
APC SMART UPS vulnerability

Summary

A recent set of vulnerabilities has been discovered in APC Smart-UPS systems. The vulnerabilities can result in remote manipulation of the UPS and potential damage to other assets it controls.

 

Quotes


Why it matters: Three vulnerabilities were recently discovered affecting uninterruptible power supplies (UPS) made by APC. The vulnerabilities, classified as critical and high severity, are related to APC's SMT, SMC, SCL, SMX, SRT, and SMTL product lines. The TLS-based attacks can result in impacts ranging from physical damage of the device itself to unauthorized access to a target's internal networks.

 

My thoughts

It might only be a backup system, but everything has a vulnerability that has to be discovered sooner, before it's …

 

Source:

https://www.techspot.com/news/93757-researchers-discover-critical-vulnerabilities-apc-smart-ups-devices.html


3 minutes ago, Arika S said:

........why do you even need a smart UPS? it's a UPS.....

In a professional environment you may want to shutdown your server or restart it remotely. 

 

For home users, probably not needed. I have two APC UPS here at the house, neither connected to the network or using APCs software. So both just used in an "offline" manner.


3 hours ago, Arika S said:

........why do you even need a smart UPS? it's a UPS.....

The company I’m at has over 5000 APC UPS’, all network connected. We have a dashboard that tells us if a UPS is being over-used (more wattage than it will support for our baseline number of minutes in an outage), when a unit’s battery needs to be replaced (and we can order the replacement to be drop-shipped direct from the dashboard, because every UPS has an address and contact info), and if there are any faults with a unit (consistent under or over voltage, internal hardware faults, and more).

 

Without this, it would require significantly more effort to keep track of the units. We know exactly how much work was being done by the NOC before we paid more for the network connected models and the dashboard, and we know that we saved more in labor costs per year than the hardware and license fees.

 

Some of the UPS models also have remote control of individual outlets, or outlet groups, and we also have APC PDUs in the same dashboard where we can control individual outlets.


1 hour ago, leadeater said:

Ahhh... WTF!?

Hoping it's just a theoretical kind of attack for now and not one currently in the wild (with PoC code). Guess they could damage a decent amount of equipment by flipping the power to the equipment on and off... or, I guess, depending on how tightly the voltages and power management are controlled by firmware, send inconsistent voltages across the equipment.

 

Either way, this is why it always freaks me out a bit having devices attached to very sensitive equipment that interact with a cloud not in my control.


6 hours ago, OhioYJ said:

In a professional environment you may want to shutdown your server or restart it remotely. 


Anybody else fondly remember when we used to use SNMP for this stuff instead of having to send commands via a (sometimes subscription based) vendor hosted cloud service?


3 hours ago, wanderingfool2 said:

Guess they could damage a decent amount of equipment by flipping the power to the equipment on and off....or I guess depending how controlled the voltages and power manage is by firmware send inconsistent voltages across the equipment.

Or changing the battery type to/from Lithium to VRLA or GEL. Or changing the expected supply from 240V to 110V, etc. Just horrible possibilities all around.


3 hours ago, Paul Thexton said:

Anybody else fondly remember when we used to use SNMP for this stuff instead of having to send commands via a (sometimes subscription based) vendor hosted cloud service?

Thing is, that is still done; APC pulls this basically for their own information for service requirements. We still do all our SNMP logging even with this cloud connectivity (just theory bro, we totally don't have APC UPSs with this cloud connectivity, move along).

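The SNMP path that Paul Thexton and leadeater describe above (poll the UPS yourself over SNMP, leave the vendor cloud out of the monitoring loop) is simple enough to show on the wire. The following is an added example, not code from APC or from anyone in this thread. It builds an SNMPv2c GetRequest for the vendor-neutral UPS-MIB (RFC 1628: battery status, seconds on battery, estimated minutes and charge remaining), parses the GetResponse, and applies the kind of "will this unit ride through our baseline outage" check brwainer's dashboard does. Assumptions: the UPS network card exposes the RFC 1628 MIB (most do, but confirm against your model's MIB list; APC cards also carry their own PowerNet MIB), it listens on UDP/161 from the monitoring host, and v2c is used only so the packet format is visible. On a real management VLAN you would run SNMPv3 authPriv, since a v2c community string crosses the wire in clear text. The sample reply at the bottom is constructed in code so the example runs with no UPS present.

```python
import socket

# Added example (not APC's or the posters' code).  Scalar objects from the
# standard UPS-MIB, RFC 1628, with the .0 instance appended.  Assumption: the
# UPS network card implements this MIB.
UPS_MIB = {
    "upsBatteryStatus":             "1.3.6.1.2.1.33.1.2.1.0",  # 1 unknown, 2 normal, 3 low, 4 depleted
    "upsSecondsOnBattery":          "1.3.6.1.2.1.33.1.2.2.0",
    "upsEstimatedMinutesRemaining": "1.3.6.1.2.1.33.1.2.3.0",
    "upsEstimatedChargeRemaining":  "1.3.6.1.2.1.33.1.2.4.0",  # percent
}

# --- BER, just the pieces SNMP needs --------------------------------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def ber_int(v):
    """INTEGER as minimal-length two's complement (the +8 keeps a sign bit)."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

# --- SNMP v2c messages -----------------------------------------------------
def snmp_get_request(community, oids, request_id):
    """GetRequest (PDU tag 0xA0) with one NULL-valued varbind per OID."""
    varbinds = b"".join(_tlv(0x30, ber_oid(o) + _tlv(0x05, b"")) for o in oids)
    pdu = _tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, ber_int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 == v2c

def snmp_get_response(community, request_id, values):
    """GetResponse (PDU tag 0xA2) with INTEGER values; used to construct a sample reply."""
    varbinds = b"".join(_tlv(0x30, ber_oid(o) + ber_int(v)) for o, v in values.items())
    pdu = _tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, ber_int(1) + _tlv(0x04, community.encode()) + pdu)

def snmp_parse_response(pkt):
    """Return (request_id, error_status, {oid: value}) from a v2c GetResponse."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, _community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    values, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        if vtag in (0x02, 0x41, 0x42, 0x43):   # INTEGER, Counter32, Gauge32, TimeTicks
            val = int.from_bytes(vbody, "big", signed=(vtag == 0x02))
        elif vtag == 0x04:                       # OCTET STRING
            val = vbody.decode(errors="replace")
        else:                                    # noSuchObject and friends: keep raw bytes
            val = vbody
        values[_decode_oid(oid_body)] = val
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), values)

# --- the dashboard-style check ---------------------------------------------
def battery_alerts(values, baseline_minutes=10):
    """Flag a unit that would not ride through the baseline outage length."""
    alerts = []
    status = values.get(UPS_MIB["upsBatteryStatus"])
    minutes = values.get(UPS_MIB["upsEstimatedMinutesRemaining"])
    if status in (3, 4):
        alerts.append({3: "battery low", 4: "battery depleted"}[status])
    if isinstance(minutes, int) and minutes < baseline_minutes:
        alerts.append(f"runtime {minutes} min below baseline {baseline_minutes} min")
    return alerts

def snmp_poll(host, community, oids, timeout=2.0):
    """Live poll over UDP/161; only meaningful against a reachable UPS card."""
    req = snmp_get_request(community, oids, 0x4150)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 161))
        rid, err, values = snmp_parse_response(s.recv(4096))
    if rid != 0x4150 or err:
        raise RuntimeError(f"bad reply: id={rid} err={err}")
    return values

# Constructed sample reply (no UPS needed): normal battery, 35 min runtime, 100 % charge.
SAMPLE_REPLY = snmp_get_response("public", 0x4150, {
    UPS_MIB["upsBatteryStatus"]: 2,
    UPS_MIB["upsEstimatedMinutesRemaining"]: 35,
    UPS_MIB["upsEstimatedChargeRemaining"]: 100,
})
```

To use it against real hardware, call `snmp_poll("10.0.0.5", "public", list(UPS_MIB.values()))` from the monitoring VLAN (address and community are placeholders), then feed the result to `battery_alerts`. The point of the shape, rather than the protocol trivia: every value the NOC needs is readable from the card over one UDP port that a firewall can pin to a single poller, which is a much smaller attack surface than an always-on outbound cloud session.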

6 hours ago, leadeater said:

Ahhh... WTF!?

The APC Management software can access a lot of settings within the controller directly. I'm sure there's a way of bricking the UPS. 

 

I also am quite happy to run all of mine in dummy modes, so at least I have that going for me. Unless there's some ability to breach a non-WiFi air gap on them, lol.


1 hour ago, leadeater said:

Thing is that is still done, APC pulls this basically for their own information for service requirements. 

After I left a previous employer I was told that the management of the monitoring system was taken off the team I used to be on and given to another team (but management of the actual stuff remained where it was), who decided in their wisdom to re-implement it.  One day the guys got called in to the manager's office and were shouted at for all the network storage appliances being 1 hour out.

 

Apparently they had a one-hour, er, frank discussion about what DST means; the manager blurted out that he didn't care and told them to fix it.

 

Turns out the "new" team decided to not use SNMP polling for them and instead enabled the web management interface and did a curl command to scrape the time from the webpage instead which was reporting in localtime instead of UTC 🤦🏻‍♂️ New team refused to do it properly, and so the appliances were configured to use local time as the system time instead of UTC... which is just plain wrong.

 

That incompetence in that story still makes me angry to think about now over a decade later and I'd already left the company when it happened.

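The one-hour discrepancy in the story above is easy to reproduce, and the following added example (not the poster's code, nor anything from the appliances he describes) shows exactly where it comes from: a monitoring host compares a wall-clock time scraped from a web page against its own UTC reference, and any consumer that assumes a single fixed offset all year is off by an hour between the March and November changes. The assumptions are that the appliances sit in US Eastern time and follow the post-2007 US DST rule (second Sunday of March 02:00 to first Sunday of November 02:00), which is hard-coded so the example runs without a tz database. The right fix is still the one the post gives (keep system time in UTC and poll it over SNMP); this code only quantifies the damage of doing it the other way.

```python
from datetime import datetime, timedelta, timezone

# Added example, not the poster's code.  Assumption: appliances keep US Eastern
# wall-clock time and follow the post-2007 US DST rule, coded by hand below so
# no tz database is needed.
LOCAL_FMT = "%Y-%m-%d %H:%M:%S"
EST = timezone(timedelta(hours=-5), "EST")
EDT = timezone(timedelta(hours=-4), "EDT")

def _nth_sunday(year, month, n):
    first = datetime(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def is_dst(local_str):
    """True if a naive US-Eastern wall-clock reading falls inside DST.
    The repeated fall-back hour is treated as its first (EDT) occurrence."""
    t = datetime.strptime(local_str, LOCAL_FMT)
    start = _nth_sunday(t.year, 3, 2).replace(hour=2)   # second Sunday of March
    end = _nth_sunday(t.year, 11, 1).replace(hour=2)    # first Sunday of November
    return start <= t < end

def drift_seconds(scraped_local, reference_utc, fixed_offset_hours=None):
    """Seconds between a clock scraped as naive local time and a UTC reference.
    fixed_offset_hours=None applies the DST rule; passing -5 reproduces the
    'it is EST all year' mistake that made every appliance look an hour out."""
    naive = datetime.strptime(scraped_local, LOCAL_FMT)
    if fixed_offset_hours is None:
        zone = EDT if is_dst(scraped_local) else EST
    else:
        zone = timezone(timedelta(hours=fixed_offset_hours))
    ref = datetime.strptime(reference_utc, LOCAL_FMT).replace(tzinfo=timezone.utc)
    return int((naive.replace(tzinfo=zone) - ref).total_seconds())
```

Run `drift_seconds("2022-03-14 09:00:00", "2022-03-14 13:00:00", fixed_offset_hours=-5)` and you get 3600: the day after the 2022 spring-forward, an appliance whose clock is perfectly synced looks one hour fast to a scraper that still assumes EST. The same call with the DST rule returns 0, and both return 0 for a reading from the previous week. Note that the hard-coded rule is itself a liability (rules change by jurisdiction and by year), which is one more reason to keep the devices on UTC.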

On 3/13/2022 at 4:40 PM, Thewarrantybreaker said:

Summary

A recent set of vulnerabilities has been discovered in APC Smart-UPS systems. The vulnerabilities can result in remote manipulation of the UPS and potential damage to other assets it controls.


Good thing nobody uses the cloud features of those UPS systems.


No seriously, the last client I had that used them just said not to plug in the green ethernet port (which is the cloud management port, not to be confused with the actual remote management card.)


There has to be some business use for "smart battery backups" or whatever, but I wasn't using APC for a battery backup; I'm using a different brand of battery backup at the moment, so it doesn't affect me as much.


10 hours ago, Kisai said:

Good thing nobody uses the cloud features of those UPS systems.


No seriously, the last client I had that used them just said not to plug in the green ethernet port (which is the cloud management port, not to be confused with the actual remote management card.)

We’re using APC’s StruxureWare which AFAIK is built on top of SmartConnect. Our newest UPS’ don’t have the separate remote monitoring cards in them. And there’s enough companies of our size doing the same that I’m not even divulging a security hole by saying this.


1 hour ago, brwainer said:

We’re using APC’s StruxureWare which AFAIK is built on top of SmartConnect. Our newest UPS’ don’t have the separate remote monitoring cards in them. And there’s enough companies of our size doing the same that I’m not even divulging a security hole by saying this.

We use StruxureWare also, but still use SNMP to gather all the data and only use the StruxureWare gateway server for the talking-back-to-APC stuff. So we are/were mostly unaffected, but have patched, because local attacks, even if they technically shouldn't be possible on such an isolated VLAN, could be a thing.
