-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APC Security Advisory - Static factory password vulnerability

Who should read this:

Customers with products that have APC's hardware-based network
management cards installed. APC products that use these cards to
attach to the network via a direct ethernet or token ring connection,
or via a console port server, may be affected (see "How to Determine
if Your Model Is Affected" for more detail).


Problem Summary:

APC's hardware-based network management cards could be compromised by
non-privileged users via Telnet or the local serial port using a
static factory password. This vulnerability was reported by a
customer. APC is not aware of any malicious use of the vulnerability
prior to this disclosure.


Impact:

The exploitation of this issue can result in unauthorized control of
these devices.


Mitigating Factors :

- - APC Network Management Cards (models AP9617, AP9618, and AP9619)
using AOS v2.0.0 (apc_hw02_aos_200.bin) and later are NOT
vulnerable via the network port (Telnet or SSH).

- - Many firewalls typically block Telnet (well-known port 23) limiting
the scope of the vulnerability to intranets.

- - Vulnerability via the local serial port requires physical access
unless it is connected to a console port server or similar device.

- - Web and SNMP interfaces are not affected.

How To Determine If Your Model Is Affected:

1. Examine the products listed below. If your UPS or other device
has an AP9606, AP9617, AP9618, or AP9619 card installed then APC
recommends you upgrade the card's firmware. Note that in some
instances a firmware upgrade requires updating two files, the AOS
card operating system and the application file for the device the
card is installed in.

2. If you are not sure whether your UPS or device has one of these
cards installed, examine the unit's faceplate for the following:

    AP9606 Web/SNMP Management Card
    AP9617 Network Management Card EX
    AP9618 Network Management Card EM/MDM
    AP9619 Network Management Card EM

Your device may still contain a network management card, please refer
to your user manual for further information.

3. This advisory does not apply to any products based on Network
Management Card-based AOS revision apc_hw02_aos_212a.bin and later.

Recommendations:

Find your product in the tables below and determine if you have
an affected revision. If your product is affected then download and
apply an update patch.

You may upgrade to a newer application revision that has been
fixed or stay at the same application revision for those that
are listed.  Only devices with network support are affected.

Update patches can be downloaded directly from APC's web site at:
http://www.apc.com/go/direct/index.cfm?tag=sa2988_patch

If for some reason an update patch cannot be applied then:

A. Disable Telnet protocol until a patch can be applied (see appendix
A for instructions). If this is not possible then disconnect the
product from the network until a patch can be applied.

B. If a console port server is connected to a vulnerable product's
local serial port then ensure that the console port server forces
user authentication prior to allowing login to the product. If this
is not possible then disconnect the product from the console port
server until a patch can be applied.

- ---------------------------------------------------------------------
NMC-enabled                     Affected           Fixed In
Product Description             AOS Rev  APP  Rev  AOS Rev  APP  Rev
- ---------------------------------------------------------------------
Smart-UPS                       aos 105  sumx 105  aos 107b sumx 105
                                    115       115      118c      115
                                    125       120      126b      120
                                    125       125      126b      125
                                    211       210      212a      210

Symmetra, Symmetra RM           aos 105  sy   105  aos 107b sy   105
                                    115       116      118c      116
                                    120       120      126b      120
                                    211       210      212a      210

Symmetra PX                     aos 105  sy3p 105  aos 107b sy3p 105
                                    115       115      118c      115
                                    211       210      212a      210

Silcon                          aos 105  dp3e 105  aos 107b dp3e 105
                                    115       116      118c      116

Automatic Transfer Switch       aos 105  ats  106  aos 107b ats  106

DC Systems Products (MX28B)     aos 106  mx28 110  aos 107b mx28 110

Switched Rack PDU               aos 116  rpdu 102  aos 118c rpdu 102

MasterSwitch Plus               aos 116  msp  100  aos 118c msp  100

Note: The AOS and APP firmware revisions listed in this table are
shorthand for the full filename found from the download page. The
full filenames will be apc_hw02_AOS_REV.bin and
apc_hw02_APP_REV.bin.

Zipped versions of both AOS and APP revsions are availiable for all
combinations.  The full filenames for the zipped versions will be
apc_hw02_AOSREV_APPREV.exe.

If your firmware revision is not listed, please upgrade to the
latest fixed revision.
- ---------------------------------------------------------------------

- ---------------------------------------------------------------------
AP9606-enabled                  Affected           Fixed In
Product Description             AOS Rev  APP  Rev  AOS Rev  APP  Rev
- ---------------------------------------------------------------------
Smart-UPS                       all earlier revs   aos 326b sumx 326a

Symmetra                        all earlier revs   aos 326b sy   326a

Silcon                          all earlier revs   aos 326b dp3e 326a

DC Systems Products (MX28B)     all earlier revs   aos 306b dm3k 105a

Environmental Monitoring Unit   all earlier revs   aos 326b em   205a

MasterSwitch (all)              all earlier revs   aos 309a ms   225a

MasterSwitch Plus               all earlier revs   aos 258b msp  205a

MasterSwitch VM                 all earlier revs   aos 258b msvm 115a

Note: The AOS and APP firmware revisions listed in this table are
shorthand for the full filename found from the download page. The
full filenames will be AOSREV.bin and APPREV.bin.

If your firmware revision is not listed, please upgrade to the
latest fixed revision.
- ---------------------------------------------------------------------

Patches will not be provided for these products:
SmartSlot SNMP Management Adapter (AP9605)
External SNMP Management Adapter(AP9205)
Token Ring Management Card (AP9603)
APC recommends that you disable any Telnet interface if present or
remove the network connection from the card.

All other APC product families are unaffected.


Exploitation and Public Announcements:

APC is not aware of any malicious use of the vulnerability described
in this advisory. The vulnerability described in this advisory was
originally found by Dave Tarbott.


Status of this notice: INTERIM

THIS IS AN INTERIM ADVISORY. ALTHOUGH APC CANNOT GAURANTEE THE
ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN
CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING
UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL
CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE
FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR
PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE
DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY,
AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.

IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR
EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NO LIMITED TO, LOSS
OF PROFITS ARSING OUT OF THE USE OR IMPLEMENTATION OF THE
INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR
TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS
BEEN ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING
THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.


Distribution:
This advisory will be posted on APC's worldwide website at:
http://www.apc.com/go/direct/index.cfm?tag=sa2988

Future updates of this advisory, if any, will be place on APC's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revisions:

Revision 1.0
2003-February-18
Initial Public Release


References:

http://www.oit.duke.edu/security/encryption/


Copyright:

This notice is Copyright 2004 by APC. This notice may be
redistributed freely after the release date given at the top of the
text, provided that redistributed copies are complete and unmodified,
and include all date and version information.


Appendix A - Instructions for disabling Telnet access:

To disable telnet from the HTML interface for all network products:

Login to the Web interface using the administrator account
Choose Network in the navigation menu
Choose Telnet sub-option in the navigation menu
Select Disable Telnet Access, click Apply
Click the Logout link in the navigation menu
Telnet is now disabled


To disable telnet from the Telnet interface for all network products:

Login to the Telnet interface using the administrator account
Choose Network from the menu
Choose Telnet from the menu
Choose Access from the menu
Choose Disable from the selections
Choose Accept Changes from the menu
Type <ESC> twice to return to main menu
Choose logout from the menu
Telnet is now disabled

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQDP/r4SPqbaFzuaMEQKAdgCeNooY5bqVeeXmibg4baPw9aoht4wAoLcP
Ch31+yCqjiuI8KCxehInzR4Y
=Jf0E
-----END PGP SIGNATURE-----