Security researchers at Armis have detailed a trio of vulnerabilities in so-called Smart-UPS devices sold by Schneider Electric subsidiary APC that allow for undetected remote code execution, replacement of the firmware, and potentially burning out the entire unit.
Naturally, in 2022, the flaws stem from a combination of a bad TLS implementation and the fact that newer devices can be controlled through a cloud-based system.
“Since the TLS attack vector can originate from the internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall,” Armis said.
“They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.”
When a TLS connection hits an error, the authors of the Mocana nanoSSL library recommend closing it. APC's firmware instead ignores some of those errors, which leaves the connection open and the library in a state it was never designed to handle.
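To make the difference between the two behaviours concrete, here is an added example (not code from Armis, APC or Mocana, and it makes no assumptions about nanoSSL's API). It uses Python's standard ssl module with memory BIOs so a client and server can run a handshake entirely offline; the handshake is rigged to fail on a version mismatch, and the client's reaction to the resulting error is pluggable: `close_on_error` is the handling the library authors recommend, `ignore_error` is the pattern described above. The names `Conn`, `negotiate` and the two policy functions are this example's own.

```python
import ssl


class Conn:
    """One end of a TLS session driven over in-memory BIOs, so the whole
    exchange runs offline with no sockets or certificates."""

    def __init__(self, ctx, server_side):
        self.incoming = ssl.MemoryBIO()
        self.outgoing = ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing, server_side=server_side)
        self.established = False
        self.closed = False
        self.ignored_errors = []    # populated only by the vulnerable policy
        self.later_use_error = None

    def forward_to(self, peer):
        """Deliver whatever the library wrote (handshake records, alerts) to the peer."""
        data = self.outgoing.read()
        if data:
            peer.incoming.write(data)

    def step(self):
        """Advance the handshake one step.
        Returns True when complete, None when waiting for peer data, or the SSLError."""
        try:
            self.tls.do_handshake()
            self.established = True
            return True
        except ssl.SSLWantReadError:
            return None
        except ssl.SSLError as err:
            return err


def close_on_error(conn, err):
    """Recommended handling: any library error is terminal for this connection.
    Drop the SSL object; nothing learned from the peer during the failed
    handshake may be kept or reused."""
    conn.closed = True
    conn.established = False
    conn.tls = None


def ignore_error(conn, err):
    """Vulnerable handling: note the error and carry on with the same SSL object,
    which has already sent or received a fatal alert."""
    conn.ignored_errors.append(str(err))


def negotiate(client_policy, max_steps=8):
    """Run a handshake that is guaranteed to fail (the client caps itself at
    TLS 1.2 while the server insists on TLS 1.3) and apply client_policy to the
    error the client sees. The server always closes on error. Returns the client."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli_ctx.check_hostname = False         # no certificate is ever presented here
    cli_ctx.verify_mode = ssl.CERT_NONE
    cli_ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    client = Conn(cli_ctx, server_side=False)
    server = Conn(srv_ctx, server_side=True)

    for _ in range(max_steps):
        outcome = client.step()
        client.forward_to(server)
        if outcome is True:
            break
        if isinstance(outcome, ssl.SSLError):
            client_policy(client, outcome)
            break
        if not server.closed:
            outcome = server.step()
            server.forward_to(client)   # on failure this carries the fatal alert
            if isinstance(outcome, ssl.SSLError):
                close_on_error(server, outcome)

    # What a device that ignored the error would do next: keep using the object.
    if client.tls is not None and not client.closed:
        try:
            client.tls.write(b"hello")
        except ssl.SSLError as err:
            client.later_use_error = str(err)
    return client


if __name__ == "__main__":
    good = negotiate(close_on_error)
    print("closing policy: closed=%s tls=%r" % (good.closed, good.tls))
    bad = negotiate(ignore_error)
    print("ignoring policy: closed=%s established=%s ignored=%d later_use_error=%r"
          % (bad.closed, bad.established, len(bad.ignored_errors), bad.later_use_error))
```

With the closing policy the client ends up with no SSL object at all, so nothing from the failed exchange can be cached or reused. With the ignoring policy the connection is neither established nor closed: the object is still referenced and any later call on it is outside what the library's state machine is prepared for, which is exactly the kind of confusion an attacker who controls the other end can steer.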
“Ignoring the nanoSSL library errors causes the UPS to cache the TLS