Updated: March 25, 2022
- The 3 vulnerabilities found have been formally classified (see below)
- APC has not released any software fixes for the 3 vulnerabilities
- Net Friends successfully disabled SmartConnect on all APC units to protect our customers
- CISSecurity.org has classified the risk for these vulnerabilities as MEDIUM for Small Businesses
The 3 vulnerabilities are listed below with their official Common Vulnerabilities and Exposures (CVE) identifiers:
- CVE-2022-0715: An Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS if a key is leaked and used to upload malicious firmware.
- CVE-2022-22805: A Buffer Copy without Checking Size of Input vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled.
- CVE-2022-22806: An Authentication Bypass by Capture-replay vulnerability exists that could cause unauthenticated connection to the UPS when a malformed connection is sent.
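For readers who want to see what the CVE-2022-22805 weakness class (CWE-120, "Buffer Copy without Checking Size of Input") looks like in a record-reassembly path, here is a generic illustration written for this post. It is not APC or Schneider Electric firmware and makes no claim about how the real bug is laid out; the structure, buffer size and function names are assumptions chosen only to show the missing check and the corrected check side by side.

```c
/* Added illustration of CWE-120 in a TLS-record reassembly path.
 * Generic example written for this post; it is NOT the vendor's code.
 * Layout, sizes and names below are assumptions for demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS 1.2 caps a plaintext record at 2^14 bytes (RFC 5246, 6.2.1). */
#define MAX_RECORD 16384u

typedef struct {
    uint8_t buf[MAX_RECORD];  /* fixed-size reassembly buffer */
    size_t  used;             /* bytes accumulated so far */
} reassembly_t;

/* Unsafe pattern: the peer-supplied fragment length is trusted and the
 * fragment is appended without checking the space left in buf[]. A long
 * fragment, or enough repeated fragments, writes past the end of buf[].
 * Shown for contrast only; the demo functions below never call it. */
int append_fragment_unchecked(reassembly_t *r, const uint8_t *frag, size_t len)
{
    memcpy(r->buf + r->used, frag, len);  /* no bound on r->used + len */
    r->used += len;
    return 0;
}

/* Hardened pattern: refuse any fragment that would take the record past
 * MAX_RECORD. The comparison is written as "used > MAX_RECORD - len" so
 * that used + len can never wrap around before it is checked. */
int append_fragment_checked(reassembly_t *r, const uint8_t *frag, size_t len)
{
    if (len > MAX_RECORD || r->used > MAX_RECORD - len)
        return -1;  /* caller should drop the connection, not the check */
    memcpy(r->buf + r->used, frag, len);
    r->used += len;
    return 0;
}

/* Constructed input: two zero-filled 10000-byte fragments. The second
 * one would push the record to 20000 bytes, so the hardened function
 * must reject it and leave the buffer at 10000 bytes.
 * Returns 0 on the expected behaviour, a non-zero step number otherwise. */
int demo_oversized_fragments(void)
{
    static uint8_t frag[10000];  /* static storage, zero-initialised */
    reassembly_t r;
    r.used = 0;

    if (append_fragment_checked(&r, frag, sizeof frag) != 0)
        return 1;  /* first fragment fits and must be accepted */
    if (append_fragment_checked(&r, frag, sizeof frag) == 0)
        return 2;  /* second fragment overflows and must be rejected */
    return r.used == 10000 ? 0 : 3;
}

/* Constructed input: two small fragments that fit comfortably.
 * Returns the number of bytes accumulated (expected 8). */
size_t demo_in_bounds(void)
{
    const uint8_t a[4] = {0x16, 0x03, 0x03, 0x00};  /* sample bytes */
    const uint8_t b[4] = {0x01, 0x02, 0x03, 0x04};
    reassembly_t r;
    r.used = 0;

    append_fragment_checked(&r, a, sizeof a);
    append_fragment_checked(&r, b, sizeof b);
    return r.used;
}

int main(void)
{
    printf("oversized fragments handled: %s\n",
           demo_oversized_fragments() == 0 ? "ok" : "FAIL");
    printf("bytes accumulated in-bounds: %zu\n", demo_in_bounds());
    return 0;
}
```

The single line that differs between the two functions is the bounds check before `memcpy`; everything an attacker controls (the fragment length and how many fragments arrive) is validated against the buffer's fixed capacity before a byte is copied.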
Published: March 14, 2022
APC Notice from Net Friends:
We have recently learned that there is a critical vulnerability related to the network management interface on the APC uninterruptible power supply (UPS) supporting your network. Net Friends' Network Operations Center (NOC) team immediately began investigating the potential impact and how to address it.
About SmartConnect Vulnerabilities
On March 8th, vulnerabilities were disclosed in a remote monitoring tool that APC uses called SmartConnect. SmartConnect is a management interface that Net Friends uses to monitor the status of your APC units. A malicious person could exploit these vulnerabilities in SmartConnect to disrupt power delivery from these units or perform actions that could damage the unit.
There are no known ways to exploit these vulnerabilities to compromise any data, but a malicious person could cause an unplanned business continuity disruption. Unfortunately, there is also currently no update available that addresses these vulnerabilities. As noted, Net Friends' Network Operations Center (NOC) team immediately began investigating their potential impact and ways to address them.
Who does this affect?
All NetCore customers who have an APC uninterruptible power supply supporting their network equipment.
Net Friends' Response
At this time, APC does not have a software solution to the vulnerabilities on any APC unit we support or sell.
We have determined that the safest course of action is to disable SmartConnect. This will be done without any downtime or negative impact on your systems.
However, we will not be able to directly monitor the status and health of your APC units until a software fix is available for these SmartConnect vulnerabilities. The changes we are making to isolate these vulnerabilities from the network will not otherwise affect your systems.
Net Friends will take the SmartConnect management interface offline this week (the week of March 14, 2022). This is a manual action that has to be performed individually on each APC unit, so we cannot provide a precise date or time when our NOC team will take this interface offline.
Since APC has not released any software fixes for these vulnerabilities yet, we do not have an estimated time when we can restore SmartConnect and our remote monitoring capabilities. However, we will keep you posted with updates here on our blog.
Remote Mitigation & Patching
All of our work to mitigate this vulnerability will be performed remotely. When we are able to patch these vulnerabilities and restore SmartConnect, we expect to be able to perform this remotely as well.
If you have any further questions, please reach out to your Customer Success Manager, or watch this post for updates as we have them.