APC’s Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disabling its functionality altogether.
Uninterruptible Power Supply (UPS) devices are vital in safeguarding data centers, server farms, and smaller network infrastructures by ensuring seamless operation amidst power fluctuations or outages.
APC (by Schneider Electric) is one of the most popular UPS brands. Its products are widely deployed on both the consumer and corporate markets, including governmental, healthcare, industrial, IT, and retail infrastructure.
Earlier this month, the vendor published a security notification to warn about the following three flaws impacting its products:
- CVE-2023-29411: Missing authentication for critical function allowing an attacker to change admin credentials and execute arbitrary code on the Java RMI interface. (CVSS v3.1 score: 9.8, “critical”)
- CVE-2023-29412: Improper handling of case sensitivity allowing an attacker to run arbitrary code when manipulating internal methods through the Java RMI interface. (CVSS v3.1 score: 9.8, “critical”)
- CVE-2023-29413: Missing authentication for critical function that could lead to an unauthenticated attacker imposing a denial-of-service (DoS) condition. (CVSS v3.1 score: 7.5, “high”)
While denial-of-service (DoS) flaws are generally not considered very dangerous, as many UPS devices are located in data centers, the consequences of such an outage are magnified as it could block the remote management of devices.
The above flaws impact:
- APC Easy UPS Online Monitoring Software v2.5-GA-01-22320 and earlier
- Schneider Electric Easy UPS Online Monitoring Software v2.5-GA-01-22320 and earlier
The impact affects all Windows versions, including 10 and 11, and also Windows Server 2016, 2019, and 2022.
The recommended action for users of the impacted software is to upgrade to V2.5-GS-01-23036 or later, available for download from here (APC, SE).
Currently, the only mitigation for customers with direct access to their Easy UPS units is to upgrade to the PowerChute Serial Shutdown (PCSS) software suite on all servers protected by your Easy UPS OnLine (SRV, SRVL models), which provides serial shutdown and monitoring.
General security recommendations provided by the vendor include placing mission-critical internet-connected devices behind firewalls, utilizing VPNs for remote access, implementing strict physical access controls, and avoiding leaving devices in “Program” mode.
Recent research focusing on APC products revealed dangerous flaws collectively called ‘TLStorm,’ which could give hackers control of vulnerable and exposed UPS devices.
Soon after the publication of TLStorm, CISA warned of attacks targeting internet-connected UPS devices, urging users to take immediate action to block the attacks and protect their devices.