Security Notification: "LOGJAM" vulnerability - impact to PowerChute Business Edition
On 20th May 2015, several weaknesses in the Diffie-Hellman Key Exchange that could lead to security vulnerabilities in protocols such as HTTPS that rely on TLS 1.2 and earlier were published on the following website - https://weakdh.org/. This is known as the Logjam attack (CVE-2015-4000).
PowerChute Business Edition
OS: Linux, Solaris, Windows x64, x86
Logjam attack against the TLS protocol: “The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.”
Threats from State Adversaries: The use of pre-computed prime numbers that are 1024 bits in size or less in the Diffie-Helman key exchange can be exploited with varying levels of difficulty:
512-bit – An individual user can break this.
768-bit – University level resources required.
1024-bit – Nation-State level resources required.
Schneider Electric's IT Business has conducted a vulnerability assessment and found that PowerChute Business Edition Agent and Server are affected.
At this time, PowerChute Business Edition Server cannot be modified to protect against the Logjam vulnerability as using Solution #1 below will prevent access to the Server via the Console application. It is therefore recommended to block remote access to TCP Ports 2260 and 2160 except for trusted machines. Since the private JRE used by PowerChute Business Edition is shared, Solution #1 cannot be used if Server and Agent are both running on the same machine.
Solution #1 should be used for PowerChute Business Edition agents that are not managed by PowerChute Business Edition Server and Console.
Solution #2 should be used for Agents that are managed by the Server and where Agent/Server are running on the same machine. Solution #2 does not prevent a LOGJAM attack for PowerChute Business Edition Server.
Note: Customers using PowerChute Business Edition versions prior to version 9.0 will need to upgrade to the latest version of PowerChute Business Edition.
Solution #1: PowerChute Business Edition Agents not managed by PowerChute Business Edition Server and Console
Carry out the following step for every operating system where PowerChute Business Edition Agent is deployed:
Stop the PowerChute Business Edition Agent service/daemon
net stop apcpbeagent Linux:
3. Run the attached script to add the following JRE system property to the PowerChute configuration – “-Djdk.tls.ephemeralDHKeySize=2048” – Diffie-Hellman ephemeral key sizes of 1024 bits or less are vulnerable to Logjam attacks by Nation States. A key size of 2048 bits is considered secure from such an attack.
As an Administrator on Windows:
Run Update _PCBEAgent.ps1 on PowerShell compatible machines
Run Update _PCBEAgent.vbs on non PowerShell compatible machines
As a super user on Linux:
Download the tar file Update_PCBEAgent.tar to a directory on your machine
Extract the single file Update_PCBEAgent.sh file and execute it.
4. Start the PowerChute Business Edition Agent service/daemon
net start apcpbeagent
Cyber Security is an important element of Schneider Electric's commitment to software quality. Regular vulnerability assessment and further investigation is ongoing on other Schneider Electric platforms in addition to the above and will be detailed if discovered. No other APC products or product families are known to be impacted at this time. Any identified additional impacts will be relayed to our customers in a timely manner via an updated disclosure.