Authentication Failure Issue; UPS Network Management Card (NMC) Based Products
Mr. Todd Bertolozzi, CCNA and Mr. Christopher Walter, CISA, GCIH, notified APC of a high risk security vulnerability that affects APC UPS Network Management Card (NMC) based devices. Following is a description of this issue and actions underway by APC to mitigate and correct the issue. This report is a result of an effort by a security analyst to determine vulnerabilities with APC products.
As reported, the UPS NMC is vulnerable to a web user interface authentication failure attack.
- Network Management Card 1 (NMC1) - AP9617, AP9618, AP9619
Devices with an embedded Network Management Card 1 include (but are not limited to): Metered/Switched Rack PDUs (AP78XX, AP79XX), Rack Automatic Transfer Switches (AP77XX, Environmental Monitoring Units (AP9320, AP9340, Netbotz 200)
- Network Management Card 2 (NMC2) - AP9630/AP9630CH, AP9631/AP9631CH, AP9635/AP9635CH
Devices with an embedded Network Management Card 2 include (but are not limited to): 2G Metered/Switched Rack PDUs (AP86XX, AP88XX, AP89XX), Certain Audio/Video Network Management Enabled products.
- AP9630/31 NMC2 based devices running the following applications:
- Smart-UPS v5.1.0 (SFSUMX510)
- Symmetra v5.1.0 (SFSY510)
- Symmetra 3 Phase v5.1.0 (SFSY3P510)
- AP9617/18/19 NMC1 based devices running the following applications:
- Smart-UPS v3.7.1 (SFSUMX371)
- Symmetra v3.7.1 (SFSY371)
- xPDU v3.7.1 (SFXPDU371)
- Symmetra 3 Phase v3.7.1 (SFSY3371)
- Silcon v3.7.1 (SFDPE3E371)
During the investigation of the reported matter, the reported and actual issue was found to be identical. While the reported issue was specific to the Smart-UPS device, this issue exists across recently released versions of UPS NMC based applications.
APC has released a firmware revision to address this issue, available for immediate download here
If you choose not to utilize the above solution, the following mitigation strategies can be employed to reduce or eliminate the potential for this issue to manifest.
- As this authentication failure bases itself in use of a URL in web applications, disabling the web interface on the UPS NMC will eliminate the possibility of such vulnerability from occurring. Other interface methods such as Telnet, SNMP, and serial connections are unaffected by this issue. Note the web interface can be disabled via the config.ini or via any other interface. See the UPS NMC documentation for detailed instructions.
- Placement of the UPS NMC on a private or secure network (e.g. behind a firewall) will prevent external unauthorized users from a accessing the UPS NMC.
- Changing the default ports used by the UPS NMC for transacting web based information (e.g. port 80 for HTTP, and port 443 for HTTPS) to a non-standard port will mask the issue.
- APC recommends implementing industry standards including administrator access to computers and the operation of security scanners.
As APC is concerned about any potential vulnerability no matter how narrow, we are undertaking the following steps to contain and correct this issue:
APC has removed the effected firmware versions from the appropriate download locations.
APC has made a complete report of this finding to the individual responsible for finding the vulnerability.
APC has implemented a firmware fix for the detailed issue for each relevant application. They are readily available to the general public via our web site (www.apc.com
APC will send out an email notification to those customers who have signed up to receive APC's Software & Firmware release update newsletters.