Got an APC or MGE UPS? Check that your management card's "device" account is disabled!!!

This information is for anyone using an APC or Merlin Gerin UPS (e.g. a Smart-UPS, Symmetra or Galaxy) fitted with a SmartSlot web management card for remote access, or if you're using an APC power distribution unit with built in web management.

You may have connected your SmartSlot card, or had someone install it for you, changed the password for the APC account and thought you were all done, but you'd be wrong.

Take a look at the list of users in Administration -> Security (on an AP9617, AP9618 or AP9619 card or early PDU) or Configuration -> Security -> Local Users -> Management (on an AP9630, AP9631 or AP9635 card or newer PDU).

See that "device" account? Some instructions online say that it's not an account to care about.  Well let's see, shall we?

Log out first of all, then try logging in with that device account, with its default password of apc.

It's not a full administrator account but there's quite a bit which can be configured.  The account can also be used to control the UPS or PDU outlets, either immediately or on a schedule.

A default username and password straight from the instruction book and we can shut the whole thing down.  Still think it's not an account to care about?

If you're using the device account, for example through APC PowerChute over the network, you should definitely change its password.  If you're not using it, delete it.

If your UPS's web page can be reached by anyone not authorised to meddle with it - even if you've not published its location anywhere - then it's even more important to ensure that both passwords are secured, otherwise someone could find and sign into your UPS with the default username and password and, well, you've just seen what can be done.

This device account has been known about as a vulnerability since at least as far back as 2004, so it's not exactly news, but it's not exactly widely publicised either, and if your card is running old firmware the account is still enabled by default.  It took until August 2019 and version 6.8.0 before the default accounts got disabled unless the passwords were changed.  The card used for the above screenshot was manufactured in September 2019 but came with version 6.6.4 from August 2018, despite version 6.7.2 being released in May 2019 and 6.8.0 in August 2019.  Let's upgrade to the latest version anyway and see what difference it makes; at the time of writing the latest is version 7.0.4, released in July 2021.

No difference at all.  As can be seen in the top-right corner of the screenshot, the device account still works, even though APC's release notes could lead you to believe it would be disabled.  The APC account is supposed to insist the password be changed before proceeding, and that hasn't happened either.  Only if the card is subsequently reset to factory defaults will these new security measures come into place.

Still, this should be a timely reminder to upgrade your UPS or PDU firmware and more importantly to check the default account settings, before someone else does.
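To make that check repeatable across more than one UPS or PDU, here is an added example (not from the original post, and not an APC tool) that audits a constructed inventory of management cards for the two points above: firmware older than 6.8.0, firmware at or above 6.8.0 that has not been factory reset since the upgrade (so the old accounts are still in force), and a "device" account that is still present. The record layout (host, firmware, local_users, factory_reset_since_upgrade) is an assumption of this example, not an APC export format; the sample records are made up.

```python
"""Audit APC/MGE network management cards for the default 'device' account
and for firmware that predates the 6.8.0 change (default accounts disabled
only after a factory reset). Added example; the record fields and the
sample inventory below are constructed, not an APC export format."""
import re
from dataclasses import dataclass, field

FIRST_FIX_VERSION = (6, 8, 0)        # 6.8.0, August 2019, per the post
DEFAULT_ACCOUNTS = {"apc", "device"}  # accounts shipped with a default password


def parse_version(text):
    """Turn 'v6.6.4' or '6.8.0' into a tuple of ints that compares naturally."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.groups())


@dataclass
class Card:
    host: str
    firmware: str
    local_users: list                       # user names as shown in the card's UI
    factory_reset_since_upgrade: bool = False


def audit_card(card):
    """Return the list of findings for one card; an empty list means nothing to fix."""
    findings = []
    version = parse_version(card.firmware)
    present = DEFAULT_ACCOUNTS & {u.lower() for u in card.local_users}

    if version < FIRST_FIX_VERSION:
        findings.append(
            f"firmware {card.firmware} predates 6.8.0: default accounts are "
            "enabled unless their passwords were changed; upgrade and review")
    elif not card.factory_reset_since_upgrade:
        findings.append(
            f"firmware {card.firmware} is recent, but without a factory reset "
            "the pre-upgrade accounts remain in force")
    if "device" in present:
        findings.append(
            "'device' account exists: change its password if PowerChute or "
            "similar uses it, otherwise delete it")
    return findings


def audit_fleet(cards):
    """Map each host to its findings, keeping only hosts that need attention."""
    report = {}
    for card in cards:
        findings = audit_card(card)
        if findings:
            report[card.host] = findings
    return report


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    Card("ups-rack1", "v6.6.4", ["apc", "device"]),
    Card("ups-rack2", "7.0.4", ["apc", "device"], factory_reset_since_upgrade=False),
    Card("pdu-rack3", "7.0.4", ["apc", "readonly"], factory_reset_since_upgrade=True),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_INVENTORY).items():
        print(host)
        for line in findings:
            print("  -", line)
```

The version comparison is deliberately tuple-based so that 6.10.0 would sort after 6.8.0; a plain string comparison would get that wrong. Note that the check only sees whether the accounts exist, not whether their passwords are still the defaults, so a card that passes this audit still needs the manual login test described above.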

Incidentally this doesn't relate to the recently announced TLStorm vulnerability of SmartConnect-enabled UPSes.  There's a firmware upgrade for that as well, which can be remotely pushed through the SmartConnect portal.
