Security Notification: "POODLE" vulnerability - impact to APC products

Issue

On 14-OCT-2014, the GNU SSL 3.0 Protocol Vulnerability, also called the "POODLE" Vulnerability (CVE-2014-3566) was detected and published by several Cyber Security outlets. According to this vulnerability notification, SSL v3.0 should not be used any longer. TLS v1.2 is the recommended substitute.


Product Line

• StruxureWare Data Center Expert
• StruxureWare Data Center Operation
• NetBotz Appliances
• APC Network Management Cards
• APC InfraStruXure Manager
• APC Digital IP KVMs
• PowerChute Personal Edition
• PowerChute Network Shutdown
• PowerChute Business Edition
• Network Shutdown Module

Cause/Overview (via US-CERT):

Many modern TLS clients can fall back to version 3.0 of the SSL protocol for compatibility. SSL v3.0 has been found to be vulnerable to a padding-oracle attack when Cipher-block chaining (CBC) mode is used. This is commonly referred to as the "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack. It is recommended that systems avoid using that fallback mechanism.


Resolution

Schneider Electric's IT Business has conducted a vulnerability assessment on the following platforms and found the status of the current shipping versions as follows:

• Data Center Operations (DCO) v7.4.0 is affected. A patch for this vulnerability will be available at DCIM Support (link) and in the released version v7.4.1.

• Data Center Expert (DCE) v7.2.5 is affected. Version 7.2.6 is just released and resolves this issue. Please contact tech support for upgrade links for supported systems.

• NetBotz Appliances v4.4 are affected. A patch that mitigates this issue is available in version 4.4.1. Please see knowledge base article ID FA240226 for more detail.

• All Network Management Card 1 and 2 (NMC1 and NMC2) applications are affected and any future releases of these applications will address this vulnerability. Any updates will be made available via https://www.apc.com/tools/download/index.cfm. Note: Additional, detailed information is available in knowledge base article ID FA238115 due to recent browser changes affecting SSLv3 in the wake of POODLE.
  • To avoid this vulnerability, the answer is to not use SSL v3.0 in the communication path. Any corresponding client should also use TLS or support TLS_FALLBACK_SCSV. All users should verify this on the corresponding client to prevent any vulnerability.

• All versions of ISX Manager (ISXM) is affected. As this product is termed End of Life, no updates will be made available.

• APC Digital IP KVMs (KVM1116P, KVM2116P, KVM2132P) are affected. A firmware upgrade for this vulnerability will be available in December 2014.

• PowerChute Personal Edition is not affected. It does not have a web interface and hence, is not vulnerable.

• Network Shutdown Module (NSM) for Windows is affected. Ensure that your web browser client is patched to prevent POODLE attacks or disable the use of SSL v3.0 in your browser.

• Network Shutdown Module (NSM) for Linux is vulnerable. Ensure that you close ports 4679 and 4680 from Internet facing traffic.

• PowerChute Network Shutdown is affected. Ensure that your web browser client is patched to prevent POODLE attacks or disable the use of SSL v3.0 in your browser.
  • PowerChute Network Shutdown versions 3.1 and 3.2 Appliance for VMware are affected and should be updated.
    • to update the appliance
      • 1 - from the console of the appliance type:
        yum update openssl
      • 2 A- If the appliance does not have internet access you can download the needed update files to a system that has Internet access from
        http://mirror.centos.org/centos-5/5.11/updates/x86_64/RPMS/openssl-0.9.8e-32.el5_11.i686.rpm
        http://mirror.centos.org/centos-5/5.11/updates/x86_64/RPMS/openssl-0.9.8e-32.el5_11.x86_64.rpm
      • 2 B- Transfer to the files to the appliance using SCP/SFTP
      • 2 C- The command to update is rpm -U openssl-0.9.8e-32.el5_11.i686.rpm openssl-0.9.8e-32.el5_11.x86_64.rpm

• PowerChute Business Edition Agent is affected. Ensure that your web browser client is patched to prevent POODLE attacks or disable the use of SSL v3.0 in your browser. It is recommended to close the port 2161 from Internet facing traffic.

• PowerChute Business Edition Server and Console is affected. Ensure that the following ports are closed from Internet facing traffic.
  • 2161 all versions of PowerChute Business Edition
  • 2260 all versions of PowerChute Business Edition

Cyber Security is an important element of Schneider Electrics's commitment to software quality. Regular vulnerability assessment and further investigation is ongoing on other Schneider Electric platforms in addition to the above and will be detailed if discovered. No other APC products or product families are known to be impacted at this time. Any identified additional impacts will be relayed to our customers in a timely manner via an updated disclosure.

Released for:APC United Arab Emirates