FAQs durchsuchen
Treck TCP/IP Vulnerabilities (Ripple20)
Veröffentlichungsdatum:
09 January 2021
Issue:
In early May 2020, Schneider Electric was made aware of vulnerabilities within Treck Inc.’s embedded TCP/IP stack. Based on the data, information, and analysis provided at the time, Schneider Electric immediately assessed how those vulnerabilities affected our offers and issued a security notification alongside Treck’s public disclosure in June 2020, alerting customers to their risks and encouraging them to take immediate steps to mitigate and remediate those risks as quickly as possible.
On October 12, 2020, Schneider Electric was provided additional information and analysis related to how vulnerabilities in the Treck stack impact APC by Schneider Electric Network Management Cards. This new analysis indicates that the information we had previously received was incomplete. Therefore, the remediation previously provided for this offer is only partially effective. Accordingly, we have updated our original security notification and are expediting an updated remediation.
We continue to investigate if other Schneider Electric offers are impacted by the additional information we have received and will provide updates accordingly. In the meantime, customers should immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from the vulnerabilities within Treck Inc.’s embedded TCP/IP stack. Where appropriate, this includes locating their systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; and preventing mission-critical systems and devices from being accessed from outside networks.
To stay up to date on security notifications, please register for Schneider Electric Cybersecurity Notifications here: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp.
Product Line:
A full list of impacted offers can be found here: APC Specific Ripple20 Notification as well as the general Schneider Electric Ripple20 Security Notification
Resolution:
This issue (specific CVE associated with the issues are listed in the security notification here - https://www.se.com/ww/en/download/document/SEVD-2020-174-01/ ) will be resolved via firmware upgrade, links to the various applications are listed below. This kBase is dedicated only to provide APC Network Management Cards firmware updates.
Other NMC Applications will be added to the table as they are released
For support on performing a firmware upgrade, please visit https://www.apc.com/us/en/faqs/FA156047/.
NOTE: Certain vulnerability scanning software detects for the presense of the Treck stack, and the below firmware revisions may still scan as vulnerable although the issue has been fixed. Please contact the vendor of the scanning software to ensure the plugins have been updated to account for Treck fixes.
Available Remediations
Please revisit this page for future firmware updates relevant for your respective Schneider Electric products.
In early May 2020, Schneider Electric was made aware of vulnerabilities within Treck Inc.’s embedded TCP/IP stack. Based on the data, information, and analysis provided at the time, Schneider Electric immediately assessed how those vulnerabilities affected our offers and issued a security notification alongside Treck’s public disclosure in June 2020, alerting customers to their risks and encouraging them to take immediate steps to mitigate and remediate those risks as quickly as possible.
On October 12, 2020, Schneider Electric was provided additional information and analysis related to how vulnerabilities in the Treck stack impact APC by Schneider Electric Network Management Cards. This new analysis indicates that the information we had previously received was incomplete. Therefore, the remediation previously provided for this offer is only partially effective. Accordingly, we have updated our original security notification and are expediting an updated remediation.
We continue to investigate if other Schneider Electric offers are impacted by the additional information we have received and will provide updates accordingly. In the meantime, customers should immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from the vulnerabilities within Treck Inc.’s embedded TCP/IP stack. Where appropriate, this includes locating their systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; and preventing mission-critical systems and devices from being accessed from outside networks.
To stay up to date on security notifications, please register for Schneider Electric Cybersecurity Notifications here: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp.
Product Line:
- UPS Network Management Cards (NMC) (SmartSlot, pre-installed with Smart-UPS, Symmetra, Galaxy 3500, SUVT UPS, 3-phase Smart-UPS & Symmetra UPS)
- Devices with an embedded Network Management Card include Smart-UPS, Symmetra, Galaxy UPS, Metered/Switched Rack PDUs, Rack Automatic Transfer Switches, Environmental Monitoring Units, Cooling.
A full list of impacted offers can be found here: APC Specific Ripple20 Notification as well as the general Schneider Electric Ripple20 Security Notification
Resolution:
This issue (specific CVE associated with the issues are listed in the security notification here - https://www.se.com/ww/en/download/document/SEVD-2020-174-01/ ) will be resolved via firmware upgrade, links to the various applications are listed below. This kBase is dedicated only to provide APC Network Management Cards firmware updates.
