Artificial Intelligence | News | Insights | AiThority
[bsfp-cryptocurrency style=”widget-18″ align=”marquee” columns=”6″ coins=”selected” coins-count=”6″ coins-selected=”BTC,ETH,XRP,LTC,EOS,ADA,XLM,NEO,LTC,EOS,XEM,DASH,USDT,BNB,QTUM,XVG,ONT,ZEC,STEEM” currency=”USD” title=”Cryptocurrency Widget” show_title=”0″ icon=”” scheme=”light” bs-show-desktop=”1″ bs-show-tablet=”1″ bs-show-phone=”1″ custom-css-class=”” custom-id=”” css=”.vc_custom_1523079266073{margin-bottom: 0px !important;padding-top: 0px !important;padding-bottom: 0px !important;}”]

Armis Finds Three Critical Zero-Day Vulnerabilities in APC Smart-UPS Devices, Dubbed “TLStorm,” Exposing More than 20 Million Enterprise Devices

Armis, the leader in unified asset visibility and security, announced the discovery of three zero-day vulnerabilities in APC Smart-UPS devices that can allow attackers to gain remote access. If exploited, these vulnerabilities, collectively known as TLStorm, allow threat actors to disable, disrupt, and destroy APC Smart-UPS devices and attached assets.

Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets in data centers, industrial facilities, hospitals, and more. APC is a subsidiary of Schneider Electric and is one of the leading vendors of UPS devices, with over 20 million devices sold worldwide.

“Until recently, assets, such as UPS devices, were not perceived as security liabilities. However, it has become clear that security mechanisms in remotely managed devices have not been properly implemented, meaning that malicious actors will be able to use those vulnerable assets as an attack vector,” said Barak Hadad, Head of Research, Armis. “It is vital that security professionals have complete visibility of all assets, along with the ability to monitor their behavior, to identify exploitation attempts of vulnerabilities such as TLStorm.”

Recommended AI News: dClimate Partners with Namibia to Create a Blockchain-Native Registry to Quantify and Monetize the Country’s Green Hydrogen

Enterprise Risk Exposure

Armis researches and analyzes various assets to help security leaders protect their organizations from new threats. For this research, Armis investigated APC Smart-UPS devices and their remote management and monitoring services due to the widespread use of APC UPS devices in our customers’ environments. The latest models use a cloud connection for remote management. Armis researchers found that an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the Internet without any user interaction or signs of attack.

The discovered vulnerabilities include two critical vulnerabilities in the TLS implementation used by cloud-connected Smart-UPS devices and a third high-severity vulnerability, a design flaw, in which firmware upgrades of most Smart-UPS devices are not correctly signed or validated.

Two of the vulnerabilities involve the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost. Attackers can trigger the vulnerabilities via unauthenticated network packets without any user interaction.

Related Posts
1 of 40,831
  • CVE-2022-22805 – (CVSS 9.0) TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).
  • CVE-2022-22806 – (CVSS 9.0) TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.

Recommended AI News: Algorand Network Upgrade Expands Smart Contract Functionality with Contract-to-Contract Calls

The third vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner. As a result, an attacker could craft malicious firmware and install it using various paths, including the Internet, LAN, or a USB thumb drive. This modified firmware could allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network to launch additional attacks.

  • CVE-2022-0715 – (CVSS 8.9) Unsigned firmware upgrade that can be updated over the network (RCE).

Abusing flaws in firmware upgrade mechanisms is becoming a standard practice of APTs, as has been recently detailed in the analysis of the Cyclops Blink malware, and improper signing of firmware is a recurring flaw in various embedded systems. For example, a previous vulnerability discovered by Armis in Swisslog PTS systems resulted from a similar type of flaw.

“TLStorm vulnerabilities occur in cyber-physical systems that bridge our digital and physical worlds, giving cyberattacks the possibility of real-world consequences,” said Yevgeny Dibrov, CEO and Co-founder of Armis. “The Armis platform addresses this hyper-connected reality, where one compromised identity and device can open the door to cyberattacks, and the security of every asset has become foundational to protect business continuity and brand reputation. Our ongoing research secures organizations by providing 100% complete visibility of their IT, cloud, IoT, OT, IoMT,  5G, and edge assets.”

Recommended AI News: Apixio’s New Apicare AuthAdvisor Leverages Machine Learning, Predictive Decision-Making

[To share your insights with us, please write to sghosh@martechseries.com]

Comments are closed.