Bbabo NET

Science & Technology News

Zero-Day Vulnerabilities in APC Smart-UPS SmartConnect Management Software Allow Remote UPS Shutdown via the Cloud

According to Bleeping Computer, zero-day vulnerabilities in APC's Smart-UPS SmartConnect management software allow an attacker to remotely shut down uninterruptible power supplies (UPSs) that are connected to APC's cloud service.

Security firm Armis showed in a blog post how the TLStorm attack (based on the vulnerabilities CVE-2022-22805, CVE-2022-22806 and CVE-2022-0715) can be used to take control of uninterruptible power supplies made by APC, a subsidiary of Schneider Electric.

[Image: diagram of how the vulnerabilities are exploited to conduct a TLStorm attack.]

TLStorm affects the APC SmartConnect and Smart-UPS product families. Two of the vulnerabilities, CVE-2022-22805 and CVE-2022-22806, lie in the implementation of the Transport Layer Security (TLS) protocol that Smart-UPS devices with the SmartConnect feature use to connect to Schneider Electric's cloud management service. The third, CVE-2022-0715, is a firmware update flaw that affects nearly all APC Smart-UPS devices: firmware updates are not cryptographically signed, so a device cannot verify that an update actually came from the vendor before installing it. The Smart-UPS firmware is encrypted with a symmetric key, but encryption is not authentication. A symmetric key has to be present on the device itself in order to decrypt updates, so it is not a secret the vendor can keep, and anyone who holds it can decrypt an official image, add malicious code to it (for remote code execution), re-encrypt it and install the result on any UPS reachable over the network.

Armis researchers exploited this flaw to build a malicious version of the APC firmware, which Smart-UPS devices accepted as an official update.
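The firmware flaw described above comes down to confusing encryption with authentication. The Go program below is an added illustration written for this page, not Armis's or APC's code, and it does not model the real Smart-UPS file format. It assumes a toy image format in two variants: a weak one (AES-CTR-encrypted payload plus a CRC32, where a symmetric key that must live on every device is the only protection) and a hardened one (the vendor signs the ciphertext with an Ed25519 key that never leaves the vendor, and the device carries only the public key). Both are run against the same attacker, who holds the symmetric key but not the signing key. The sample firmware bytes, the key, and the names firmware, deviceKey, packWeak, acceptWeak, packSigned, acceptSigned and Demo are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// Constructed demo inputs (not a real APC image, key or file format).
var (
	firmware  = []byte("SMART-UPS-DEMO FW 1.0 remote_shutdown=denied boot()")
	deviceKey = []byte("0123456789abcdef")               // assumed fleet-wide AES-128 key, extractable from any unit
	demoIV    = bytes.Repeat([]byte{0x42}, aes.BlockSize) // fixed so the demo is deterministic
)

// ctrCrypt encrypts or decrypts (AES-CTR is symmetric) into a fresh slice.
func ctrCrypt(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, demoIV).XORKeyStream(out, data)
	return out
}

// patch is the attacker's change: flip the policy flag (same length keeps the demo simple).
func patch(fw []byte) []byte {
	return bytes.ReplaceAll(fw, []byte("remote_shutdown=denied"), []byte("remote_shutdown=allow "))
}

// Weak format, modelling the flaw: ciphertext || CRC32(plaintext). Encrypted, never authenticated.
func packWeak(fw, key []byte) []byte {
	var tag [4]byte
	binary.LittleEndian.PutUint32(tag[:], crc32.ChecksumIEEE(fw))
	return append(ctrCrypt(key, fw), tag[:]...)
}

// acceptWeak is the device side: decrypt, then trust the image if the CRC matches.
// A CRC catches corruption, not a deliberate edit by someone holding the shared key.
func acceptWeak(blob, key []byte) ([]byte, bool) {
	if len(blob) < 4 {
		return nil, false
	}
	fw := ctrCrypt(key, blob[:len(blob)-4])
	return fw, crc32.ChecksumIEEE(fw) == binary.LittleEndian.Uint32(blob[len(blob)-4:])
}

// tamperWeak: decrypt with the shared key, patch, re-pack; the result looks exactly like a vendor image.
func tamperWeak(blob, key []byte) []byte {
	fw, _ := acceptWeak(blob, key)
	return packWeak(patch(fw), key)
}

// Hardened format: ciphertext || Ed25519 signature over the ciphertext.
// The signing key stays with the vendor; the device only carries the public key.
func packSigned(fw, key []byte, priv ed25519.PrivateKey) []byte {
	ct := ctrCrypt(key, fw)
	return append(ct, ed25519.Sign(priv, ct)...)
}

// acceptSigned verifies the signature before decrypting or parsing anything.
func acceptSigned(blob, key []byte, pub ed25519.PublicKey) ([]byte, bool) {
	n := len(blob) - ed25519.SignatureSize
	if n < 0 || !ed25519.Verify(pub, blob[:n], blob[n:]) {
		return nil, false
	}
	return ctrCrypt(key, blob[:n]), true
}

// tamperSigned: the attacker still has the symmetric key but no signing key,
// so the best they can do is re-encrypt the patched image under the old signature.
func tamperSigned(blob, key []byte) []byte {
	n := len(blob) - ed25519.SignatureSize
	return append(ctrCrypt(key, patch(ctrCrypt(key, blob[:n]))), blob[n:]...)
}

// Demo runs the same attacker against both formats and reports what the device accepted.
func Demo() (weakTamperAccepted, signedGenuineAccepted, signedTamperAccepted bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fw, ok := acceptWeak(tamperWeak(packWeak(firmware, deviceKey), deviceKey), deviceKey)
	weakTamperAccepted = ok && bytes.Contains(fw, []byte("remote_shutdown=allow"))
	signed := packSigned(firmware, deviceKey, priv)
	_, signedGenuineAccepted = acceptSigned(signed, deviceKey, pub)
	_, signedTamperAccepted = acceptSigned(tamperSigned(signed, deviceKey), deviceKey, pub)
	return
}

func main() {
	w, g, t := Demo()
	fmt.Println("unsigned format accepts tampered image:", w) // true
	fmt.Println("signed format accepts genuine image:   ", g) // true
	fmt.Println("signed format accepts tampered image:  ", t) // false
}
```

Run it with go run: the unsigned format accepts the patched image because a CRC and a fleet-wide key give the device nothing that only the vendor could have produced, while the signed format rejects it. The order in acceptSigned matters in practice: verify the signature over the ciphertext first and only then decrypt and parse, so that untrusted bytes never reach the firmware parser.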

A Smart-UPS can be infected with such firmware in several ways:

newer Smart-UPS devices with SmartConnect can be updated from the cloud management console over the Internet;

older Smart-UPS devices that use a Network Management Card (NMC) can be updated over the local network;

most Smart-UPS devices can also be updated from a USB flash drive.

According to the researchers, vulnerable APC UPSs are deployed in roughly 8 out of 10 companies and in many cases protect medical facilities, industrial control system (ICS) networks and server rooms, so an attack on them can have serious consequences.

[Image: demonstration of a TLStorm attack used to shut down a UPS remotely and to disable it by changing its power settings, with irreversible consequences.]

Armis also gave recommendations for avoiding a TLStorm attack: update firmware only with original, verified files from the Schneider Electric website; change the factory default passwords used to manage the UPS; and use access control lists so that UPS network cards can communicate only with trusted SmartConnect and Schneider Electric Cloud management devices, and only over an encrypted channel rather than an open connection.
