News

APC Vulnerabilities Notice

Post by
Net Friends
Updated: July 15, 2022

Update #3

  • The Network Operations Center (NOC) at Net Friends has updated its procedures so that every new APC device is first confirmed to have the latest firmware patch addressing these vulnerabilities before it is deployed. Under these procedures, the updates are applied at our secure headquarters in Durham, NC before the APC units are deployed to customer sites.
  • The manual update of firmware adds at least 15 minutes to each APC deployment time, and notably has a 20% failure rate, requiring the firmware to be reapplied to correct the issue.
  • Leadership at Net Friends determined that there was not sufficient value for our customers to reconnect APC units to the network due to compensatory controls Net Friends has put in place.

Update #2

Update #1

  • The 3 vulnerabilities found have been formally classified (see below)
  • APC has not released any software fixes to the 3 vulnerabilities
  • Net Friends successfully disabled SmartConnect on all APC units to protect our customers
  • CISSecurity.org has classified the risk for these vulnerabilities as MEDIUM for Small Businesses

The 3 vulnerabilities are listed below with their official Common Vulnerabilities and Exposures (CVE) identification numbers:

- CVE-2022-0715: An Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS if a key is leaked and used to upload malicious firmware.

- CVE-2022-22805: A Buffer Copy without Checking Size of Input vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled.

- CVE-2022-22806: An Authentication Bypass by Capture-replay vulnerability exists that could cause unauthenticated connection to the UPS when a malformed connection is sent.
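The second entry above names the "Buffer Copy without Checking Size of Input" weakness class: a fragment of a TLS record is copied into a fixed-size reassembly buffer without checking that it fits. The C below is an added illustration of that class and of the bounds checks that close it; it is not APC's, Schneider Electric's, or Net Friends' code, and the 2-byte length header, the 4096-byte record limit, and the fragment contents in `reassembly_selftest` are all constructed assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed fixed-size reassembly buffer (constructed value for the example). */
#define RECORD_MAX 4096
/* Assumed 2-byte big-endian "total length" header on the first fragment. */
#define HDR_LEN 2

typedef struct {
    uint8_t buf[RECORD_MAX];
    size_t  used;      /* bytes copied so far */
    size_t  expected;  /* total length announced by the header; 0 = not started */
} reassembly_t;

void reassembly_init(reassembly_t *r) { memset(r, 0, sizeof *r); }

/* Parse the announced total length. The length field is attacker-controlled
 * input, so it must be validated against OUR buffer before it is trusted.
 * Returns 0 on success, -1 if the announced length exceeds the buffer,
 * -2 if the header itself is too short to parse. */
int reassembly_begin(reassembly_t *r, const uint8_t *hdr, size_t hdr_len) {
    if (hdr_len < HDR_LEN) return -2;
    size_t total = ((size_t)hdr[0] << 8) | hdr[1];
    if (total > RECORD_MAX) return -1;   /* the unchecked version skips this test */
    r->expected = total;
    r->used = 0;
    return 0;
}

/* Append one fragment. The check compares the fragment length against the
 * REMAINING space (expected - used) rather than computing used + len, so it
 * cannot wrap around on oversized input. Returns 0 on success, -1 if the
 * fragment would overrun the announced length, -2 if no record was begun. */
int reassembly_append(reassembly_t *r, const uint8_t *frag, size_t len) {
    if (r->expected == 0) return -2;
    if (len > r->expected - r->used) return -1;  /* the CWE-120 bug is the absence of this line */
    memcpy(r->buf + r->used, frag, len);
    r->used += len;
    return 0;
}

/* A record is complete only when exactly the announced number of bytes arrived. */
int reassembly_complete(const reassembly_t *r) {
    return r->expected != 0 && r->used == r->expected;
}

/* Walks the checks with constructed fragments and returns how many of the
 * six expected outcomes were observed (6 means every bounds check behaved). */
int reassembly_selftest(void) {
    reassembly_t r;
    int ok = 0;
    reassembly_init(&r);

    const uint8_t hdr[HDR_LEN] = { 0x00, 0x05 };      /* announces a 5-byte record */
    const uint8_t f1[3] = { 1, 2, 3 };
    const uint8_t f2[4] = { 4, 5, 6, 7 };
    const uint8_t huge[HDR_LEN] = { 0xFF, 0xFF };     /* announces 65535 bytes */

    if (reassembly_begin(&r, hdr, HDR_LEN) == 0)   ok++;  /* 1: sane length accepted */
    if (reassembly_append(&r, f1, 3) == 0)         ok++;  /* 2: 3 of 5 bytes copied */
    if (!reassembly_complete(&r))                  ok++;  /* 3: not complete yet */
    if (reassembly_append(&r, f2, 4) == -1)        ok++;  /* 4: 4 more would exceed 5 -> rejected */
    if (reassembly_append(&r, f2, 2) == 0 &&
        reassembly_complete(&r))                   ok++;  /* 5: exactly 5 bytes -> complete */
    if (reassembly_begin(&r, huge, HDR_LEN) == -1) ok++;  /* 6: oversized header rejected */
    return ok;
}

int main(void) {
    printf("bounds checks passed: %d of 6\n", reassembly_selftest());
    return 0;
}
```

The two `-1` paths are the ones that matter: rejecting an announced length larger than the buffer, and rejecting any fragment that would overrun what was announced. Without them a fragment stream can write past `buf` into adjacent memory, which is the memory-corruption outcome the CVE description summarises as remote code execution.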

Published: March 14, 2022

APC Notice from Net Friends:

We have recently learned that there is a critical vulnerability related to the network management interface on the APC uninterruptible power supply (UPS) supporting your network. Net Friends' Network Operations Center (NOC) team immediately began investigating the potential impact and how to address it.

(The Situation in Brief above reflects updates as of March 15, 2022)

About SmartConnect Vulnerabilities

On March 8th, vulnerabilities were disclosed in a remote monitoring tool that APC uses called SmartConnect. SmartConnect is a management interface that Net Friends uses to monitor the status of your APC units. A malicious person could exploit these vulnerabilities in SmartConnect to disrupt power delivery from these units or perform actions that could damage the unit.

There are no known ways to exploit these vulnerabilities to compromise any data, but a malicious person could cause an unplanned business continuity disruption. Unfortunately, there is also currently no update available that addresses these vulnerabilities. As noted, Net Friends' Network Operations Center (NOC) team immediately began investigating their potential impact and ways to address them.

Who does this affect?

All NetCore customers who have an APC uninterruptible power supply supporting their network equipment.

Net Friends' Response

Disabling SmartConnect

At this time, APC does not have a software solution to the vulnerabilities on any APC unit we support or sell.

We have determined that the safest course of action is to disable SmartConnect. This will be done without any downtime or negative impact on your systems.

However, we will not be able to directly monitor the status and health of your APC units until a software fix is found for these SmartConnect vulnerabilities. Please note that there will be no impact to customers from the changes that we’re making to isolate these vulnerabilities from the network.

When?

Net Friends will take the SmartConnect management interface offline this week (the week of March 14, 2022). This is a manual action that has to be performed individually on each APC unit, so we cannot provide a precise date or time when our NOC team will take this interface offline.

Since APC has not released any software fixes for these vulnerabilities yet, we do not have an estimated time when we can restore SmartConnect and our remote monitoring capabilities. However, we will keep you posted with updates here on our blog.

Remote Mitigation & Patching

All of our work to mitigate this vulnerability will be performed remotely. When we are able to patch these vulnerabilities and restore SmartConnect, we expect to be able to perform this remotely as well.

If you have any further questions, please reach out to your Customer Success Manager, or stay tuned as we continue to post updates as soon as we have them.



Last Updated: March 25, 2022
