{"id":45629,"date":"2022-03-09T04:36:00","date_gmt":"2022-03-09T04:36:00","guid":{"rendered":"http:\/\/169cb74f-f975-4bb6-b872-28efe8053bed"},"modified":"2022-03-09T04:36:00","modified_gmt":"2022-03-09T04:36:00","slug":"ups-flaws-allow-for-remote-code-execution-and-remote-fire-based-interruptions","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/ups-flaws-allow-for-remote-code-execution-and-remote-fire-based-interruptions\/","title":{"rendered":"UPS flaws allow for remote code execution and remote fire-based interruptions"},"content":{"rendered":"
\"apc-ups-tlstorm.png\"<\/span>
<\/span> Image: Armis <\/span><\/figcaption><\/figure>\n

Security researchers at Armis have detailed<\/a> a trio of vulnerabilities in so-called Smart-UPS devices sold by Schneider Electric subsidiary APC that allow for unnoticeable remote code execution, replacing of firmware, and potentially burning out the entire unit. <\/p>\n

Naturally in 2022, the flaws in the system stem from a combination of bad TLS implementation and being able to be controlled through a cloud-based system in newer devices. <\/p>\n

“Since the TLS attack vector can originate from the internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall,” Armis said. <\/p>\n

“They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.” <\/p>\n

If a TLS connection has an error, rather than closing the connection as recommended by Mocana nanoSSL library writers, APC ignores some of the errors, which leaves the connection open and the library in a state it is not built to handle. <\/p>\n

“Ignoring the nanoSSL library errors causes the UPS to cache the TLS key in its uninitialized state,” Arris said. <\/p>\n

“When an attacker uses the TLS resumption functionality, the uninitialized key (all zero) is fetched from the cache and the attacker can communicate with the device as if it was a genuine Schneider Electric server. As a seemingly verified server, the attacker can issue a firmware upgrade command and remotely execute code over the UPS device.” <\/p>\n

Additionally, all Smart-UPS devices use the same symmetric key for encryption and decryption, and it can be extracted from the devices. As a bonus, the devices do not check if any firmware is signed, allowing attackers to remain persistently on the device. <\/p>\n

\"armis-apc-ups-fire.png\"<\/span>