cause both physical and damage within cyberspace. After a threat actor has control of the device, they can install malicious firmware to initiate attacks on other devices in the environment or damage the device by manipulating the power consumption. An attacker can take over the device by triggering one of the three TLStorm vulnerabilities. Two of the vulnerabilities, known as TLS authentication bypass and TLS buffer overflow, reside in the TLS implementation utilized by cloud-connected Smart UPS devices. They can allow attackers to bypass the authentication process or implement a memory corruption bug within the packet reassembly process. The third vulnerability is considered an unsigned firmware upgrade which an attacker can deploy a malicious update to the device over the network to maintain persistence.
Why is it noteworthy?
The Smart Uninterrupted Power Supply (UPS) is a widely used device for providing emergency backup power for critical assets that require high availability within an enterprise environment. The security company Armis have discovered that 8 out of 10 companies are exposed to the TLStorm vulnerabilities. When exploited, the attackers can implement code execution on a device and change the functionality of the UPS to damage the device or other devices connected to it.
What is the exposure or risk?
If attackers gain control over these Smart UPS devices, they can use it as a foothold to gain access to your internal network. Once they have a foothold in-place, attackers can infect other devices on your network with ransomware. Also, they can increase the power consumption on your Smart UPS unit causing internal damage rendering it inoperable. When the UPS is damaged, any critical device(s) can no longer operate leaving your company at a major loss.
What are the recommendations?
Barracuda MSP recommends updating to the latest patch release from the device manufacturer Schneider Electric’s APC. There are other mitigation techniques that can be followed such as changing the default password of the Network Management Card (NMC). Also, it is recommended to install a publicly-signed SSL certificate on the device as well. This will lessen the risk of an attacker trying to intercept the new password. Also, network administrators can implement access control lists which the APC unit can communicate with a limited number of managed devices and the Schneider Electric Cloud via encrypted communication.
References
For more in-depth information about the recommendations, please visit the following links:
- https://securityaffairs.co/wordpress/128867/hacking/tlstorm-flaws-ups-devices.html
- https://threatpost.com/zero-click-flaws-ups-critical-infratructure/178810/
- https://www.techtarget.com/searchsecurity/news/252514305/Researchers-uncover-vulnerabilities-in-APC-Smart-UPS-devices
If you have any questions, please contact our Security Operations Center.
This post was based on a threat advisory issued by our Barracuda Managed XDR team. For more info on how to best prepare your MSP business to protect clients from cyberthreats, visit the Barracuda Managed XDR page.
