
APC Security Advisory - Static factory password vulnerability




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APC Security Advisory - Static factory password vulnerability

Who should read this:

Customers with products that have APC's hardware-based network
management cards installed. APC products that use these cards to
attach to the network via a direct ethernet or token ring connection,
or via a console port server, may be affected (see "How to Determine
if Your Model Is Affected" for more detail).


Problem Summary:

APC's hardware-based network management cards could be compromised by
non-privileged users via Telnet or the local serial port using a
static factory password. This vulnerability was reported by a
customer. APC is not aware of any malicious use of the vulnerability
prior to this disclosure.


Impact:

The exploitation of this issue can result in unauthorized control of
these devices.


Mitigating Factors:

- - APC Network Management Cards (models AP9617, AP9618, and AP9619)
using AOS v2.0.0 (apc_hw02_aos_200.bin) and later are NOT
vulnerable via the network port (Telnet or SSH).

- - Many firewalls typically block Telnet (well-known port 23) limiting
the scope of the vulnerability to intranets.

- - Vulnerability via the local serial port requires physical access
unless it is connected to a console port server or similar device.

- - Web and SNMP interfaces are not affected.

How To Determine If Your Model Is Affected:

1. Examine the products listed below. If your UPS or other device
has an AP9606, AP9617, AP9618, or AP9619 card installed then APC
recommends you upgrade the card's firmware. Note that in some
instances a firmware upgrade requires updating two files, the AOS
card operating system and the application file for the device the
card is installed in.

2. If you are not sure whether your UPS or device has one of these
cards installed, examine the unit's faceplate for the following:

    AP9606 Web/SNMP Management Card
    AP9617 Network Management Card EX
    AP9618 Network Management Card EM/MDM
    AP9619 Network Management Card EM

Your device may still contain a network management card; please refer
to your user manual for further information.

3. This advisory does not apply to any products based on Network
Management Card-based AOS revision apc_hw02_aos_212a.bin and later.

Recommendations:

Find your product in the tables below and determine if you have
an affected revision. If your product is affected then download and
apply an update patch.

You may upgrade to a newer application revision that has been
fixed or stay at the same application revision for those that
are listed.  Only devices with network support are affected.

Update patches can be downloaded directly from APC's web site at:
http://www.apc.com/go/direct/index.cfm?tag=sa2988_patch

If for some reason an update patch cannot be applied then:

A. Disable Telnet protocol until a patch can be applied (see appendix
A for instructions). If this is not possible then disconnect the
product from the network until a patch can be applied.

B. If a console port server is connected to a vulnerable product's
local serial port then ensure that the console port server forces
user authentication prior to allowing login to the product. If this
is not possible then disconnect the product from the console port
server until a patch can be applied.

- ---------------------------------------------------------------------
NMC-enabled                     Affected           Fixed In
Product Description             AOS Rev  APP  Rev  AOS Rev  APP  Rev
- ---------------------------------------------------------------------
Smart-UPS                       aos 105  sumx 105  aos 107b sumx 105
                                    115       115      118c      115
                                    125       120      126b      120
                                    125       125      126b      125
                                    211       210      212a      210

Symmetra, Symmetra RM           aos 105  sy   105  aos 107b sy   105
                                    115       116      118c      116
                                    120       120      126b      120
                                    211       210      212a      210

Symmetra PX                     aos 105  sy3p 105  aos 107b sy3p 105
                                    115       115      118c      115
                                    211       210      212a      210

Silcon                          aos 105  dp3e 105  aos 107b dp3e 105
                                    115       116      118c      116

Automatic Transfer Switch       aos 105  ats  106  aos 107b ats  106

DC Systems Products (MX28B)     aos 106  mx28 110  aos 107b mx28 110

Switched Rack PDU               aos 116  rpdu 102  aos 118c rpdu 102

MasterSwitch Plus               aos 116  msp  100  aos 118c msp  100

Note: The AOS and APP firmware revisions listed in this table are
shorthand for the full filename found from the download page. The
full filenames will be apc_hw02_AOS_REV.bin and
apc_hw02_APP_REV.bin.

Zipped versions of both AOS and APP revisions are available for all
combinations.  The full filenames for the zipped versions will be
apc_hw02_AOSREV_APPREV.exe.

If your firmware revision is not listed, please upgrade to the
latest fixed revision.
- ---------------------------------------------------------------------

- ---------------------------------------------------------------------
AP9606-enabled                  Affected           Fixed In
Product Description             AOS Rev  APP  Rev  AOS Rev  APP  Rev
- ---------------------------------------------------------------------
Smart-UPS                       all earlier revs   aos 326b sumx 326a

Symmetra                        all earlier revs   aos 326b sy   326a

Silcon                          all earlier revs   aos 326b dp3e 326a

DC Systems Products (MX28B)     all earlier revs   aos 306b dm3k 105a

Environmental Monitoring Unit   all earlier revs   aos 326b em   205a

MasterSwitch (all)              all earlier revs   aos 309a ms   225a

MasterSwitch Plus               all earlier revs   aos 258b msp  205a

MasterSwitch VM                 all earlier revs   aos 258b msvm 115a

Note: The AOS and APP firmware revisions listed in this table are
shorthand for the full filename found from the download page. The
full filenames will be AOSREV.bin and APPREV.bin.

If your firmware revision is not listed, please upgrade to the
latest fixed revision.
- ---------------------------------------------------------------------

Patches will not be provided for these products:
SmartSlot SNMP Management Adapter (AP9605)
External SNMP Management Adapter (AP9205)
Token Ring Management Card (AP9603)
APC recommends that you disable any Telnet interface if present or
remove the network connection from the card.

All other APC product families are unaffected.


Exploitation and Public Announcements:

APC is not aware of any malicious use of the vulnerability described
in this advisory. The vulnerability described in this advisory was
originally found by Dave Tarbott.


Status of this notice: INTERIM

THIS IS AN INTERIM ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE
ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN
CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING
UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL
CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE
FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR
PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE
DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY,
AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.

IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR
EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NOT LIMITED TO, LOSS
OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE
INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR
TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING
THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.


Distribution:
This advisory will be posted on APC's worldwide website at:
http://www.apc.com/go/direct/index.cfm?tag=sa2988

Future updates of this advisory, if any, will be placed on APC's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revisions:

Revision 1.0
2003-February-18
Initial Public Release


References:

http://www.oit.duke.edu/security/encryption/


Copyright:

This notice is Copyright 2004 by APC. This notice may be
redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
and include all date and version information.


Appendix A - Instructions for disabling Telnet access:

To disable telnet from the HTML interface for all network products:

1. Log in to the Web interface using the administrator account
2. Choose Network in the navigation menu
3. Choose Telnet sub-option in the navigation menu
4. Select Disable Telnet Access, click Apply
5. Click the Logout link in the navigation menu

Telnet is now disabled


To disable telnet from the Telnet interface for all network products:

1. Log in to the Telnet interface using the administrator account
2. Choose Network from the menu
3. Choose Telnet from the menu
4. Choose Access from the menu
5. Choose Disable from the selections
6. Choose Accept Changes from the menu
7. Type <ESC> twice to return to main menu
8. Choose logout from the menu

Telnet is now disabled

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQDP/r4SPqbaFzuaMEQKAdgCeNooY5bqVeeXmibg4baPw9aoht4wAoLcP
Ch31+yCqjiuI8KCxehInzR4Y
=Jf0E
-----END PGP SIGNATURE-----
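
An added example, not part of APC's advisory or APC code: an inventory check that applies the NMC-enabled table and the apc_hw02_AOS_REV.bin / apc_hw02_APP_REV.bin naming note above to the firmware filenames recorded for each card. The function names, status labels and hostnames are this example's own assumptions; the AP9606 table is not covered.

```python
import re
# Rows transcribed from the advisory's NMC-enabled table, keyed by APP prefix:
# "affected AOS/affected APP>fixed AOS" (the APP revision is the same after the fix).
NMC_ROWS = {
    "sumx": ["105/105>107b", "115/115>118c", "125/120>126b", "125/125>126b", "211/210>212a"],
    "sy":   ["105/105>107b", "115/116>118c", "120/120>126b", "211/210>212a"],
    "sy3p": ["105/105>107b", "115/115>118c", "211/210>212a"],
    "dp3e": ["105/105>107b", "115/116>118c"],
    "ats":  ["105/106>107b"],
    "mx28": ["106/110>107b"],
    "rpdu": ["116/102>118c"],
    "msp":  ["116/100>118c"],
}
NAME = re.compile(r"^apc_hw02_([a-z0-9]+)_(\d+)([a-z]?)\.bin$")

def parse(filename):
    """Split apc_hw02_<name>_<rev>.bin into (name, digits, letter suffix)."""
    m = NAME.match(filename.strip().lower())
    if not m:
        raise ValueError(f"not an apc_hw02 firmware filename: {filename!r}")
    return m.group(1), m.group(2), m.group(3)

def audit(aos_file, app_file):
    """Return (status, fixed AOS filename, fixed APP filename) for one card."""
    aos_name, aos_num, aos_sfx = parse(aos_file)
    app, app_num, app_sfx = parse(app_file)
    if aos_name != "aos" or app == "aos":
        raise ValueError("expected an AOS file followed by an APP file")
    if (int(aos_num), aos_sfx) >= (212, "a"):  # item 3: 212a and later are out of scope
        return ("not-affected", None, None)
    if app not in NMC_ROWS:
        return ("unknown-product", None, None)
    aos_rev, app_rev = aos_num + aos_sfx, app_num + app_sfx
    for row in NMC_ROWS[app]:
        affected, fixed_aos = row.split(">")
        if affected == f"{aos_rev}/{app_rev}":
            return ("affected", f"apc_hw02_aos_{fixed_aos}.bin", f"apc_hw02_{app}_{app_rev}.bin")
        if fixed_aos == aos_rev:
            return ("fixed", None, None)
    return ("unlisted-upgrade", None, None)  # advisory: move to the latest fixed revision

# Constructed inventory; the hostnames are made up for this example.
INVENTORY = [
    ("ups-rack1", "apc_hw02_aos_125.bin", "apc_hw02_sumx_120.bin"),
    ("pdu-rack7", "apc_hw02_aos_118c.bin", "apc_hw02_rpdu_102.bin"),
]
if __name__ == "__main__":
    for host, aos, app in INVENTORY:
        print(host, *audit(aos, app))
```

A card reported as "fixed" or "not-affected" here has only been checked against the table; items A and B of the Recommendations still apply to any card that cannot be patched.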