APC UPS zero-day bugs can remotely burn out devices, disable power:
A set of three critical zero-day vulnerabilities now tracked as TLStorm could let hackers take control of uninterruptible power supply (UPS) devices from APC, a subsidiary of Schneider Electric.
[...] Two of the vulnerabilities, CVE-2022-22805 and CVE-2022-22806, are in the implementation of the TLS (Transport Layer Security) protocol that connects the Smart-UPS devices with the "SmartConnect" feature to the Schneider Electric management cloud.
The third one, identified as CVE-2022-0715, relates to the firmware of "almost all APC Smart-UPS devices," which is not cryptographically signed and its authenticity cannot be verified when installed on the system.
While the firmware is encrypted (symmetric), it lacks a cryptographic signature, allowing threat actors to create a malicious version of it and deliver it as an update to target UPS devices to achieve remote code execution (RCE).
Armis researchers were able to exploit the flaw and build a malicious APC firmware version that was accepted by Smart-UPS devices as an official update, a process that is performed differently depending on the target [...]
[...] The researchers' report explains the technical aspects for all three TLStorm vulnerabilities and provides a set of recommendations to secure UPS devices:
- Install the patches available on the Schneider Electric website
- If you are using the NMC, change the default NMC password ("apc") and install a publicly-signed SSL certificate so that an attacker on your network will not be able to intercept the new password. To further limit the attack surface of your NMC, refer to the Schneider Electric Security Handbook for NMC 2 and NMC 3.
- Deploy access control lists (ACLs) in which the UPS devices are only allowed to communicate with a small set of management devices and the Schneider Electric Cloud via encrypted communications.
Armis has also published a technical white paper with all the details of the research.
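The third flaw above comes down to firmware that is encrypted but not signed: encryption alone does not tell the device who produced the image. The following is an added example, not code from APC, Schneider Electric, Armis, or the article, showing the check a device should run before accepting an update: a signature (Ed25519 from the Go standard library) over the version field and the payload, verified against a public key pinned on the device, plus a rollback check. The container layout, the magic value `FWEX`, and the function names are constructed for this example only.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout of the hypothetical firmware container used here (constructed for
// this example, not any vendor's real format):
//
//	magic(4) | version(4, big-endian) | signature(64) | payload(...)
//
// The signature covers version || payload, so neither the payload nor the
// version field can be altered without invalidating it.
var fwMagic = []byte("FWEX")

const fwHeaderLen = 4 + 4 + ed25519.SignatureSize

var (
	ErrBadMagic     = errors.New("firmware: bad magic")
	ErrTruncated    = errors.New("firmware: image truncated")
	ErrBadSignature = errors.New("firmware: signature verification failed")
	ErrRollback     = errors.New("firmware: version older than installed")
)

// NewSigningKey generates an Ed25519 key pair. The private half belongs in
// the vendor's build pipeline; only the public half is provisioned on devices.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignFirmware wraps payload in the container and signs version || payload.
func SignFirmware(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var ver [4]byte
	binary.BigEndian.PutUint32(ver[:], version)
	signed := append(append([]byte{}, ver[:]...), payload...)
	sig := ed25519.Sign(priv, signed)

	var out bytes.Buffer
	out.Write(fwMagic)
	out.Write(ver[:])
	out.Write(sig)
	out.Write(payload)
	return out.Bytes()
}

// VerifyFirmware is the device-side check: parse the header, verify the
// signature with the pinned public key, and only then refuse images older
// than the installed version. The signature is checked first so that an
// unsigned image never reaches any other parsing or policy logic.
func VerifyFirmware(pub ed25519.PublicKey, image []byte, installed uint32) (uint32, []byte, error) {
	if len(image) < fwHeaderLen {
		return 0, nil, ErrTruncated
	}
	if !bytes.Equal(image[:4], fwMagic) {
		return 0, nil, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(image[4:8])
	sig := image[8:fwHeaderLen]
	payload := image[fwHeaderLen:]

	signed := append(append([]byte{}, image[4:8]...), payload...)
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSignature
	}
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, payload, nil
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a real firmware blob.
	img := SignFirmware(priv, 7, []byte("constructed firmware payload"))

	v, _, err := VerifyFirmware(pub, img, 3)
	fmt.Println("genuine image:", v, err)

	// Flip one payload byte: same encryption-free demonstration of why a
	// signature, not secrecy, is what stops a modified image from installing.
	tampered := append([]byte{}, img...)
	tampered[len(tampered)-1] ^= 0x01
	_, _, err = VerifyFirmware(pub, tampered, 3)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyFirmware(pub, img, 9)
	fmt.Println("rollback attempt:", err)
}
```

The design point is that the public key is the only secret-free item the device needs; a leaked encryption key does not help an attacker forge an image, whereas with encryption alone it would. The rollback check is ordered after the signature check on purpose so that version handling is only ever applied to authenticated input.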
(Score: 4, Insightful) by Rosco P. Coltrane on Wednesday March 16 2022, @12:33AM (5 children)
UPSes don't need to be in the cloud. They need to send a text to your cellphone, or an email to a mail server. Or, if you want remote management, they need to have their own web server that stays behind the DMZ, and you as an administrator need to manage your VPN properly if you want to access it from the outside.
Don't connect your UPS to the cloud.
Don't connect stuff that doesn't need to be on the cloud to the cloud.
That is all.
(Score: 1, Informative) by Anonymous Coward on Wednesday March 16 2022, @01:19AM
Yup. Also, don't connect anything to your internal network that will connect to the outside world and can't be properly audited. Invitation for an attacker to use a poorly maintained IoT gadget as a beach head behind your firewall.
And once again, "The Cloud" is just somebody else's computers, people you have no reason to trust, either that they aren't themselves a hostile actor, or that they can properly defend their own network. Even if these UPS boxes were themselves, initially, "secure" you have no assurance that the cloud won't get 03ned and used to load infected firmware in the devices you have stupidly placed all over the inside of your network. Be realistic, are you really going to build an entirely isolated VLAN for all the UPS boxes and other cruft like "smart" lights, Alexa, etc? You might want to but eventually management will balk at the expense and labor.
(Score: 0) by Anonymous Coward on Wednesday March 16 2022, @04:16AM (2 children)
Of course it needs to be on the cloud! How else would the vendor lock-in work? /s
Your vision for UPSes is a bit fancy. Most UPSes on the market implement SNMP or another network protocol already. Personally, I don't want my UPS to run any sort of complex server, especially an HTTPS server that is almost guaranteed to be full of holes. If you want remote management, don't expose your UPS. You'd be better off to expose an interface on your trap/manager that shows the recorded events.
(Score: 2) by DannyB on Wednesday March 16 2022, @04:04PM (1 child)
The server in a UPS should be so simple that it is obvious by inspection that it isn't full of holes and bugs.
I therefore nominate: Telnet
Young people won't believe you if you say you used to get Netflix by US Postal Mail.
(Score: 0) by Anonymous Coward on Friday March 18 2022, @12:55AM
Interactive free-form command parsing? No thanks, too complicated.
(Score: 2) by maxwell demon on Wednesday March 16 2022, @05:54PM
But if you don't connect your UPS to the cloud, how do you get all the great features from cloud-cuckoo-land?
The Tao of math: The numbers you can count are not the real numbers.