Security Notification: "GHOST" vulnerability (CVE-2015-0235) - impact to APC products

Issue

Does the Linux GHOST vulnerability (CVE-2015-0235) affect APC products?


Product Line
  • StruxureWare Data Center Expert (DCE)
  • StruxureWare Data Center Operation (DCO)
  • NetBotz Appliances
  • APC Network Management Cards
  • APC InfraStruXure Manager
  • APC Digital IP KVM Switches (KVM1116P, KVM2116P, KVM2132P)
  • PowerChute Network Shutdown Virtual Appliance


Environment

Linux/Unix Systems that utilize the GNU C Library (glibc).

Cause

A security problem has been found and patched in the GNU C Library (glibc). It was announced on 27 January 2015. More information is available via US-CERT and other cyber security sources.

Resolution

02-FEBRUARY-2015

Information Notice: GHOST Vulnerability

Symptom - On 27-JAN-2015, the GNU C Library (glibc) vulnerability, also called the "GHOST" vulnerability (CVE-2015-0235), was detected and published by several cyber security outlets.

Effect - The vulnerability is a buffer overflow in the __nss_hostname_digits_dots() function used by gethostbyname() function calls, and it allows arbitrary code execution by unauthenticated users. It is called the GHOST vulnerability because it can be triggered by calling the gethostbyname() functions.

Detailed Overview (via US-CERT)

The Linux GNU C Library (glibc) versions prior to 2.18 are vulnerable to remote code execution via a vulnerability in the gethostbyname function. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Linux distributions employing glibc-2.18 and later are not affected.

US-CERT recommends users and administrators refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch if affected. 
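As an added illustration (not part of the original notice or of any Schneider Electric tool), the following C program compares a glibc version string against the 2.18 cut-off quoted above from US-CERT and, on glibc systems, reports the version the running process is linked against. The function name is mine; note that Linux distributions backport the fix into older version numbers, so an "older than 2.18" result means "verify that the vendor's patched package is installed", as the notice advises, not "confirmed vulnerable".

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version(), glibc only */
#endif

/* Return 1 if a glibc version string names a release before 2.18 (the
 * cut-off US-CERT gives for CVE-2015-0235), 0 if it is 2.18 or later,
 * and -1 if the string cannot be parsed as "MAJOR.MINOR[suffix]".
 * Distribution packages may carry a backported fix under an older
 * number, so 1 means "check vendor patch status", not "vulnerable". */
int glibc_version_affected(const char *ver)
{
    char *end;
    long major, minor;

    if (ver == NULL)
        return -1;
    errno = 0;
    major = strtol(ver, &end, 10);
    if (end == ver || *end != '.' || errno != 0 || major < 0)
        return -1;
    ver = end + 1;
    minor = strtol(ver, &end, 10);          /* trailing suffix is ignored */
    if (end == ver || errno != 0 || minor < 0)
        return -1;
    if (major < 2 || (major == 2 && minor < 18))
        return 1;
    return 0;
}

int main(void)
{
#ifdef __GLIBC__
    const char *ver = gnu_get_libc_version();
    int r = glibc_version_affected(ver);
    printf("running glibc %s: %s\n", ver,
           r == 1 ? "older than 2.18, verify vendor patch for CVE-2015-0235" :
           r == 0 ? "2.18 or later, not affected per US-CERT" :
                    "unrecognised version string");
    return r == 0 ? 0 : 2;
#else
    puts("not running under glibc; CVE-2015-0235 does not apply to this C library");
    return 0;
#endif
}
```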
Schneider Electric's IT Business has conducted a vulnerability assessment on the following platforms and found the status of the current shipping versions as follows:
  • StruxureWare Data Center Operation (DCO) v7.4.X is operating a version of Linux which is affected. A patch for this vulnerability is available now at DCIM Support (link) and the vulnerability will be solved with the next release of StruxureWare Data Center Operation.
    Resolution: Use the instructions available via DCIM Support (link) to patch DCO.
  • StruxureWare Data Center Expert (DCE) v7.2.6 is currently operating a version of Linux which is affected. All earlier versions are also affected. A hotfix for this is available directly through your local tech support (noted in article ID FA240227). Future revisions after 7.2.6 will include this hotfix.
  • NetBotz Appliances do not utilize the GNU C Library and are therefore not affected.
  • Network Management Card (NMC) applications do not utilize the GNU C Library and are therefore not affected.
  • All versions of ISX Manager (ISXM) are End of Life; no updates will be made available for this platform.
  • PowerChute Network Shutdown Virtual Appliances v3.1 and v3.2 are affected. Detailed instructions on updating the appliance are located in knowledge base article ID FA239802.

Cyber Security is an important element of Schneider Electric's commitment to software quality. Regular vulnerability assessment and further investigation is ongoing on other Schneider Electric platforms in addition to the above and will be detailed if discovered. No other APC products or product families are known to be impacted at this time. Any identified additional impacts will be relayed to our customers in a timely manner via an updated disclosure.