Security Bulletin: Critical Vulnerability in APC Batteries

(Last Updated: 3/25/2022)

A major security vulnerability has recently been identified for network-connected backup batteries made by APC (Schneider Electric).

For more context, a detailed writeup from the firm that discovered this vulnerability can be found here.

Backup batteries are often installed with file servers and network equipment to make sure that these essential devices can remain on during a brief power outage. Connecting these batteries to the network, while not necessary for them to perform their basic function, allows network managers to monitor power-related events and total power consumption of connected equipment.

The vulnerability in question is not likely to be used broadly and most offices will not be in danger unless specifically targeted, but its potential consequences are severe enough that susceptible devices must not be left unprotected.

At Macktez, we are in the process of reviewing our own records to make sure that any impacted clients receive the firmware updates they need to remain protected. We are also asking all Macktez clients to review their network racks and all server equipment to make us aware of any backup batteries we don’t know about.

While reviewing equipment, clients should confirm the following:
– Is there a device in the rack or on the floor near the network or server equipment that other devices are plugged into for power (like a power strip but much more substantial)?
– Does the device have an “APC” logo on the front?
– Is there an attached ethernet networking cable plugged into the back of the device, where power cables are plugged in?

If the answer to all of these questions is “Yes” please let the Macktez Team know immediately so that appropriate action can be taken. No equipment updates are required if backup batteries are confirmed to have no ethernet cable connected.

Finally, a general reminder for all our clients to be careful about adding any new equipment to office networks. A wide array of “internet of things” and “smart” devices are available and becoming as common in offices as TVs and coffee makers. The new technology is exciting, but the Macktez Team should be informed about all devices connected to the networks we support, including any device able to access the office WiFi. These kinds of devices often have substandard security policies and should be added to the network in a way that keeps all equipment and data safely protected.