Californian security firm Armis has discovered three zero-day vulnerabilities in uninterruptible power supply devices that can allow attackers to gain remote access.

If exploited, these vulnerabilities, collectively known as TLStorm, allow threat actors to disable, disrupt and destroy APC Smart-UPS devices and attached assets.

Uninterruptible power supply (UPS) devices provide emergency backup power for mission-critical assets in data centres, industrial facilities, hospitals and more. APC is a subsidiary of Schneider Electric and is a vendor of UPS devices, with more than 20 million devices sold worldwide.

“Until recently, assets, such as UPS devices, were not perceived as security liabilities,” said Barak Hadad, head of research at Armis. “However, it has become clear that security mechanisms in remotely managed devices have not been properly implemented, meaning that malicious actors will be able to use those vulnerable assets as an attack vector. It is vital that security professionals have complete visibility of all assets, along with the ability to monitor their behaviour, to identify exploitation attempts of vulnerabilities such as TLStorm.”

Armis researches and analyses various assets to help security experts protect their organisations from threats. For this research, Armis investigated APC Smart-UPS devices and their remote management and monitoring services due to the widespread use of APC UPS devices. The latest models use a cloud connection for remote management. Armis researchers found an attacker exploiting the TLStorm vulnerabilities could remotely take over devices via the internet without any user interaction or signs of attack.

The discovered vulnerabilities include two critical vulnerabilities in the TLS implementation used by cloud-connected Smart-UPS devices and a third high-severity vulnerability, a design flaw, in which firmware upgrades of most Smart-UPS devices are not correctly signed or validated.

Two of the vulnerabilities involve the TLS connection between the UPS and the Schneider Electric cloud. Devices that support the SmartConnect feature automatically establish a TLS connection upon start up or whenever cloud connections are temporarily lost. Attackers can trigger the vulnerabilities via unauthenticated network packets without any user interaction.

The third vulnerability is a design flaw in which the firmware updates on affected devices are not cryptographically signed in a secure manner. As a result, an attacker could craft malicious firmware and install it using various paths, including the internet, LAN or a USB thumb drive. This modified firmware could allow attackers to establish long-lasting persistence on such UPS devices that can be used as a stronghold within the network to launch additional attacks.

Abusing flaws in firmware upgrade mechanisms is becoming a standard practice of APTs, as has been recently detailed in the analysis of the Cyclops Blink malware, and improper signing of firmware is a recurring flaw in various embedded systems.

“TLStorm vulnerabilities occur in cyber-physical systems that bridge our digital and physical worlds, giving cyber attacks the possibility of real-world consequences,” said Yevgeny Dibrov, CEO of Armis. “The Armis platform addresses this hyper-connected reality, where one compromised identity and device can open the door to cyber attacks, and the security of every asset has become foundational to protect business continuity and brand reputation.”

Schneider Electric worked in collaboration with Armis on this matter, and users were notified and issued patches to address the vulnerabilities. To the best of both companies’ knowledge, there is no indication the TLStorm vulnerabilities have been exploited.

Organisations deploying APC Smart-UPS devices should patch impacted devices immediately.

Armis is a privately held company headquartered in Palo Alto, California.