APC Warns of Critical Unauthenticated RCE Flaws in UPS Software

Summary:
“APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disabling its functionality altogether. Uninterruptible Power Supply (UPS) devices are vital in safeguarding data centers, server farms, and smaller network infrastructures by ensuring seamless operation amidst power fluctuations or outages. APC (by Schneider Electric) is one of the most popular UPS brands. Its products are widely deployed on both the consumer and corporate markets, including governmental, healthcare, industrial, IT, and retail infrastructure” (Bleeping Computer, 2023).

Earlier this month, the vendor published a security notification to warn about the following three flaws impacting its products:

  • CVE-2023-29411: Missing authentication for critical function allowing an attacker to change admin credentials and execute arbitrary code on the Java RMI interface. (CVSS v3.1 score: 9.8, “critical”)
  • CVE-2023-29412: Improper handling of case sensitivity allowing an attacker to run arbitrary code when manipulating internal methods through the Java RMI interface. (CVSS v3.1 score: 9.8, “critical”)
  • CVE-2023-29413: Missing authentication for critical function that could lead to an unauthenticated attacker imposing a denial-of-service (DoS) condition. (CVSS v3.1 score: 7.5, “high”)

Analyst comments:
Denial-of-service flaws are especially dangerous for UPS devices located in data centers. Outages can have severe ramifications, and a DoS condition can also be used to block remote management of the devices.

The above flaws impact:

  • APC Easy UPS Online Monitoring Software v2.5-GA-01-22320 and earlier
  • Schneider Electric Easy UPS Online Monitoring Software v2.5-GA-01-22320 and earlier
  • Affected platforms include all Windows versions, including 10 and 11, as well as Windows Server 2016, 2019, and 2022.

Mitigation:
The recommended action for users of the impacted software is to upgrade to V2.5-GS-01-23036 or later, which is available for download.
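
As an added illustration, not taken from the advisory or from the vendor's tooling, the following Python helper parses the version strings quoted in the notification and sorts an asset inventory into hosts that still need the upgrade, hosts already on the fixed build, and entries that need manual review. The hostnames, the `hostname,version` inventory format, and the assumption that the trailing build number orders releases are mine.

```python
import re
from typing import Dict, List, Tuple

# Version bounds quoted in the vendor notification summarised above.
AFFECTED_MAX = "v2.5-GA-01-22320"  # this build and earlier are affected
FIXED_MIN = "V2.5-GS-01-23036"     # recommended upgrade target
# Shape of the two versions above: v<major>.<minor>-<tag>-<field>-<build>.
# ASSUMPTION: the trailing build number increases across releases, so
# (major, minor, build) is a usable ordering key; anything that does not
# match this shape is flagged for manual review rather than guessed at.
_VERSION_RE = re.compile(r"^[vV](\d+)\.(\d+)-([A-Za-z]+)-(\d+)-(\d+)$")


def version_key(version: str) -> Tuple[int, int, int]:
    """Parse an Easy UPS Online Monitoring Software version into a sortable key."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version format: {version!r}")
    major, minor, _tag, _field, build = m.groups()
    return int(major), int(minor), int(build)


def classify(version: str) -> str:
    """'vulnerable', 'fixed', or 'review' (unparseable or between the bounds)."""
    try:
        key = version_key(version)
    except ValueError:
        return "review"
    if key <= version_key(AFFECTED_MAX):
        return "vulnerable"
    if key >= version_key(FIXED_MIN):
        return "fixed"
    return "review"


def triage(inventory: List[str]) -> Dict[str, List[str]]:
    """Group 'hostname,version' inventory lines by patch status."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "review": []}
    for line in inventory:
        host, _, version = line.partition(",")
        report[classify(version)].append(host.strip())
    return report


# Constructed sample inventory; hostnames are illustrative only.
SAMPLE_INVENTORY = [
    "ups-mon-01,v2.5-GA-01-22320",  # exactly the last affected build
    "ups-mon-02,v2.4-GA-01-21900",  # older build, also affected
    "ups-mon-03,V2.5-GS-01-23036",  # patched
    "ups-mon-04,2.5 (unknown)",     # malformed entry from a manual export
]
```

Entries classified as "review" should be checked by hand rather than treated as safe, since a malformed version string most often means the export itself is unreliable.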

Currently, the only mitigation for customers with direct access to their Easy UPS units is to upgrade to the PowerChute Serial Shutdown (PCSS) software suite on all servers protected by their Easy UPS OnLine (SRV, SRVL models), which provides serial shutdown and monitoring.

General security recommendations provided by the vendor include placing mission-critical internet-connected devices behind firewalls, utilizing VPNs for remote access, implementing strict physical access controls, and avoiding leaving devices in “Program” mode.

Source:
https://www.bleepingcomputer.com/ne...al-unauthenticated-rce-flaws-in-ups-software/