Threat Advisory

APC warns of critical unauthenticated RCE flaws in UPS software

Threat: Vulnerability
Criticality: High

Summary:

APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, which attackers could use to take control of devices and, in the worst case, disable them completely. UPS systems are essential for protecting data centers, server farms, and smaller network infrastructures by ensuring uninterrupted service during power fluctuations or outages.

One of the most well-known UPS brands is APC (by Schneider Electric). Its products are widely used in both consumer and business settings, including infrastructure for government, healthcare, industrial, information technology, and retail.

  • CVE-2023-29411: Missing authentication for a critical function could allow an attacker to modify the admin credentials and run arbitrary code on the Java RMI interface. (CVSS v3.1 score: 9.8, "critical")
  • CVE-2023-29412: Improper handling of case sensitivity could allow an attacker to execute arbitrary code by manipulating internal methods through the Java RMI interface. (CVSS v3.1 score: 9.8, "critical")
  • CVE-2023-29413: Missing authentication for a critical function could allow an unauthorized attacker to cause a denial-of-service (DoS) condition. (CVSS v3.1 score: 7.5, "high")

Denial-of-service (DoS) issues are typically not regarded as highly harmful, but because many UPS devices are deployed in data centers, the effects of such an outage are exacerbated: it can prevent remote maintenance of the device.

The following products are affected by the above flaws:

  • Versions 2.5-GA-01-22320 and earlier of the APC Easy UPS Online Monitoring Software
  • Versions 2.5-GA-01-22320 and earlier of the Schneider Electric Easy UPS Online Monitoring Software

All Windows versions, including Windows 10 and 11, as well as Windows Server 2016, 2019, and 2022, are impacted. For users who have direct access to their Easy UPS units, the only available solution is to upgrade all servers covered by Easy UPS OnLine (SRV, SRVL models) to the PowerChute Serial Shutdown (PCSS) software suite, which offers serial shutdown and monitoring.

Recommendations:

  • We strongly recommend you upgrade your APC Easy UPS Online Monitoring Software and Schneider Electric Easy UPS Online Monitoring Software to Version V2.5-GS-01-23036 or later.
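Added example (not part of the advisory or the vendor's tooling): a small Python triage helper that parses the Easy UPS Online Monitoring Software version strings quoted above and flags installed versions at or below 2.5-GA-01-22320 as affected. It assumes the trailing five-digit field is a YYDDD build date that orders releases chronologically, and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Version strings quoted in the advisory: the last affected release and the
# first fixed release.
LAST_AFFECTED_VERSION = "2.5-GA-01-22320"
FIXED_VERSION = "V2.5-GS-01-23036"

# Assumption: the trailing 5-digit field is a YYDDD build date (23036 = day 36
# of 2023), so it orders releases. The pattern is inferred from the two version
# strings in the advisory, not from vendor documentation.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)-([A-Z]+)-(\d+)-(\d{5})$")


def parse_version(s: str) -> tuple:
    """Turn '2.5-GA-01-22320' into a comparable tuple (2, 5, 1, 22320)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Easy UPS version string: {s!r}")
    major, minor, _channel, rev, build = m.groups()
    # The channel tag (GA/GS) is ignored for ordering; the build date decides.
    return (int(major), int(minor), int(rev), int(build))


def is_affected(installed: str) -> bool:
    """True when the installed version is 2.5-GA-01-22320 or earlier."""
    return parse_version(installed) <= parse_version(LAST_AFFECTED_VERSION)


def triage(inventory: dict) -> dict:
    """Map hostname -> 'AFFECTED' / 'FIXED' / 'UNKNOWN' for an inventory of
    {hostname: version string}. Unparseable versions are flagged for review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(version) else "FIXED"
        except ValueError:
            result[host] = "UNKNOWN"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "dc1-ups-mon01": "2.5-GA-01-22320",   # last affected build
    "dc1-ups-mon02": "2.4-GA-01-22101",   # older, also affected
    "dc2-ups-mon01": "V2.5-GS-01-23036",  # fixed build
    "dc2-ups-mon02": "unknown",           # cannot parse -> manual check
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```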

References:

The following reports contain further technical details:

https://www.bleepingcomputer.com/news/security/apc-warns-of-critical-unauthenticated-rce-flaws-in-ups-software/
