Updated: July 15, 2022
- The Network Operations Center (NOC) at Net Friends have updated procedures for all new APC devices deployed to first ensure they have the latest firmware patch that addresses these vulnerabilities. Our procedures confirm that the updates are to occur at our secure headquarters in Durham, NC before the APC units are deployed to customer sites.
- The manual update of firmware adds at least 15 minutes to each APC deployment time, and notably has a 20% failure rate, requiring the firmware to be reapplied to correct the issue.
- Leadership at Net Friends determined that there was not sufficient value for our customers to reconnect APC units to the network due to compensatory controls Net Friends has put in place.
- APC released software fixes in June 2022, which are available here: https://www.se.com/us/en/download/document/APC_SUMX_708_EN/
- A fantastic and thorough explanation of the way the critical vulnerabilities could be exploited can be found here: https://www.armis.com/research/tlstorm/
- The Network Operations Center (NOC) at Net Friends is undergoing an assessment of whether there are sufficient benefits to be had to re-connect APC devices to the network.
- The 3 vulnerabilities found have been formally classified (see below)
- APC has not released any software fixes to the 3 vulnerabilities
- Net Friends successfully disabled SmartConnect on all APC units to protect our customers
- CISSecurity.org has classified the risk for these vulnerabilities as MEDIUM for Small Businesses
The 3 vulnerabilities are listed below with their official Common Vulnerability and Exposures (CVE) identification numbers:
- CVE-2022-0715: An Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS if a key is leaked and used to upload malicious firmware.
- CVE-2022-22806: An Authentication Bypass by Capture-replay vulnerability exists that could cause unauthenticated connection to the UPS when a malformed connection is sent.
Published: March 14, 2022
APC Notice from Net Friends:
We have recently learned that there is a critical vulnerability related to the network management interface on your APC uninterruptible power supply (UPS) supporting your network. Net Friends' Network Operations Center (NOC) team has immediately began investigating the potential impact and how to address it.
About SmartConnect Vulnerabilities
On March 8th, vulnerabilities were found on a remote monitoring tool that APC uses called SmartConnect. SmartConnect is a management interface that Net Friends uses to monitor the status of your APC units. A malicious person could exploit these vulnerabilities in SmartConnect to disrupt the power delivering on these units or perform actions that could damage the unit.
There are not any known ways to exploit these vulnerabilities to compromise any data, but a malicious person could cause an unplanned business continuity disruption. Unfortunately, there also is currently no update available that addresses this vulnerability. As noted, Net Friends' Network Operations Center (NOC) team immediately began investigating this vulnerability’s potential impact and ways to address it.
Who does this affect?
All NetCore customers who have an APC uninterruptible power supply supporting their network equipment.
Net Friends' Response
At this time, APC does not have a software solution to the vulnerabilities on any APC unit we support or sell.
We have determined that the safest course of action is to disable SmartConnect. This will be done without any downtime or negative impact on your systems.
However, we will not be able to directly monitor the status and health of your APC units until a software fix is found for these SmartConnect vulnerabilities. Please note that there will be no impact to customers from the changes that we’re making to isolate these vulnerabilities from the network.
Net Friends will take the SmartConnect management interface offline this week (the week of March 14, 2022). This is a manual action that has to be performed individually on each APC unit, so we cannot provide a precise date or time when our NOC team will take this interface offline.
Since APC has not released any software fixes for these vulnerabilities yet, we do not have an estimated time when we can restore SmartConnect and our remote monitoring capabilities. However, we will keep you posted with updates here on our blog.
Remote Mitigation & Patching
All of our work to mitigate this vulnerability will be performed remotely. When we are able to patch these vulnerabilities and restore SmartConnect, we expect to be able to perform this remotely as well.
If you have any further questions, please reach out to your Customer Success Manager or stay tuned while we continue to provide updates as we have them to give.
Last Updated: March 25, 2022