Security Notification: "POODLE" vulnerability - impact to APC products
On 14-OCT-2014, the GNU SSL 3.0 Protocol Vulnerability, also called the "POODLE" vulnerability (CVE-2014-3566), was detected and published by several cyber security outlets. According to this vulnerability notification, SSL v3.0 should no longer be used. TLS v1.2 is the recommended substitute.
StruxureWare Data Center Expert
StruxureWare Data Center Operation
APC Network Management Cards
APC InfraStruXure Manager
APC Digital IP KVMs
PowerChute Personal Edition
PowerChute Network Shutdown
PowerChute Business Edition
Network Shutdown Module
Cause/Overview (via US-CERT):
Many modern TLS clients can fall back to version 3.0 of the SSL protocol for compatibility. SSL v3.0 has been found to be vulnerable to a padding-oracle attack when cipher block chaining (CBC) mode is used. This is commonly referred to as the "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack. It is recommended that systems avoid using that fallback mechanism.
Schneider Electric's IT Business has conducted a vulnerability assessment on the following platforms and found the status of the current shipping versions as follows:
Data Center Operations (DCO) v7.4.0 is affected. A patch for this vulnerability will be available at DCIM Support (link) and in the released version v7.4.1.
Data Center Expert (DCE) v7.2.5 is affected. Version 7.2.6 has just been released and resolves this issue. Please contact tech support for upgrade links for supported systems.
All Network Management Card 1 and 2 (NMC1 and NMC2) applications are affected, and any future releases of these applications will address this vulnerability. Any updates will be made available via http://www.apc.com/tools/download/index.cfm. Note: additional detailed information on recent browser changes affecting SSLv3 in the wake of POODLE is available in knowledge base article ID FA238115.
To avoid this vulnerability, do not use SSL v3.0 anywhere in the communication path. Any corresponding client should also use TLS or support TLS_FALLBACK_SCSV. All users should verify this on the corresponding client to prevent any exposure.
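As an added illustration of the two points above (the POODLE condition is SSL 3.0 negotiated together with a CBC cipher suite, and a client that supports TLS_FALLBACK_SCSV advertises it in its ClientHello), the following Python is not part of this notification or of any APC product. It parses constructed SSL/TLS hello records and flags the exposed combination, the same check a defender would run over captured handshakes on the product ports listed in this notice; the CBC suite table is an illustrative subset, not the full registry.

```python
import struct

HANDSHAKE = 22
CLIENT_HELLO, SERVER_HELLO = 1, 2
SSLV3 = (3, 0)                 # SSL 3.0 as encoded on the wire
TLS_FALLBACK_SCSV = 0x5600     # RFC 7507 signalling cipher suite value
# Illustrative subset of CBC suites (IANA values); a full scanner would use the whole registry
CBC_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
              0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def _handshake_body(record, expected_type):
    """Return the handshake message body carried in one SSL/TLS handshake record."""
    ctype, _, _, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != HANDSHAKE or body[0] != expected_type:
        raise ValueError("record is not the expected handshake message")
    return body[4:4 + int.from_bytes(body[1:4], "big")]

def parse_server_hello(record):
    """Negotiated version and cipher suite from a ServerHello record."""
    hs = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32                  # skip server_version and random
    pos += 1 + hs[pos]            # skip session_id (length-prefixed)
    return {"version": tuple(hs[:2]),
            "cipher_suite": int.from_bytes(hs[pos:pos + 2], "big")}

def client_offers_fallback_scsv(record):
    """True if a ClientHello lists TLS_FALLBACK_SCSV, i.e. the client signals a downgraded retry."""
    hs = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32 + 1 + hs[34]     # skip client_version, random and session_id
    n = int.from_bytes(hs[pos:pos + 2], "big")
    offered = {int.from_bytes(hs[i:i + 2], "big") for i in range(pos + 2, pos + 2 + n, 2)}
    return TLS_FALLBACK_SCSV in offered

def poodle_exposed(server_hello):
    """The POODLE condition: SSL 3.0 negotiated together with a CBC cipher suite."""
    info = parse_server_hello(server_hello)
    return info["version"] == SSLV3 and info["cipher_suite"] in CBC_SUITES

def build_hello(msg_type, version, suites):
    """Constructed sample record (not captured traffic): zero random, empty session id."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"
    if msg_type == CLIENT_HELLO:
        body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00"       # compression_methods: one entry, null
    else:
        body += struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, version[0], version[1], len(hs)) + hs
```

A ServerHello for SSL 3.0 with TLS_RSA_WITH_AES_128_CBC_SHA is reported as exposed, while the same suite under TLS 1.0 or an SSL 3.0 handshake with a non-CBC suite is not.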
All versions of ISX Manager (ISXM) are affected. As this product is End of Life, no updates will be made available.
APC Digital IP KVMs (KVM1116P, KVM2116P, KVM2132P) are affected. A firmware upgrade for this vulnerability will be available in December 2014.
PowerChute Personal Edition is not affected. It does not have a web interface and hence is not vulnerable.
Network Shutdown Module (NSM) for Windows is affected. Ensure that your web browser client is patched to prevent POODLE attacks or disable the use of SSL v3.0 in your browser.
Network Shutdown Module (NSM) for Linux is vulnerable. Ensure that ports 4679 and 4680 are closed to Internet-facing traffic.
PowerChute Network Shutdown is affected. Ensure that your web browser client is patched to prevent POODLE attacks or disable the use of SSL v3.0 in your browser.
PowerChute Network Shutdown versions 3.1 and 3.2 Appliance for VMware are affected and should be updated.
To update the appliance, either:
1 - From the console of the appliance, type: yum update openssl
2 - Or install the packages manually:
B - Transfer the files to the appliance using SCP/SFTP
C - The command to update is: rpm -U openssl-0.9.8e-32.el5_11.i686.rpm openssl-0.9.8e-32.el5_11.x86_64.rpm
PowerChute Business Edition Agent is affected. Ensure that your web browser client is patched to prevent POODLE attacks or disable the use of SSL v3.0 in your browser. It is recommended to close port 2161 to Internet-facing traffic.
PowerChute Business Edition Server and Console are affected. Ensure that the following ports are closed to Internet-facing traffic:
Port 2161 - all versions of PowerChute Business Edition
Port 2260 - all versions of PowerChute Business Edition
Cyber security is an important element of Schneider Electric's commitment to software quality. Regular vulnerability assessment and further investigation are ongoing on other Schneider Electric platforms in addition to the above, and any impacts discovered will be detailed. No other APC products or product families are known to be impacted at this time. Any identified additional impacts will be relayed to our customers in a timely manner via an updated disclosure.