Other NMC Applications will be added to the table as they are released
For support on performing a firmware upgrade, please visit https://www.apc.com/us/en/faqs/FA156047/.
NOTE: Certain vulnerability scanning software detects for the presense of the Treck stack, and the below firmware revisions may still scan as vulnerable although the issue has been fixed. Please contact the vendor of the scanning software to ensure the plugins have been updated to account for Treck fixes.
Available Remediations
| Product | Affected Version | Addressed CVEs |
Remediation/Mitigation |
Uninterruptible Power Supply (UPS) |
|||
NMC2 for UPS models including Smart-UPS, 1-Phase Symmetra, and Galaxy 3500 with Network Management Card 2 (NMC2): (SUMX, SY)
|
NMC2 AOS V6.9.4 and earlier |
CVE-2020-11902 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 CVE-2020-11896 CVE-2020-11898 CVE-2020-11899 CVE-2020-11901 |
Version: v6.9.6 & later SUMX (SmartUPS & Galaxy 3500 SY (Single Phase Symmetra) SUMX & SY Release notes |
NMC2 for Symmetra PX 48/96/100/160 kW UPS (PX2)
|
PX2 PX2 Release notes |
||
NMC2 for Symmetra PX 20/40 kW UPS
|
SY3P SY3P Release notes |
||
| Network Management Card 3 (NMC3) Smart-UPS SmartSlot card models: (SU)
|
NMC3 AOS V1.3.3.1 and earlier |
CVE-2020-11902 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 CVE-2020-11896 CVE-2020-11898 CVE-2020-11899 CVE-2020-11901 |
Version: v1.4 & later SU (SmartUPS & Galaxy 3500 SY (Single Phase Symmetra) Release notes |
APC 3-Phase Power Distribution Products |
|||
Network Management Card 2 (NMC2) for InfraStruxure 150 kVA PDU with 84 Poles (X84P)
Network Management Card 2 for InfraStruxure 40/60kVA PDU (XPDU)
Network Management Card 2 for Modular 150/175kVA PDU (XRDP) - PDPM150G6F, PDPM150L6F, PDPM175G6H Network Management Card 2 for 400 and 500 kVA PMM
Network Management Card 2 for Modular PDU/RPP (XRDP2G)
|
NMC2 AOS v6.9.4 and earlier | CVE-2020-11902 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 CVE-2020-11896 CVE-2020-11898 CVE-2020-11899 CVE-2020-11901 |
Version 6.9.6 & later X84P X84P Release notes XPDU XPDU Release notes XRDP XRDP Release notes XRDP2G XRDP2G Release notes PMM PMM Release notes |
| APC Rack Power Distribution Units (PDU) Embedded NMC2:
|
NMC2 AOS v6.9.4 and earlier | CVE-2020-11902 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 CVE-2020-11896 CVE-2020-11898 CVE-2020-11899 CVE-2020-11901 |
Version: v6.9.6 & later RPDU2G Release notes |
| Rack Automatic Transfer Switches (ATS) Embedded NMC2:
|
NMC2 AOS V6.9.4 and earlier | CVE-2020-11902 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 CVE-2020-11896 CVE-2020-11898 CVE-2020-11899 CVE-2020-11901 |
Version: v6.9.6 & later ATS4G ATS4G Release notes |
| Environmental Monitoring Environmental Monitoring Unit with embedded NMC2
|
NMC2 AOS V6.9.4 and earlier | CVE-2020-11902 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 CVE-2020-11896 CVE-2020-11898 CVE-2020-11899 CVE-2020-11901 |
Version: v6.9.6 & later NB250 Release notes |
Network Management Card 2 (NMC2) Cooling / Battery Management Products
|
NMC2 AOS V6.8.8 and earlier | CVE-2020-11902 CVE-2020-11904 CVE-2020-11905 CVE-2020-11906 CVE-2020-11907 CVE-2020-11909 CVE-2020-11910 CVE-2020-11911 CVE-2020-11912 CVE-2020-11913 CVE-2020-11914 CVE-2020-11896 CVE-2020-11898 CVE-2020-11899 |
Please contact your local support team |
| NMC2 AOS v6.9.4 and earlier | CVE-2020-11901 | Available for the following applications from your local support team:
|
|
Please revisit this page for future firmware updates relevant for your respective Schneider Electric products.