Finding APC assets vulnerable to TLStorm
Researchers at Armis recently published details on three new vulnerabilities affecting cloud-connected APC Smart-UPS devices manufactured by Schneider Electric. Dubbed “TLStorm”, two of these vulnerabilities exist in the firmware TLS implementation, while the third vulnerability exists in the firmware update process.
The disclosed CVEs for TLStorm include:
- CVE-2022-22806 (CVSS “critical” score of 9.9) - Authentication bypass via state confusion during TLS handshake
- CVE-2022-22805 (CVSS “critical” score of 9.9) - Pre-authentication buffer overflow in TLS
- CVE-2022-0715 (CVSS “high” score of 8.9) - Unsigned firmware deployment via the network or USB
Successful exploitation of these vulnerabilities can provide unauthenticated remote code execution to a remote attacker on vulnerable APC devices that are using the SmartConnect feature (which connects them to the cloud). This opens the door to attacks that could damage the UPS device itself, attacks that could damage devices connected to the UPS, and the attacker establishing a foothold on the private corporate network..
Armis coordinated with Schneider Electric on the publishing of TLStorm, and Schneider Electric encourages owners of affected APC Smart-UPS devices to update with available patched firmware. Armis offers additional mitigation techniques for improved safety (see “How can you secure your UPS devices?”).
hw:apc AND protocol:tls
Find APC Smart-UPS devices on your network
runZero deploys and bulds your asset inventory in minutes. Get results immediately.Start a free trial
October 11, 2022
Finding FortiOS, FortiProxy, and FortiSwitchManager assets on your network
A critical authentication bypass vulnerability was found in the web administration interface of some Fortinet products. Tracked as CVE-2022-40684, successful exploitation of this vulnerability via crafted HTTP and HTTPS requests can provide remote attackers with admin-level …
September 30, 2022
Finding Microsoft Exchange Servers on your network
GTSC, a Vietnamese security firm, recently discovered two zero-day vulnerabilities that affect Microsoft Exchange Server 2013, 2016, and 2019. These two vulnerabilities are being tracked as CVE-2022-41040 and CVE-2022-41082.
August 4, 2022
Finding DrayTek Vigor routers
The Trellix Threat Labs Vulnerability Research team recently published vulnerability details affecting almost 30 models of DrayTek Vigor routers. This vulnerability resides in the management interface login page and is trivial to exploit via buffer overflow. An …Read More