UPS flaws allow for remote code execution and remote fire-based interruptions
Security researchers at Armis have detailed a trio of vulnerabilities in so-called Smart-UPS devices sold by Schneider Electric subsidiary APC. These flaws allow for unnoticeable remote code execution, replacement of the firmware, and potentially burning out the entire unit.
Ben Seri and Barak Hadad from Armis detailed the vulnerabilities in a blog post. “Armis has discovered a set of three critical zero-day vulnerabilities in APC Smart-UPS devices,” they announce. Further, these vulnerabilities “can allow remote attackers to take over Smart-UPS devices and carry out extreme attacks targeting both physical devices and IT assets.”
Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets. Data centers, industrial facilities, hospitals and other facilities use them extensively.
APC is one of the leading vendors of UPS devices, with over 20 million devices sold worldwide. If exploited, these vulnerabilities, dubbed TLStorm, allow for complete remote takeover of Smart-UPS devices. They also provide the ability to carry out extreme cyber-physical attacks. According to Armis data, “Almost 8 out of 10 companies are exposed to TLStorm vulnerabilities.”
Attackers can take over remote devices over the Internet
The latest APC Smart-UPS models are controlled through a cloud connection. Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack. As a result, attackers can perform a remote code execution (RCE) attack on a device. This in turn could allow attackers to alter the operation of the UPS to physically damage the device itself or other connected assets.
The bloggers then go on to detail the vulnerabilities and provide a list of affected devices.
“UPS devices, like many other digital infrastructure appliances, are often installed and forgotten,” they conclude. Since these devices connect to the same internal networks as the core business systems, exploitation attempts can have severe implications, they add.
“It’s important for security professionals to have complete visibility of all assets, along with the ability to monitor their behavior, in order to identify anomalies and/or exploit attempts. However, traditional security solutions do not cover these assets. As a result, they remain ‘unseen’ and therefore expose the organization to significant risk.”