Who should read this? Customers with products that have APC's hardware-based network management cards installed that have not upgraded the firmware on their APC equipment in more than 3 years (as of May 2007). APC products that use these cards to attach to the network via a direct Ethernet or token ring connection, or via a console port server, may be affected (see ""How to Determine if Your Model Is Affected"" for more detail). APC's hardware-based network management cards could be compromised by non-privileged users via Telnet or the local serial port using a static factory password. This vulnerability was reported by a customer. APC is not aware of any malicious use of the vulnerability prior to this disclosure.
Impact:
The exploitation of this issue can result in unauthorized control of these devices.
Mitigating Factors:
APC Network Management Cards (models AP9617, AP9618, and AP9619) using AOS v2.0.0 (apc_hw02_aos_200.bin) and later are NOT vulnerable via the network port (Telnet or SSH).
Many firewalls typically block Telnet (well-known port 23) limiting the scope of the vulnerability to intranets.
Vulnerability via the local serial port requires physical access unless it is connected to a console port server or similar device.
Web and SNMP interfaces are not affected.
Recommendations:
Apply the latest firmware revision from APC's web site:
If for some reason the new firmware cannot be applied then:
A. Disable Telnet protocol until the latest firmware can be applied (see appendix A for instructions). If this is not possible then disconnect the product from the network until an upgrade can be applied.
B. If a console port server is connected to a vulnerable product's local serial port then ensure that the console port server forces user authentication prior to allowing login to the product. If this is not possible then disconnect the product from the console port server until a firmware upgrade can be applied.
How To Determine If Your Model Is Affected:
Examine the products listed below. If your UPS or other device has an AP9606, AP9617, AP9618, or AP9619 card installed then APC recommends you upgrade the card's firmware. Note that in some instances a firmware upgrade requires updating two files, the AOS card operating system and the application file for the device the card is installed in.
If you are not sure whether your UPS or device has one of these cards installed, examine the unit's faceplate for the following:
AP9606 Web/SNMP Management Card
AP9617 Network Management Card EX
AP9618 Network Management Card EM/MDM
AP9619 Network Management Card EM
Your device may still contain a network management card, please refer to your user manual for further information.
This advisory does not apply to any products based on Network Management Card-based AOS revision apc_hw02_aos_212a.bin and later.
Recommendations:
Find your product in the tables below and determine if you have an affected revision. If your product is affected then download and apply an updated firmware revision.
You may upgrade to a newer application revision that has been fixed or stay at the same application revision for those that are listed. Only devices with network support are affected.
Updated firmware can be downloaded directly from APC's web site at: <a href=""http://www.apcc.com/tools/download/?CFID=15668590&CFTOKEN=29075461
If for some reason an updated firmware cannot be applied then:
A. Disable Telnet protocol until a patch can be applied (see appendix A for instructions). If this is not possible then disconnect the product from the network until an upgrade can be applied.
B. If a console port server is connected to a vulnerable product's local serial port then ensure that the console port server forces user authentication prior to allowing login to the product. If this is not possible then disconnect the product from the console port server until a firmware upgrade can be applied.
NMC-enabled
Affected
Fixed In
Product Description
AOS Rev
APP Rev
AOS Rev
APP Rev
Smart-UPS
aos 105
sumx 105
aos 107b
sumx 105
115
115
118c
115
125
120
126b
120
125
125
126b
125
211
210
212a
210
Symmetra, Symmetra RM
aos 105
sy 105
aos 107b
sy 105
115
116
118c
116
120
120
126b
120
211
210
212a
210
Symmetra PX
aos 105
sy3p 105
aos 107b
sy3p 105
115
115
118c
115
211
210
212a
210
Silcon
aos 105
dp3e 105
aos 107b
dp3e 105
115
116
118c
116
Automatic Transfer Switch
aos 105
ats 106
aos 107b
ats 106
DC Systems Products (MX28B)
aos 106
mx28 110
aos 107b
mx28 110
Switched Rack PDU
aos 116
rpdu 102
aos 118c
rpdu 102
MasterSwitch Plus
aos 116
msp 100
aos 118c
msp 100
Note: The AOS and APP firmware revisions listed in this table are shorthand for the full filename found from the download page. The full filenames will be apc_hw02_AOS_REV.bin and apc_hw02_APP_REV.bin.
Zipped versions of both AOS and APP revsions are available for all combinations. The full filenames for the zipped versions will be apc_hw02_AOSREV_APPREV.exe.
If your firmware revision is not listed, please upgrade to the latest fixed revision.
AP9606-enabled
Affected
Fixed In
Product Description
AOS Rev
APP Rev
AOS Rev
APP Rev
Smart-UPS
all earlier revs
aos 326b
sumx 326a
Symmetra
all earlier revs
aos 326b
sy 326a
Silcon
all earlier revs
aos 326b
dp3e 326a
DC Systems Products (MX28B)
all earlier revs
aos 306b
dm3k 105a
Environmental Monitoring Unit
all earlier revs
aos 326b
em 205a
MasterSwitch (all)
all earlier revs
aos 309a
ms 225a
MasterSwitch Plus
all earlier revs
aos 258b
msp 205a
MasterSwitch VM
all earlier revs
aos 258b
msvm 115a
Note: The AOS and APP firmware revisions listed in this table are shorthand for the full filename found from the download page. The full filenames will be AOSREV.bin and APPREV.bin.
If your firmware revision is not listed, please upgrade to the latest fixed revision.
Firmware upgrades are not and will not be provided for these products:
SmartSlot SNMP Management Adapter (AP9605)
External SNMP Management Adapter(AP9205)
Token Ring Management Card (AP9603)
APC recommends that you disable any Telnet interface if present or remove the network connection from the card.
All other APC product families are unaffected.
Pictures of the Management Card Faceplates:
If you are not sure whether your UPS or device has one of these cards installed, examine the unit and look for the following faceplates and model numbers [Model number is circled]:
Exploitation and Public Announcements:
APC is not aware of any malicious use of the vulnerability described in this advisory. The vulnerability described in this advisory was originally found by Dave Tarbatt.
Status of this notice: INTERIM
THIS IS AN INTERIM ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.
IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
Distribution:
This advisory will be posted on APC's worldwide website at:
https://www.apc.com/go/direct/index.cfm?tag=sa2988
Future updates of this advisory, if any, will be place on APC's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revisions:
Revision 1.0
2003-February-18
Initial Public Release
Copyright:
This notice is Copyright 2004 by APC. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.
Can't find what you are looking for?
Reach out to our customer care team to receive information on technical support, assistance for complaints and more.