Cross Site Scripting & Forgery Issue (XSS/CSRF) in NMC-Based Products
Mr. Russ McRee of HolisticInfoSec.org notified APC of a low risk security vulnerability that affects APC Network Management Card (NMC) based devices. Following is a description of this issue and actions underway by APC to mitigate and correct the issue. This report is a result of an engineered effort by a security analyst to determine vulnerabilities with APC products and a single field report of the same.
Issue as reported:
As reported, the NMC is vulnerable to Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks. As such,authentication credentials for the NMC device can be created and transmitted to a NMC device by an unauthorized 3rd party, or a malicious internal user, in the context of an authenticated user's browser session,:
(1) Is allowed to execute a malicious script onto a computer by deceiving (social engineering) an operator of such a computer;
(2) Which is not located on a private network, or network secured in any way (e.g. behind a firewall);
(3) By an authorized user of that computer to operate programs on it such as Internet Explorer, or Firefox;
(4) Who has the proper credentials for installing and executing such programs on the computer itself;
(5) Who has proper credentials to access the NMC device as an "administrator" or "device" user;
(6) Who then executes and injects, or, executes or injects such a malicious script;
(7) While a session of the NMC is open and active.
If all of these steps are followed, and the target NMC is on an open network (i.e. not secured on a private network, or behind any type of firewall), a 3rd party user or malicious internal user will then have the ability to contact the target NMC device, forge credentials to the device and access the device as an authorized user.
During the investigation of the reported matter, the reported and actual issue was found to be identical. While the reported issue was specific to the Rack Mount Power Distribution device, this issue exists across the family of NMC based products.
Although very narrow in scope, the following mitigation strategies can be employed to reduce or eliminate the potential for this issue to manifest.
• As XSS vulnerabilities base themselves in web applications, disabling the web interface on the NMC will eliminate the possibility of such vulnerability from occurring. Other interface methods such as Telnet, CLI, SNMP, and serial connections are unaffected by this issue. Note the web interface can be disabled via the config.ini or via any other interface on the NMC itself.
• Placement of NMC devices on a private or secure network (e.g. behind a firewall) will eliminate the vulnerability of the NMC devices as the unauthorized 3rd party user will not have access through a firewall to reach the target NMC device.
• For those who choose to accept the risk of not disabling the web interface, as this vulnerability requires access to the network the devices are connected to, good physical and network security to restrict access to the network itself will significantly limit any opportunity to attempt this narrow vulnerability. Additionally, use of industry standard security practices such as administrator access to computers and operations of security scanners, firewalls and other accepted, commercially available solutions for computer security will further mitigate the issue.
As APC is concerned about any potential vulnerability no matter how narrow, we are undertaking the following steps to contain and correct this issue.
• APC has made a complete report of this finding to Mr. McRee who was responsible for finding the vulnerability.
• An update (AOS v3.7.3, AOS 5.1.1 or higher) is available for each relevant product and application, available to the general public via our web site (www.apc.com).