Problem Summary:
Who should read this? Customers with products that have APC's hardware-based network management cards installed that have not upgraded the firmware on their APC equipment in more than 3 years (as of May 2007). APC products that use these cards to attach to the network via a direct Ethernet or token ring connection, or via a console port server, may be affected (see ""How to Determine if Your Model Is Affected"" for more detail). APC's hardware-based network management cards could be compromised by non-privileged users via Telnet or the local serial port using a static factory password. This vulnerability was reported by a customer. APC is not aware of any malicious use of the vulnerability prior to this disclosure.
Impact:
The exploitation of this issue can result in unauthorized control of these devices.
Mitigating Factors:
- APC Network Management Cards (models AP9617, AP9618, and AP9619) using AOS v2.0.0 (apc_hw02_aos_200.bin) and later are NOT vulnerable via the network port (Telnet or SSH).
- Many firewalls typically block Telnet (well-known port 23) limiting the scope of the vulnerability to intranets.
- Vulnerability via the local serial port requires physical access unless it is connected to a console port server or similar device.
- Web and SNMP interfaces are not affected.
Recommendations:
Apply the latest firmware revision from APC's web site:
If for some reason the new firmware cannot be applied then:
A. Disable Telnet protocol until the latest firmware can be applied (see appendix A for instructions). If this is not possible then disconnect the product from the network until an upgrade can be applied.
B. If a console port server is connected to a vulnerable product's local serial port then ensure that the console port server forces user authentication prior to allowing login to the product. If this is not possible then disconnect the product from the console port server until a firmware upgrade can be applied.
How To Determine If Your Model Is Affected:
- Examine the products listed below. If your UPS or other device has an AP9606, AP9617, AP9618, or AP9619 card installed then APC recommends you upgrade the card's firmware. Note that in some instances a firmware upgrade requires updating two files, the AOS card operating system and the application file for the device the card is installed in.
- If you are not sure whether your UPS or device has one of these cards installed, examine the unit's faceplate for the following:
- AP9606 Web/SNMP Management Card
- AP9617 Network Management Card EX
- AP9618 Network Management Card EM/MDM
- AP9619 Network Management Card EM
- This advisory does not apply to any products based on Network Management Card-based AOS revision apc_hw02_aos_212a.bin and later.
Find your product in the tables below and determine if you have an affected revision. If your product is affected then download and apply an updated firmware revision.
You may upgrade to a newer application revision that has been fixed or stay at the same application revision for those that are listed. Only devices with network support are affected.
Updated firmware can be downloaded directly from APC's web site at: <a href=""http://www.apcc.com/tools/download/?CFID=15668590&CFTOKEN=29075461
If for some reason an updated firmware cannot be applied then:
A. Disable Telnet protocol until a patch can be applied (see appendix A for instructions). If this is not possible then disconnect the product from the network until an upgrade can be applied.
B. If a console port server is connected to a vulnerable product's local serial port then ensure that the console port server forces user authentication prior to allowing login to the product. If this is not possible then disconnect the product from the console port server until a firmware upgrade can be applied.
NMC-enabled | Affected | Fixed In | ||
Product Description | AOS Rev | APP Rev | AOS Rev | APP Rev |
Smart-UPS | aos 105 | sumx 105 | aos 107b | sumx 105 |
115 | 115 | 118c | 115 | |
125 | 120 | 126b | 120 | |
125 | 125 | 126b | 125 | |
211 | 210 | 212a | 210 | |
Symmetra, Symmetra RM | aos 105 | sy 105 | aos 107b | sy 105 |
115 | 116 | 118c | 116 | |
120 | 120 | 126b | 120 | |
211 | 210 | 212a | 210 | |
Symmetra PX | aos 105 | sy3p 105 | aos 107b | sy3p 105 |
115 | 115 | 118c | 115 | |
211 | 210 | 212a | 210 | |
Silcon | aos 105 | dp3e 105 | aos 107b | dp3e 105 |
115 | 116 | 118c | 116 | |
Automatic Transfer Switch | aos 105 | ats 106 | aos 107b | ats 106 |
DC Systems Products (MX28B) | aos 106 | mx28 110 | aos 107b | mx28 110 |
Switched Rack PDU | aos 116 | rpdu 102 | aos 118c | rpdu 102 |
MasterSwitch Plus | aos 116 | msp 100 | aos 118c | msp 100 |
Note: The AOS and APP firmware revisions listed in this table are shorthand for the full filename found from the download page. The full filenames will be apc_hw02_AOS_REV.bin and apc_hw02_APP_REV.bin.
Zipped versions of both AOS and APP revsions are available for all combinations. The full filenames for the zipped versions will be apc_hw02_AOSREV_APPREV.exe.
If your firmware revision is not listed, please upgrade to the latest fixed revision.
AP9606-enabled | Affected | Fixed In | ||
Product Description | AOS Rev | APP Rev | AOS Rev | APP Rev |
Smart-UPS | all earlier revs | aos 326b | sumx 326a | |
Symmetra | all earlier revs | aos 326b | sy 326a | |
Silcon | all earlier revs | aos 326b | dp3e 326a | |
DC Systems Products (MX28B) | all earlier revs | aos 306b | dm3k 105a | |
Environmental Monitoring Unit | all earlier revs | aos 326b | em 205a | |
MasterSwitch (all) | all earlier revs | aos 309a | ms 225a | |
MasterSwitch Plus | all earlier revs | aos 258b | msp 205a | |
MasterSwitch VM | all earlier revs | aos 258b | msvm 115a |
Note: The AOS and APP firmware revisions listed in this table are shorthand for the full filename found from the download page. The full filenames will be AOSREV.bin and APPREV.bin.
If your firmware revision is not listed, please upgrade to the latest fixed revision.
Firmware upgrades are not and will not be provided for these products:
- SmartSlot SNMP Management Adapter (AP9605)
- External SNMP Management Adapter(AP9205)
- Token Ring Management Card (AP9603)
All other APC product families are unaffected.
Pictures of the Management Card Faceplates:
If you are not sure whether your UPS or device has one of these cards installed, examine the unit and look for the following faceplates and model numbers [Model number is circled]:
Exploitation and Public Announcements:
APC is not aware of any malicious use of the vulnerability described in this advisory. The vulnerability described in this advisory was originally found by Dave Tarbatt.
Status of this notice: INTERIM
THIS IS AN INTERIM ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.
IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.
Distribution:
This advisory will be posted on APC's worldwide website at:
http://www.apc.com/go/direct/index.cfm?tag=sa2988
Future updates of this advisory, if any, will be place on APC's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revisions:
Revision 1.0
2003-February-18
Initial Public Release
References:
http://www.oit.duke.edu/security/encryption/
Copyright:
This notice is Copyright 2004 by APC. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.