Does the Heartbleed OpenSSL vulnerability affect APC products?
On 07-APR-2014, the "Heartbleed" Vulnerability, also called the "Heartbeat" Vulnerability (CVE-2014-0160) was detected and published by several Cyber Security outlets.
- StruxureWare Data Center Expert
- StruxureWare Data Center Operation
- APC Network Management Cards
- PowerChute Network Shutdown
- PowerChute Business Edition
- APC Remote Monitoring Service (RMS)
- APC Digital IP KVM Switches (KVM1116P, KVM2116P, KVM2132P)/KVM Access Software
- MGE Network Shutdown Module Software, v3.07.01
- SSL authentication applications
Reported vulnerabilities in OpenSSL - CVE-2014-0160
Detailed description of the issue and some FAQ's can be found here and here.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Schneider Electrics' Data Center Business has conducted a vulnerability assessment on the following platforms and found current shipping versions of each are not affected by the Heartbleed vulnerability.
- Data Center Operations (DCO) is currently operating with OpenSSL v0.9.8 and is therefore not affected.
- Data Center Expert (DCE) is currently operating with OpenSSL v1.0.0 and is therefore not affected.
- NetBotz Appliances are currently operating with OpenSSL v0.9.8b and is therefore not affected.
- All Network Management Card (NMC) Applications do not utilize OpenSSL and are therefore not affected.
- PowerChute Network Shutdown is not affected. PowerChute Network Shutdown version 3.1 Appliance for VMware utilizes v0.9.8e.
- PowerChute Business Edition is not affected. PowerChute Business Edition utilizes OpenSSL version 0.9.4.
- APC Remote Monitoring Service (RMS) is not affected because it does not utilize OpenSSL.
- APC Digital IP KVM Switches (KVM1116P, KVM2116P, KVM2132P) & the accompanying KVM Access Software utilize OpenSSL v0.9.7 and therefore are not affected.
- MGE Network Shutdown Module v3.07.01 for Windows uses the OpenSSL v1.0.1e which is vulnerable to the Heartbleed bug. Network Shutdown Module v3.06.04 for Linux is not impacted.
- To recover, upgrade all instances of Network Shutdown Module for Windows to v3.07.02 (available @ https://www.apc.com/tools/download/index.cfm and select "Software Upgrade - MGE Accessories" in the Software Filter and click submit.) and change your user credentials. Please read the Release Notes for further information.
Cyber Security is an important element of Schneider Electrics' commitment to software quality. Regular vulnerability assessment and further investigation is ongoing on other Schneider Electric platforms in addition to the above and will be detailed if discovered.
For customers or researchers to report a potential vulnerability incident, please check the following site: