Three vulnerabilities — two of them critical — were reported last week in the Easy UPS Online Monitoring Software from Schneider Electric’s American Power Conversion (APC).
In a security notification sent on April 19, Schneider Electric said companies that fail to apply the remediations the company supplied may risk remote code execution, escalation of privileges, or authentication bypass, which could potentially result in execution of malicious web code or loss of device functionality of the uninterruptible power supply (UPS).
The vulnerability affects hundreds of companies as Schneider Electric, along with Eaton and ABB, control roughly 30% of the global UPS market, which SkyQuest Technology Consulting expects will reach $10.3 billion by 2028.
“Considering the heavy use of this software in datacenters, there’s the potential here to have a broad impact,” said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said it’s significant that one of Schneider Electric’s recommendations is to migrate from the affected network versions of the tool to the Serial/USB management tool instead.
“A threat actor gaining control of a network-enabled UPS monitoring and control system could, if they were so inclined, perform a fairly substantial DoS by powering down any of the systems that relied on the targeted power devices,” explained Parkin.
The three recent vulnerabilities disclosed by Schneider Electric included the following:
- CVE-2023-29411, a critical vulnerability with a 9.8 CVSS score: A Missing Authentication for Critical Function vulnerability that could allow changes to administrative credentials, leading to potential remote code execution without requiring prior authentication on the Java RMI interface.
- CVE-2023-29412, also a critical vulnerability with a 9.8 CVSS score: An Improper Handling of Case Sensitivity vulnerability that could cause remote code execution (RCE) when manipulating internal methods through Java RMI interface.
- CVE-2023-29413, a high severity vulnerability with a 7.5 CVSS score: A Missing Authentication for Critical Function vulnerability that could cause Denial-of-Service (DoS) when accessed by an unauthenticated user on the Schneider UPS Monitor service.
Schneider Electric published mitigations for the Easy UPS Online Monitoring Software for Windows 10 and 11, and Windows Server 2016, 2019 and 2022. The vendor also strongly recommends the following industry best practices:
- Locate control and safety systems and remote devices behind firewalls, and isolate them from the business network.
- Install physical controls so no unauthorized personnel can access the company’s industrial control and safety systems, components, peripheral equipment, and networks.
- Place all controllers in locked cabinets and never leave them in “Program” mode.
- Never connect programming software to any network other than the network for the devices that it’s intended for.
- Scan all mobile data exchange methods with the isolated network such as CDs and USB drives before use in the terminals or any node connected to these networks.
- Never let mobile devices that have connected to any other network besides the intended network connect to the safety or control networks without proper sanitation.
- Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
- When the company requires remote access, use a virtual private network, but understand that VPNs may have vulnerabilities and the security team must update them to the most current version available.