Heads up, UPS users! Schneider Electric has patched three severe vulnerabilities in its APC Easy UPS Online Monitoring software. Exploiting these flaws could allow remote code execution and denial-of-service (DoS) attacks on target devices.
APC Easy Online Monitoring Software Vulnerabilities
According to a recent advisory from Schneider Electric, the vendor has patched three distinct security vulnerabilities in its APC Easy UPS Online Monitoring Software.
Two of these vulnerabilities could allow an adversary to achieve remote code execution, while the third could let an attacker cause a denial of service on the target devices.
Below is a quick review of these vulnerabilities.
- CVE-2023-29411 (CVSS 9.8): A critical-severity vulnerability that could allow an attacker to modify admin credentials. Exploiting the flaw could lead to remote code execution via the Java RMI interface. Schneider Electric has credited the researcher Esjay from the Trend Micro Zero Day Initiative for reporting the vulnerability.
- CVE-2023-29412 (CVSS 9.8): Another critical-severity flaw, caused by improper handling of case sensitivity. Exploiting the flaw could allow a remote attacker to manipulate internal methods via the Java RMI interface and execute code. This vulnerability was reported by two researchers, Esjay from the Trend Micro Zero Day Initiative and Nicholas Miles from Tenable Network Security.
- CVE-2023-29413 (CVSS 7.5): A high-severity vulnerability that could allow an unauthenticated adversary to cause a denial of service on the target Schneider UPS Monitor service. The advisory acknowledges Esjay from Trend Micro ZDI for reporting this issue.
Recommended Mitigations And Patched Updates
The vendor explained that these vulnerabilities affect the Easy UPS software clients for Windows 10 and 11 and Windows Server 2016, 2019, and 2022. However, Schneider Electric has so far released patches for the Windows 10 version only. The updated software versions are APC Easy UPS Online Monitoring Software version V2.5-GA-01-23036 and Schneider Electric Easy UPS Online Monitoring Software version V2.5-GS-01-23036.
For Windows 11 and Windows Server 2016, 2019, and 2022 users, the vendor recommends, as a mitigation, updating the Easy UPS units with the PowerChute Serial Shutdown (PCSS) software on all servers protected by an Easy UPS On-Line (SRV, SRVL models).
Let us know your thoughts in the comments.