
APC UPS zero-day bugs can remotely burn out devices, disable power
2022-03-09 00:08

A set of three critical zero-day vulnerabilities now tracked as TLStorm could let hackers take control of uninterruptible power supply devices from APC, a subsidiary of Schneider Electric.

UPS devices act as emergency power backup solutions and are present in mission-critical environments such as data centers, industrial facilities, and hospitals.

Two of the vulnerabilities, CVE-2022-22805 and CVE-2022-22806, are in the implementation of the TLS protocol that connects Smart-UPS devices with the "SmartConnect" feature to the Schneider Electric management cloud.

While the firmware is encrypted, it lacks a cryptographic signature, allowing threat actors to create a malicious version of it and deliver it as an update to target UPS devices to achieve remote code execution.
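The point above, that encryption alone does not stop a modified firmware image from being accepted, as an added illustration that is not code from the article or from Schneider Electric. The stream cipher, keys and image are constructed toys, and a stdlib HMAC tag stands in for the asymmetric signature the article means; the verify-before-trust logic is the same.

```python
"""Constructed example: an encrypted-only update path accepts any modified
image, while a path that authenticates the image before trusting it does not.
The cipher, keys and firmware bytes below are toys, not APC's real format."""
import hashlib
import hmac
from typing import Optional


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (stands in for the vendor's unknown cipher).
    XOR is its own inverse, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def accept_encrypted_only(enc_key: bytes, image: bytes) -> bytes:
    """Update path the article describes: decrypt and trust the result.
    Any ciphertext decrypts to *something*, so modification goes unnoticed."""
    return keystream_encrypt(enc_key, image)


def make_tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Authentication tag over the ciphertext (HMAC here; a signature in practice)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def accept_authenticated(enc_key: bytes, mac_key: bytes,
                         image: bytes, tag: bytes) -> Optional[bytes]:
    """Hardened path: verify the tag in constant time before decrypting;
    return None so the caller refuses to flash an unverified image."""
    if not hmac.compare_digest(make_tag(mac_key, image), tag):
        return None
    return keystream_encrypt(enc_key, image)


def demo() -> dict:
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32          # constructed keys
    firmware = b"SMART-UPS FW 1.0: constructed sample image"  # constructed
    ciphertext = keystream_encrypt(enc_key, firmware)
    tag = make_tag(mac_key, ciphertext)
    # An image whose first byte was altered in transit or storage (no key needed).
    altered = bytes([ciphertext[0] ^ 0x01]) + ciphertext[1:]
    return {
        "firmware": firmware,
        "altered_encrypted_only": accept_encrypted_only(enc_key, altered),
        "altered_authenticated": accept_authenticated(enc_key, mac_key, altered, tag),
        "genuine_authenticated": accept_authenticated(enc_key, mac_key, ciphertext, tag),
    }
```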

The latest Smart-UPS devices featuring the SmartConnect cloud connection functionality can be upgraded from the cloud management console over the Internet.

As a mitigation, deploy access control lists so that the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric cloud, over encrypted communications.


News URL

https://www.bleepingcomputer.com/news/security/apc-ups-zero-day-bugs-can-remotely-burn-out-devices-disable-power/

Related Vulnerability

CVE-2022-22806 (2022-03-09): Authentication Bypass by Capture-replay vulnerability in Schneider-Electric products
  Description: A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent.
  Attack vector: network; attack complexity: low
  Vendor: schneider-electric; weakness: CWE-294
  Risk: critical (9.8)

CVE-2022-22805 (2022-03-09): Classic Buffer Overflow vulnerability in Schneider-Electric products
  Description: A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled.
  Attack vector: network; attack complexity: low
  Vendor: schneider-electric; weakness: CWE-120
  Risk: critical (9.8)