APC, one of the leaders in backup power supply products, is on the receiving end of three new vulnerabilities that may put millions of organizations at risk.
APC's smart uninterruptible power supply devices are commonly used in data centers, health care and industrial facilities as a safeguard against data loss during power outages. They are sophisticated pieces of equipment with built-in network connectivity that allows for direct access to a management dashboard, as well as cloud integration in the newer models.
Researchers at Armis Labs discovered three critical vulnerabilities (dubbed “TLStorm”) in the Smart-UPS and SmartConnect devices that, if collectively exploited, could allow attackers to disable, alter and even destroy the units. A demonstration performed by Armis researchers shows how units can be tampered with to the point where the device overheats and nearly catches fire.
Two of the three vulnerabilities lie in the communication between the device and the cloud of the parent company (Schneider Electric). When communication to the device is lost, the Smart-UPS will attempt to reestablish the connection; this is where attackers can trigger the vulnerabilities by sending unauthenticated packets to the device, which allows them to bypass authentication. This is considered a “zero-click” attack because it requires no user interaction.
The third vulnerability affects the device's mechanism for upgrading firmware: the updates are not cryptographically signed, allowing the attacker to forge a malicious version of the firmware, which the device will automatically install when connection to the network is reestablished. This malicious firmware can be crafted to provide full access to the device and be used as a foothold in gaining further access to a network.
This discovery from Armis Labs points to a new era of threats facing devices that both regulate high voltage and maintain a connection to the internet. Malicious actors could manipulate vulnerable devices and cause physical damage from a remote location. In the hit show Mr. Robot (spoiler warning), an attack bearing a striking resemblance to TLStorm was launched against a data center, causing backup power units to overheat and explode. What was once a fictional scenario could now be a reality.
Schneider Electric has released a security notification outlining which models are affected and providing suggestions for users to remediate the issues. See below for the affected versions as well as the remediation strategy:
Affected models
| Product | Affected Version |
|---|---|
| Smart-UPS family | |
| SMT Series | SMT Series ID=18: UPS 09.8 and prior |
| SMC Series | SMC Series ID=1005: UPS 14.1 and prior |
| SCL Series | SCL Series ID=1030: UPS 02.5 and prior |
| SMX Series | SMX Series ID=20: UPS 10.2 and prior |
| SRT Series | SRT Series ID=1010/1019/1025: UPS 08.3 and prior |
| SmartConnect Family | |
| SMT Series | SMT Series ID=1015: UPS 04.5 and prior |
| SMC Series | SMC Series ID=1018: UPS 04.2 and prior |
| SMTL Series | SMTL Series ID=1026: UPS 02.9 and prior |
| SCL Series | SCL Series ID=1029: UPS 02.5 and prior; SCL Series ID=1030: UPS 02.5 and prior; SCL Series ID=1036: UPS 02.5 and prior; SCL Series ID=1037: UPS 03.1 and prior |
| SMX Series | SMX Series ID=1031: UPS 03.1 and prior |
Remediations/Mitigations
| Affected Products | Remediations |
|---|---|
| Smart-UPS SMT and SMC Series | There are three ways to apply this remediation: When downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation. Note: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature. To verify new firmware version post-installation: Go to the About screen on local display, the SmartConnect portal, or on the NMC and confirm that the UPS firmware Revision is UPS 04.6 (SMT series) and UPS 04.3 (SMC series). In addition to the remediations above, customers should immediately apply the General Security Recommendations to reduce the risk of exploit. |
| Smart-UPS SCL, SMX, and SRT Series; SmartConnect SMTL, SCL, and SMX Series | Schneider Electric is establishing a remediation plan for Smart-UPS SCL, SMX, and SRT Series and SmartConnect SMTL, SCL, and SMX Series that will include fixes for these vulnerabilities. We will update this document when the remediation is available. Until then, customers should immediately apply the following mitigations provided below to reduce the risk of exploit: |
| Mitigations to reduce the risk of exploit | |
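
The hash check called for in the SMT/SMC remediation above, as an added Python example that is not code from Schneider Electric or Armis. It assumes the published value is a SHA-256 hex digest (the page does not name the algorithm) and uses a constructed stand-in file with a placeholder name in place of a real firmware image.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large firmware images are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_digest(published):
    """Accept a digest as pasted from a web page: spaces, colons, mixed case."""
    cleaned = "".join(ch for ch in published if ch not in " :\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        # Fail closed: a truncated or malformed value must never "match".
        raise ValueError("published value is not a SHA-256 hex digest")
    return cleaned


def firmware_matches(path, published):
    """Return True only when the file's SHA-256 equals the published digest."""
    expected = normalize_digest(published)
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    # Constructed sample data: a stand-in image and a copy with altered bytes.
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "firmware-PLACEHOLDER.bin")
        bad = os.path.join(tmp, "firmware-modified.bin")
        with open(good, "wb") as fh:
            fh.write(b"constructed firmware image\n" * 1000)
        with open(bad, "wb") as fh:
            fh.write(b"constructed firmware image\n" * 999 + b"modified bytes\n")
        # Assumption: stands in for the digest copied from the official page.
        published = sha256_file(good).upper()
        return firmware_matches(good, published), firmware_matches(bad, published)


if __name__ == "__main__":
    ok, modified = demo()
    print("genuine image accepted:", ok)
    print("modified image accepted:", modified)
```

A matching hash only shows the file equals what the download page describes, so the digest has to come from the official source over a trusted channel. It does not replace a cryptographic signature on the firmware itself, which is the gap the third vulnerability describes.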