VID 29080
Severity 40
Port 23
Protocol TCP
Class TELNET
Detailed Description The Telnet service on the APC device can be accessed via a "backdoor" password.
APC (American Power Conversion) SmartSwitch and UPS (uninterruptible power supply) products have a Web and SNMP management card installed that permits local serial console, TELNET, web and SNMP management, monitoring and mains power control of attached devices.
APC SmartSlot Web/SNMP management cards have a "backdoor" password that can be abused to extract plain text username/password details for all accounts and hence gain unauthorized full control of the device. The "backdoor" password is designed for use by the factory for initial configuration of the card, e.g. MAC address, serial number, etc. By connecting a console to the local serial port, or connecting to the card's TELNET service, with any username and the factory password 'TENmanUFactOryPOWER', an attacker could gain unauthorized full control of the affected device. From there it is possible to dump the contents of the EEPROM, which among other things stores the account usernames and passwords.

* References:
http://www.securityfocus.com/archive/1/354169
http://www.securiteam.com/securitynews/5MP0E2AC0M.html

* Platforms Affected:
SmartUPS 3000RM with AP9606 AOS v3.2.1 and SmartUPS App v3.2.6
MasterSwitch AP9212 with AP9606 AOS v3.0.3 and MasterSwitch App v2.2.0
Silcon DP3320E with Web/SNMP Management Card AP9606 - AOS v3.0.1
Silcon DP340E with Web/SNMP Management Card AP9606 - AOS v3.0.1
Recommendation Apply the appropriate patch for your system, as listed in APC Security Advisory, 'Static Factory Password Vulnerability' at http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_sid=XvzUth4h&p_lva=&p_faqid=3131&p_created=1077139129&p_sp=cF9zcmNoPSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTQxOSZwX3BhZ2U9MQ**&p_li=

If for some reason a patch cannot be applied then:

A. Disable Telnet protocol until a patch can be applied (see appendix A at the URL above for instructions). If this is not possible then disconnect the product from the network until a patch can be applied.
B. If a console port server is connected to a vulnerable product's local serial port then ensure that the console port server forces user authentication prior to allowing login to the product. If this is not possible then disconnect the product from the console port server until a patch can be applied.
Related URL 9681 (SecurityFocus)