Researchers uncover critical vulnerabilities in APC Smart-UPS devices

Why it matters: Three vulnerabilities have recently been discovered affecting uninterruptible power supplies (UPS) made by APC. The vulnerabilities, rated critical and high severity, affect APC's SMT, SMC, SCL, SMX, SRT, and SMTL product lines. The TLS-based attacks can lead to impacts ranging from physical damage to the device itself to unauthorized access to a target's internal networks.

Security firm Armis discovered the APC vulnerabilities. The attack vectors, collectively named TLStorm, give attackers the means to manipulate the UPS remotely. These devices provide backup power for critical equipment and services in data centers, hospitals, and other organizations that require uninterrupted power.

Malicious actors exploiting the vulnerabilities can perform remote code execution (RCE) attacks against any vulnerable APC Smart-UPS device. Such attacks allow unauthorized users to alter the UPS's operation, potentially damaging the power supply itself or any assets connected to it. Attackers can carry out the attack without any user interaction and leave no trace of a breach.

American Power Conversion's Smart-UPS devices use a cloud connection for all configuration and control. This remote connectivity is the basis for two of TLStorm's three vulnerabilities. The third relates to a design flaw that prevents firmware updates from carrying secure cryptographic signatures.

  • CVE-2022-22806 – TLS authentication bypass: a state confusion in the TLS handshake leads to authentication bypass, resulting in remote code execution (RCE) via a network firmware upgrade
  • CVE-2022-22805 – TLS buffer overflow: a memory corruption bug in packet reassembly (RCE)
  • CVE-2022-0715 – Unsigned firmware upgrade that can be updated over the network (RCE)

Armis researchers estimate that eight out of ten companies using the devices are currently vulnerable to TLStorm-based attacks. Mitigation measures include changing the default NMC (Network Management Card) password ("apc"), installing a publicly signed SSL certificate, deploying access control lists, and installing the patches available on the Schneider Electric website.
