{}

Our Brands

Search FAQs
APC Security Advisory - Static Factory Password Vulnerability

Problem Summary:

Who should read this? Customers with products that have APC's hardware-based network management cards installed that have not upgraded the firmware on their APC equipment in more than 3 years (as of May 2007). APC products that use these cards to attach to the network via a direct Ethernet or token ring connection, or via a console port server, may be affected (see ""How to Determine if Your Model Is Affected"" for more detail). APC's hardware-based network management cards could be compromised by non-privileged users via Telnet or the local serial port using a static factory password. This vulnerability was reported by a customer. APC is not aware of any malicious use of the vulnerability prior to this disclosure.

Impact:
The exploitation of this issue can result in unauthorized control of these devices.

Mitigating Factors:

  • APC Network Management Cards (models AP9617, AP9618, and AP9619) using AOS v2.0.0 (apc_hw02_aos_200.bin) and later are NOT vulnerable via the network port (Telnet or SSH).
  • Many firewalls typically block Telnet (well-known port 23) limiting the scope of the vulnerability to intranets.
  • Vulnerability via the local serial port requires physical access unless it is connected to a console port server or similar device.
  • Web and SNMP interfaces are not affected.

Recommendations:
Apply the latest firmware revision from APC's web site:

If for some reason the new firmware cannot be applied then:

A. Disable Telnet protocol until the latest firmware can be applied (see appendix A for instructions). If this is not possible then disconnect the product from the network until an upgrade can be applied.

B. If a console port server is connected to a vulnerable product's local serial port then ensure that the console port server forces user authentication prior to allowing login to the product. If this is not possible then disconnect the product from the console port server until a firmware upgrade can be applied.

How To Determine If Your Model Is Affected:
  1. Examine the products listed below. If your UPS or other device has an AP9606, AP9617, AP9618, or AP9619 card installed then APC recommends you upgrade the card's firmware. Note that in some instances a firmware upgrade requires updating two files, the AOS card operating system and the application file for the device the card is installed in.
  2. If you are not sure whether your UPS or device has one of these cards installed, examine the unit's faceplate for the following:
    • AP9606 Web/SNMP Management Card
    • AP9617 Network Management Card EX
    • AP9618 Network Management Card EM/MDM
    • AP9619 Network Management Card EM
    Your device may still contain a network management card, please refer to your user manual for further information.
  3. This advisory does not apply to any products based on Network Management Card-based AOS revision apc_hw02_aos_212a.bin and later.
Recommendations:
Find your product in the tables below and determine if you have an affected revision. If your product is affected then download and apply an updated firmware revision.

You may upgrade to a newer application revision that has been fixed or stay at the same application revision for those that are listed. Only devices with network support are affected.

Updated firmware can be downloaded directly from APC's web site at: <a href=""http://www.apcc.com/tools/download/?CFID=15668590&CFTOKEN=29075461

If for some reason an updated firmware cannot be applied then:

A. Disable Telnet protocol until a patch can be applied (see appendix A for instructions). If this is not possible then disconnect the product from the network until an upgrade can be applied.

B. If a console port server is connected to a vulnerable product's local serial port then ensure that the console port server forces user authentication prior to allowing login to the product. If this is not possible then disconnect the product from the console port server until a firmware upgrade can be applied.
NMC-enabledAffectedFixed In
Product DescriptionAOS RevAPP RevAOS RevAPP Rev
Smart-UPSaos 105sumx 105aos 107bsumx 105
115115118c115
125120126b120
125125126b125
211210212a210
Symmetra, Symmetra RMaos 105sy 105aos 107bsy 105
115116118c116
120120126b120
211210212a210
Symmetra PXaos 105sy3p 105aos 107bsy3p 105
115115118c115
211210212a210
Silconaos 105dp3e 105aos 107bdp3e 105
115116118c116
Automatic Transfer Switchaos 105ats 106aos 107bats 106
DC Systems Products (MX28B)aos 106mx28 110aos 107bmx28 110
Switched Rack PDUaos 116rpdu 102aos 118crpdu 102
MasterSwitch Plusaos 116msp 100aos 118cmsp 100

Note: The AOS and APP firmware revisions listed in this table are shorthand for the full filename found from the download page. The full filenames will be apc_hw02_AOS_REV.bin and apc_hw02_APP_REV.bin.

Zipped versions of both AOS and APP revsions are available for all combinations. The full filenames for the zipped versions will be apc_hw02_AOSREV_APPREV.exe.

If your firmware revision is not listed, please upgrade to the latest fixed revision.
AP9606-enabledAffectedFixed In
Product DescriptionAOS RevAPP RevAOS RevAPP Rev
Smart-UPSall earlier revsaos 326bsumx 326a
Symmetraall earlier revsaos 326bsy 326a
Silconall earlier revsaos 326bdp3e 326a
DC Systems Products (MX28B)all earlier revsaos 306bdm3k 105a
Environmental Monitoring Unitall earlier revsaos 326bem 205a
MasterSwitch (all)all earlier revsaos 309ams 225a
MasterSwitch Plusall earlier revsaos 258bmsp 205a
MasterSwitch VMall earlier revsaos 258bmsvm 115a

Note: The AOS and APP firmware revisions listed in this table are shorthand for the full filename found from the download page. The full filenames will be AOSREV.bin and APPREV.bin.

If your firmware revision is not listed, please upgrade to the latest fixed revision.

Firmware upgrades are not and will not be provided for these products:
  • SmartSlot SNMP Management Adapter (AP9605)
  • External SNMP Management Adapter(AP9205)
  • Token Ring Management Card (AP9603)
APC recommends that you disable any Telnet interface if present or remove the network connection from the card.

All other APC product families are unaffected.

Pictures of the Management Card Faceplates:

If you are not sure whether your UPS or device has one of these cards installed, examine the unit and look for the following faceplates and model numbers [Model number is circled]:


Exploitation and Public Announcements:
APC is not aware of any malicious use of the vulnerability described in this advisory. The vulnerability described in this advisory was originally found by Dave Tarbatt.

Status of this notice: INTERIM

THIS IS AN INTERIM ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.

IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.

Distribution:
This advisory will be posted on APC's worldwide website at:
https://www.apc.com/go/direct/index.cfm?tag=sa2988

Future updates of this advisory, if any, will be place on APC's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revisions:
Revision 1.0
2003-February-18
Initial Public Release

References:
http://www.oit.duke.edu/security/encryption/

Copyright:
This notice is Copyright 2004 by APC. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.

APC Belgium

Articles which might be helpful Users group

Discuss this topic with experts

Visit our Community for first-hand insights from experts and peers on this topic and more.