Time To Give That SmartUPS A Lobotomy
Congratulations on making it to Thursday, your reward is apparently three critical vulnerabilities which make 10 Smart-UPS models a possible infiltration point into your network. Two of the three vulnerabilities involve how the UPS handles TLS, with both a buffer overflow and an authentication bypass revealed; the former allows the execution of code and the latter sets you up for the third vulnerability.
The third one allows an authenticated user to remotely install any firmware they feel like, as the APC UPS doesn’t check to see if the file is signed, or even compatible. All three vulnerabilities can be exploited over your network, no physical access required. Schneider Electric lists the affected models and how to track down patches here (warning: this link downloads a zip file containing two PDFs). Patching seems to be the best way forward, as there does not seem to be a way to stop SmartConnect from automatically establishing a TLS connection to Schneider’s cloud when it first starts up or if the cloud connection is temporarily lost.
The vulnerabilities, dubbed TLStorm, were found in Schneider Electric's APC Smart-UPS products by security firm Armis, which made the info public on Tuesday.