Positive Technologies uncovers critical vulnerabilities in APC uninterrupted power supplies
Attackers could remotely disable equipment protected by affected APC devices.
Positive Technologies experts Ilya Karpov, Evgeny Druzhinin, and Stephen Nosov have discovered four vulnerabilities in management cards for APC by Schneider Electric hardware. These uninterrupted power supply (UPS) units are used in various sectors. Two of the vulnerabilities received the maximum possible CVSS v3 score of 10, indicating a very high degree of risk.
Security issues were found in APC MGE SNMP/Web Card Transverse 66074 management cards, which are present in several series of UPS units: Galaxy 5000/6000/9000, EPS 7000/8000/6000, Comet UPS/3000, Galaxy PW/3000/4000, and STS (Upsilon and Epsilon).
The first vulnerability, CVE-2018-7243 (score 10), in the built-in web server (port 80/443/TCP) allows a remote attacker to bypass the authentication system and obtain full administrative access to the UPS, which jeopardizes the continued uptime of equipment connected to electrical power.
Schneider Electric recommends replacing vulnerable management cards with NMC kit G5K9635CH on the Galaxy 5000, Galaxy 6000, and Galaxy 9000. For the MGE EPS 7000 and MGE EPS 8000, the vendor recommends installing NMC kit G9KEPS9635CH. For other affected units, no replacement cards are available. The vendor also recommends following cybersecurity best practices in order to minimize risks.
The second vulnerability found in the built-in web server (port 80/443/TCP) enables an attacker to obtain sensitive information about the UPS unit (CVE-2018-7244, score 5.3).
Exploitation of the third vulnerability (CVE-2018-7245, score 7.3) can result in an unauthorized user changing the settings of the device, including disable parameters. To address these two vulnerabilities, users must, on the access control page, enable authentication for all HTML pages (this can be selected by the user during initial setup of the UPS).
With the fourth vulnerability (CVE-2018-7246, score 10), a remote attacker can intercept administrator account credentials. If SSL is not activated on the UPS, account credentials are sent in cleartext when the access control page is requested. The vendor advises specifying SSL as the default mode and applying special precautions to limit access to administration interfaces, such as by using Modbus RTU in combination with a Modbus/SNMP gateway.