Trev, thank you for the notice.
Please, in the future avoid posting security notifications leading to 3rd parties like The Register. While I agree that probably the majority of people get first notice from 3rd parties, always paste the AUTHORITATIVE links involved as well as links for any firmware. If you want to plug The Register, or wherever you got the info from, I'd appreciate you doing that at the END of the links.
I STRONGLY encourage users to apply this patch to ONE UPS and TEST. Please report back. In particular we have had some recent reports of SMCs not working with apcupsd and firmware updates were needed to get them to work. The fixes for modbus will be included in these patches and there may also be some UPSes that have never had firmware updates before with spotty support for apcupsd.
apcupsd does not use TLS or HTTPS to communicate with UPSes so it's not affected by these vulnerabilities. The CGI scripts and other methods of accessing apcupsd that involve using a webserver or other server that offers TLS could be attacked, however.
Embedded device support of HTTPS has always been spotty. There have been multiple security holes found in the past such as KRACK and Heartbleed. It is well known in the industry that embedded device manufacturers re-use code from the major Open Source Software packages (busybox, linux, etc.) and since they distribute their devices with compiled binary firmware it is difficult to casually examine to make sure they are using current versions. Because of this I strongly recommend NOT allowing embedded devices to be exposed to the Internet EVEN IF you are exposing a "secure" port such as https.
Best practice for remote access is to expose either an RDP Gateway port (using the free RD Gateway and RADIUS software from Microsoft if you are a Windows shop, and use an MFA service) or a VNC server if you are a Linux shop (I use UltraVNC) to a "bastion" host (restrict incoming VNC to ONE machine in the DMZ and require a second login to access machines in the network), or set up a purpose-built VPN server that uses multi-factor authentication (OpenVPN with individual keys distributed; the free Untangle server is easy to use for this) or a Cisco AnyConnect server (such as a Firepower or ASA coupled with Cisco Duo set up for multi-factor authentication).
Here are the links:
Cybersecurity notifications | Schneider Electric Global
Security Notification - APC Smart-UPS SMT, SMC, SMX, SCL, SMTL and SRT Series Security and Safety Notice | Schneider Electric
How do I update the firmware of my SRT/SMC/XU/XP/SMX/SMT/SCL/SRC/CHS series Smart-UPS using the Firmware Upgrade Wizard? - APC USA
Ted
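Ted's advice above is to patch ONE UPS, test, and report back. A practical way to record what you are starting from is to pull MODEL, FIRMWARE and SERIALNO from each UPS before and after the update. The script below is an added example and is not code from the thread or from the apcupsd project. It talks to apcupsd's Network Information Server (the same plaintext, non-TLS service apcaccess uses, default port 3551): each message is a 2-byte big-endian length followed by the payload, and a zero-length message ends a reply. The sample reply bytes are constructed, not captured from a real UPS, and the serial number is a placeholder.

```python
"""Inventory UPS model / firmware / serial over apcupsd's NIS protocol.

Added example (not part of the original thread or of apcupsd itself).
Assumes: apcupsd's NIS is reachable on NISPORT (default 3551), and the
status reply carries the usual UPSNAME / MODEL / FIRMWARE / SERIALNO lines.
NIS is plaintext with no authentication, so keep it bound to localhost or
a management LAN, as the post above recommends for anything non-TLS.
"""
import socket
import struct

NIS_PORT = 3551  # apcupsd's default NISPORT


def frame(payload: bytes) -> bytes:
    """Encode one NIS message: 2-byte big-endian length, then the payload."""
    return struct.pack("!H", len(payload)) + payload


def parse_frames(data: bytes) -> list:
    """Split a raw NIS byte stream into text lines.

    Messages are length-prefixed; a zero-length message terminates the
    reply. Truncated input raises ValueError instead of returning a
    partial, misleading status.
    """
    lines = []
    pos = 0
    while True:
        if pos + 2 > len(data):
            raise ValueError("truncated NIS stream: missing length prefix")
        (length,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if length == 0:
            return lines
        if pos + length > len(data):
            raise ValueError("truncated NIS stream: short message body")
        text = data[pos:pos + length].decode("ascii", errors="replace")
        lines.append(text.rstrip("\n"))
        pos += length


def parse_status(lines) -> dict:
    """Turn 'KEY : value' lines into a dict; values may themselves contain ':'."""
    status = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def inventory(status: dict) -> dict:
    """The fields worth recording before and after a firmware update."""
    return {k: status.get(k, "UNKNOWN")
            for k in ("UPSNAME", "MODEL", "FIRMWARE", "SERIALNO")}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_status(host="127.0.0.1", port=NIS_PORT, timeout=5.0) -> dict:
    """Send the 'status' command to a live apcupsd and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame(b"status"))
        raw = b""
        while True:
            header = _recv_exact(sock, 2)
            raw += header
            (length,) = struct.unpack("!H", header)
            if length == 0:
                break
            raw += _recv_exact(sock, length)
    return parse_status(parse_frames(raw))


# Constructed sample reply (not from a real UPS); serial is a placeholder.
SAMPLE_LINES = [
    b"APC      : 001,036,0857\n",
    b"DATE     : 2022-03-10 12:00:00 +0000\n",
    b"UPSNAME  : ups-rack1\n",
    b"MODEL    : Smart-UPS 1500\n",
    b"FIRMWARE : UPS 09.3 / ID=18\n",
    b"SERIALNO : SERIAL-PLACEHOLDER\n",
]
SAMPLE_STREAM = b"".join(frame(line) for line in SAMPLE_LINES) + frame(b"")

if __name__ == "__main__":
    # Offline demonstration on the constructed stream, then a live query.
    print(inventory(parse_status(parse_frames(SAMPLE_STREAM))))
    print(inventory(query_status()))
```

Run it against each apcupsd host before the update and keep the output; after flashing the single test UPS, the FIRMWARE line is the direct confirmation that the new image took, and the MODEL line tells you which series (SMT, SMC, SMX, ...) that result applies to.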
durosity wrote: I don't suppose there's ever gonna be a Python 3 version of this plugin? I still use it to monitor 3 UPSes and whilst it's not mission critical it is a handy wee tool!
berkinet wrote: Probably not unless someone beside me does it. I no longer have an APC UPS to test with.
DaveL17 wrote:
berkinet wrote: Probably not unless someone beside me does it. I no longer have an APC UPS to test with.
I'm not sure the plugin is publicly available at the moment. I followed the Google Drive link and didn't have access to view/download the file. I would need to see the code before committing to taking a run at updating it.
DaveL17 wrote: I'm on the APCUPSD Listserve and still get messages via that. I don't think there's much going on in the way of development (of the Daemon), but the last time Apple broke compatibility, a fix came along fairly quickly.
durosity wrote: Oh wait, the forum won't allow me to upload it. If anyone wants a copy just send me a PM and I'll send a link.
MartyS wrote:
durosity wrote: Oh wait, the forum won't allow me to upload it. If anyone wants a copy just send me a PM and I'll send a link.
You have the version that I'm maintaining at GitHub. Have you made any code changes to it since it was released? If so, please submit a pull request so I can get those before I do too much Python 3 conversion.