Black Arrow Cyber Alert 25 April 2023 - ACTION REQUIRED: APC Warns of Critical Flaws in UPS Monitoring Software
Executive summary
Several critical vulnerabilities in APC’s Easy UPS (Uninterruptible Power Supply) Online Monitoring Software allow an unauthenticated attacker to execute remote code and change administrator credentials. A UPS is an electrical apparatus that provides power when the input power source or mains power fails; UPS units are used to improve redundancy. Earlier this month, Schneider Electric, which owns APC, released a security notification that has recently been updated again.
Technical Summary
The vulnerabilities are:
CVE-2023-29411 - A critical vulnerability, which if exploited, allows an attacker to change administrator credentials.
CVE-2023-29412 - A critical vulnerability, which if exploited, could allow remote code execution.
CVE-2023-29413 - A vulnerability which could cause a Denial-of-Service on the Schneider UPS Monitor Service.
What’s the risk to me or my business?
The vulnerabilities, if exploited, allow an attacker to change administrator credentials, execute remote code and cause a denial of service – all of which impact the confidentiality, integrity and availability of data, and could compromise the devices’ ability to provide redundant power, or allow the attacker to switch off the device entirely.
The affected products and versions are:
APC Easy UPS Online Monitoring Software, versions V2.5-GA-01-22320 and earlier (Windows 10, 11, Windows Server 2016, 2019, 2022).
Schneider Electric Easy UPS Online Monitoring Software, versions V2.5-GS-01-22320 and earlier (Windows 10, 11, Windows Server 2016, 2019, 2022).
What can I do?
It is recommended that patches are applied immediately for the impacted products. Patches are available in version V2.5-GA-01-23036 for APC Easy UPS Online Monitoring Software and in V2.5-GS-01-23036 for Schneider Electric Easy UPS Online Monitoring Software where the products are running on Windows 10. The vendor also recommends that users transition to PowerChute Serial Shutdown (PCSS) for the purposes of serial shutdown and monitoring.
Users of APC Easy UPS Online Monitoring Software on Windows 11 and Windows Server 2016, 2019 or 2022 have been given the following mitigation, as a remediating patch is not currently available and is being worked on: “Customers with direct access to their Easy UPS units should upgrade to PowerChute Serial Shutdown (PCSS) software on all servers protected by your Easy UPS On-Line (SRV, SRVL models). PCSS provides serial shutdown and monitoring”. Please note, mitigations are not long-term fixes; patches should be applied as soon as they become available. This advisory will be updated when Schneider Electric has released a patch for the remaining affected operating systems.
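The following PowerShell is an added example for checking Windows hosts against the versions listed above; it is not code from Schneider Electric, APC or this alert. It assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName containing "Easy UPS" and a DisplayVersion in the same "V2.5-GA-01-22320" shape the advisory uses; neither the DisplayName text nor the DisplayVersion format is stated in the notice, so adjust the pattern to what your own inventory shows.

```powershell
# Added example, not code from Schneider Electric or this alert: list Easy UPS Online
# Monitoring Software installs and compare them with the fixed builds in the notice.
# Assumed: DisplayName contains "Easy UPS" and DisplayVersion looks like "V2.5-GA-01-22320".

# Fixed builds from the advisory, keyed by the GA (APC) / GS (Schneider Electric) token.
$FixedVersions = @{ 'GA' = 'V2.5-GA-01-23036'; 'GS' = 'V2.5-GS-01-23036' }

function ConvertTo-EasyUpsVersionKey {
    # Splits "V2.5-GA-01-22320" into its brand token and a comparable integer array.
    param([Parameter(Mandatory)][string]$Version)
    if ($Version -notmatch '^V(\d+)\.(\d+)-(GA|GS)-(\d+)-(\d+)$') {
        throw "Unrecognised Easy UPS version string: $Version"
    }
    [pscustomobject]@{
        Brand = $Matches[3]
        Key   = @([int]$Matches[1], [int]$Matches[2], [int]$Matches[4], [int]$Matches[5])
    }
}

function Test-EasyUpsVersionAffected {
    # $true when the installed build is older than the fixed build for its brand.
    param([Parameter(Mandatory)][string]$Installed)
    $inst = ConvertTo-EasyUpsVersionKey $Installed
    $fix  = ConvertTo-EasyUpsVersionKey $FixedVersions[$inst.Brand]
    for ($i = 0; $i -lt $inst.Key.Count; $i++) {
        if ($inst.Key[$i] -lt $fix.Key[$i]) { return $true }
        if ($inst.Key[$i] -gt $fix.Key[$i]) { return $false }
    }
    return $false   # identical to the fixed build
}

# Per the notice, a patch exists for Windows 10; the other listed OSs only have the PCSS mitigation.
$osCaption = (Get-CimInstance Win32_OperatingSystem).Caption
$remedy = if ($osCaption -match 'Windows 10') { 'apply the 23036 build' } else { 'no patch yet, move to PCSS' }

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Easy UPS*' } |
    ForEach-Object {
        $status = try {
            if (Test-EasyUpsVersionAffected $_.DisplayVersion) { "AFFECTED: $remedy" } else { 'fixed build' }
        } catch { "unknown version format ($($_.Exception.Message))" }
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Product = $_.DisplayName
                           Version = $_.DisplayVersion; OS = $osCaption; Status = $status }
    } | Format-Table -AutoSize
```

Run it per host (or wrap it in Invoke-Command for a fleet) and treat any row marked AFFECTED on a non-Windows 10 system as a host that needs the PCSS mitigation until the vendor ships the remaining patches.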
Further information on the vulnerabilities, patches and affected software versions can be found here: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-101-04&p_enDocType=Security%20and%20Safety%20Notice&p_File_Name=SEVD-2023-101-04.pdf
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity