Written by: Shlomi Feldman (Check Point), Barak Hadad (Armis)

Overview

Earlier this month, Armis discovered three critical vulnerabilities in APC Smart-UPS devices that allow attackers to remotely manipulate the power of millions of network-connected devices.

What’s at stake?

APC is a subsidiary of Schneider Electric, and is one of the leading vendors of UPS devices with over 20 million devices sold worldwide. With the vulnerabilities found in these devices, cybercriminals had the ability to carry out devastating attacks that target both physical devices and IT assets. These devices provide emergency backup power for mission-critical assets and can be found in data centers, industrial facilities, hospitals, and much more. Plain and simple – cybercriminals had the ability to remotely take over the devices that are connected to the organization’s network via the Internet (without any user interaction or signs of an attack).

According to Armis, almost 8 out of 10 companies are exposed to TLStorm vulnerabilities!

For a detailed synopsis on TLStorm and what occurred, head to Armis research page here. In this article, we will be covering how you can remain protected with Check Point + Armis.

More information on the vulnerabilities.

The set of discovered vulnerabilities include two critical vulnerabilities in the TLS implementation used by Cloud-connected Smart-UPS devices, as well as a third vulnerability, a design flaw, in which firmware upgrades of all Smart-UPS devices are not properly signed and validated.

Two of the vulnerabilities involve the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection upon startup or whenever cloud connections are temporarily lost.

• Two critical vulnerabilities in the TLS implementation:
  • CVE-2022-22806 TLS authentication bypass: A state confusion in the TLS handshake leads to authentication bypass, leading to remote code execution (RCE) using a network firmware upgrade.
  • CVE-2022-22805 TLS buffer overflow: A memory corruption bug in packet reassembly (RCE).

These vulnerabilities can be triggered via unauthenticated network packets without any user interaction (ZeroClick attack).

The third vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner. This means an attacker could craft malicious firmware and install it using various paths, including the Internet, LAN, or a USB thumb drive. This can allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network from which additional attacks can be carried.

• CVE-2022-0715 Unsigned firmware upgrade that can be updated over the network (RCE).

Abusing flaws in firmware upgrade mechanisms is becoming a standard practice of APTs, as has been recently detailed in the analysis of the Cyclops Blink malware, and improper signing of firmwares of embedded devices is a recurring flaw in various embedded systems. A previous vulnerability discovered by Armis in Swisslog PTS systems (PwnedPiper, CVE-2021-37160) was a result of a similar type of flaw.

Armis disclosed these vulnerabilities to Schneider Electric on October 31, 2021. Since then, Armis has worked with Schneider Electric to create and test a patch, which is now generally available.

How can Check Point + Armis help?
https://vimeo.com/660998764

The collaborative efforts and commitment to excellence shared between Check Point and Armis has enabled the two to be among the first security providers to offer complete end-to-end protection for the TLStorm vulnerabilities mentioned above.

1. With Armis’ platform, you can quickly discover all of the Smart-UPS devices that must be patched or protected from exploit attempts. In addition to the detection, Armis can also provide valuable data about the device owner and physical location to remediate security risk quicker.
2. Armis detects the exploit attempts in real-time and feeds the necessary information through to Check Point’s security appliances.
3. Be sure to continue the tracking of ‘risky’ assets (including new assets) to ensure they are not targeted by exploit attempts at any time, thus posing a threat to your network.
4. Leverage Check Point’s automated policies that proactively segment you IoT/OT and IT network.
5. Take advantage of Check Point’s adaptive threat prevention capabilities (built into the gateways via ThreatCloud) and access control to reduce your attack surface.
6. Monitor the devices and the device communication traffic to ensure connected devices are doing only what they are supposed to be doing.

What actions should I take now?

Check Point and Armis are here to help you every step of the way in making sure you are protected against vulnerabilities, like TLStorm, or any vulnerabilities that may arise in the future.

Firstly, Check Point and Armis are pleased to announce to our customers that effective today, the TLStorm IPS protection is available via update through Check Point Security Gateways.

Here are some additional steps to take now to remain protected from TLStorm:

1. Install available patches on the Schneider Electric web page.
2. Always practice safe password protection. Update your passwords by making sure they are not still using default passwords. Install publicly-signed SSL certificates so that an attacker on your network will not be able to intercept the new password. To further limit the attack surface of your NMC, refer to the Schneider Electric Security Handbook for NMC 2and NMC 3.
3. Deploy access control lists (ACLs) in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications. For more information on how this can be accomplished, head to Check Point + Armis’ Partner Page and/or schedule a demo for our integrated IoT security solution.