Zero-Click Vulnerability in APC Smart-UPS and Smart-Connect Devices

Overview

Vulnerabilities in APC Smart-UPS products could allow attackers to remotely take control of the devices and to cause physical damage by taking down an organisation’s critical infrastructure.

UPS devices provide emergency backup power for mission-critical assets that require high availability. It has been estimated that approximately 20 million devices are affected by these vulnerabilities.

Three vulnerabilities have been disclosed:

CVE-2022-22805 (CVSS3.1 9.0) – TLS buffer overflow/memory-corruption bug in packet reassembly leading to remote code execution

CVE-2022-22806 (CVSS3.1 9.0) – TLS authentication bypass

CVE-2022-0715 (CVSS3.1 8.9) – Firmware updates on affected devices are not cryptographically signed in a secure manner

Impact

According to researchers, by exploiting TLStorm attackers could remotely take over the devices and use them to breach a company’s internal network and steal data. Moreover, by cutting power for mission-critical appliances or services, attackers also could cause physical injury or disrupt business services.

The vulnerabilities also allow attackers to gain remote code execution (RCE) on devices; this in turn could be used to alter the operation of the UPS to physically damage the device itself or assets connected to it.

Impacted Devices

Smart-UPS Family

SCL Series ID=1030: UPS 02.5 and prior
SCL Series ID=1036: UPS 02.5 and prior

SMC Series ID=1005: UPS 14.1 and prior
SMC Series ID=1007: UPS 11.0 and prior
SMC Series ID=1041: UPS 01.1 and prior

SMT Series ID=18: UPS 09.8 and prior
SMT Series ID=1040: UPS 01.2 and prior
SMT Series ID=1031: UPS 03.1 and prior

SMX Series ID=20: UPS 10.2 and prior
SMX Series ID=23: UPS 07.0 and prior

SRT Series ID=1010/1019/1025: UPS 08.3 and prior
SRT Series ID=1024: UPS 01.0 and prior
SRT Series ID=1020: UPS 10.4 and prior
SRT Series ID=1021: UPS 12.2 and prior
SRT Series ID=1001/1013: UPS 05.1 and prior
SRT Series ID=1002/1014: UPS 05.2 and prior

SmartConnect Family

MTL Series ID=1026: UPS 02.9 and prior

SCL Series ID=1029: UPS 02.5 and prior
SCL Series ID=1030: UPS 02.5 and prior
SCL Series ID=1036: UPS 02.5 and prior
SCL Series ID=1037: UPS 03.1 and prior

SMC Series ID=1018: UPS 04.2 and prior

SMT Series ID=1015: UPS 04.5 and prior

SMX Series ID=1031: UPS 03.1 and prior

Vulnerability Detection

Depending on how a device is connected, the firmware version in use can be checked via the SmartConnect portal, via the Network Management Card (NMC) or, for devices with a display, manually through the display menu options.
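Once a firmware version string has been read from the portal, NMC or display, it still has to be compared against the affected-version tables above. The following script is an added example, not code from the bulletin or from Schneider Electric: it encodes the device IDs and "and prior" thresholds from the tables, parses the "UPS xx.y" version strings, and triages a constructed inventory (the asset names and version strings are made up for illustration).

```python
import re

# Device ID -> last affected "UPS" firmware version, copied from the bulletin's
# Impacted Devices tables. IDs listed under both families share one threshold.
AFFECTED_THROUGH = {
    1030: "02.5", 1036: "02.5", 1005: "14.1", 1007: "11.0", 1041: "01.1",
    18: "09.8", 1040: "01.2", 1031: "03.1", 20: "10.2", 23: "07.0",
    1010: "08.3", 1019: "08.3", 1025: "08.3", 1024: "01.0", 1020: "10.4",
    1021: "12.2", 1001: "05.1", 1013: "05.1", 1002: "05.2", 1014: "05.2",
    1026: "02.9", 1029: "02.5", 1037: "03.1", 1018: "04.2", 1015: "04.5",
}

# Accepts "UPS 02.5", "02.5" or "ups 2.5"; anything else is rejected.
_VERSION_RE = re.compile(r"^\s*(?:UPS\s*)?(\d+)\.(\d+)\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn a firmware string into a comparable (major, minor) tuple.
    Raises ValueError on unknown formats so they are never treated as safe."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(device_id, firmware):
    """Return 'vulnerable', 'patched' or 'not listed' for one device.
    'X and prior' in the bulletin is inclusive, so version <= X is affected."""
    if device_id not in AFFECTED_THROUGH:
        return "not listed"
    threshold = parse_version(AFFECTED_THROUGH[device_id])
    return "vulnerable" if parse_version(firmware) <= threshold else "patched"


# Constructed sample inventory: (asset name, device ID, version as reported).
SAMPLE_INVENTORY = [
    ("rack-ups-01", 1005, "UPS 14.1"),  # SMC, exactly at the threshold
    ("rack-ups-02", 1005, "UPS 14.2"),  # SMC, above the threshold (constructed)
    ("edge-ups-01", 1030, "UPS 02.4"),  # SCL, below the threshold
    ("edge-ups-02", 9999, "UPS 01.0"),  # device ID not in the bulletin
]


def triage(inventory):
    """Map each asset name to its assessment so callers can filter on it."""
    return {name: assess(dev_id, fw) for name, dev_id, fw in inventory}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```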

Containment, Mitigations & Remediations

There are three ways to apply remediation:

  1. For units connected to the SmartConnect Portal – new firmware will become available automatically. Follow prompts via the portal or display to install new firmware.
  2. For units not connected to the SmartConnect Portal – use the Firmware Upgrade Wizard to install the new firmware.
  3. For devices which include an NMC – the NMC can be used to update the firmware of the UPS remotely.

Note: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature.
For customers who use the network management card (NMC), it is advised to change the default password (“apc”) and install a publicly signed SSL certificate.

Schneider Electric also recommends:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

Indicators of Compromise

There are no IoCs associated with these vulnerabilities at this time.

Threat Landscape

Schneider Electric are very good at releasing patches and maintaining their products. However, they tend to release their patches on the same day as Microsoft and, as a result, those patches tend not to get the focus and attention they need. Microsoft products are understandably prioritised for patching, remediation and mitigation, but this is often simply because their presence is more obvious.

APC Smart devices are very common in data centres, server rooms and communication rooms around the globe and play a critical role in providing and smoothing power to core infrastructures.

Devices such as these should be considered to be part of an organisation’s critical Operational Technology (OT) infrastructure and maintained accordingly.
There is precedent for attackers targeting UPS and power distribution devices to take down critical infrastructure, most notably the 2015 attack on the Ukrainian power grid, which led to widespread power outages.

Mitre Methodologies

T1552 – Unsecured Credentials
T1556 – Modify Authentication Process
T0875 – System Firmware
T0836 – Modify Parameter
T0881 – Service Stop
T0816 – Device Restart/Shutdown
T0826 – Loss of Availability

Further Information

Armis Report
Schneider Electric Bulletin
ThreatPost