
Treck TCP/IP Vulnerabilities (Ripple20)

Published date: 22 October 2020

Issue: 
Schneider Electric is aware of multiple vulnerabilities affecting Treck Inc.’s embedded TCP/IP stack, collectively known as Ripple20, which Treck disclosed publicly on June 16, 2020. Schneider Electric has determined that multiple offers are impacted.


On October 12, 2020, Schneider Electric received additional information and analysis from JSOF related to CVE-2020-11901’s impact on APC by Schneider Electric Network Management Cards (NMC) and NMC embedded devices. This new analysis indicates that the information we originally received was incomplete. Therefore, our original remediations are only partially effective for CVE-2020-11901. We are expediting updated remediations, which will be made available as soon as possible. In the meantime, customers should immediately apply the mitigations included in the Remediation & Mitigations section of this document.

To stay up to date on security notifications, please register for Schneider Electric Cybersecurity Notifications here: https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp.

Product Line: 
  • UPS Network Management Cards (NMC) (SmartSlot, pre-installed with Smart-UPS, Symmetra, Galaxy 3500, SUVT UPS, 3-phase Smart-UPS & Symmetra UPS)
  • Devices with an embedded Network Management Card include Smart-UPS, Symmetra, Galaxy UPS, Metered/Switched Rack PDUs, Rack Automatic Transfer Switches, Environmental Monitoring Units, Cooling.

A full list of impacted offers can be found in the APC Specific Ripple20 Notification and in the general Schneider Electric Ripple20 Security Notification.

Resolution:

This issue will be resolved via firmware upgrade; links to the various applications are listed below. The specific CVEs associated with the issue are listed in the security notification at https://www.se.com/ww/en/download/document/SEVD-2020-174-01/. This kBase provides firmware updates for APC Network Management Cards only.

Other NMC applications will be added to the table as they are released.

For support on performing a firmware upgrade, please visit https://www.apc.com/us/en/faqs/FA156047/.

NOTE: Certain vulnerability scanning software checks for the presence of the Treck stack, so the firmware revisions below may still scan as vulnerable although the issue has been fixed. Please contact the vendor of the scanning software to ensure the plugins have been updated to account for Treck fixes.



Available Remediations

 
Product | Affected Version | Addressed CVEs | Remediation/Mitigation

Uninterruptible Power Supply (UPS)
 

NMC2 for UPS models including Smart-UPS, 1-Phase Symmetra, and Galaxy 3500 with Network Management Card 2 (NMC2): (SUMX, SY)
  • AP9630/AP9630CH/AP9630J
  • AP9631/AP9631CH/AP9631J
  • AP9635/AP9635CH
NMC2 AOS V6.8.8 and earlier


 
CVE-2020-11902
CVE-2020-11904
CVE-2020-11905
CVE-2020-11906
CVE-2020-11907
CVE-2020-11909
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11913
CVE-2020-11914
CVE-2020-11896
CVE-2020-11898
CVE-2020-11899
Version: v6.9.2 & later

SUMX (SmartUPS & Galaxy 3500)

SY (Single Phase Symmetra)

SUMX & SY Release notes

 
NMC2 for Symmetra PX 48/96/100/160 kW UPS (PX2)
  • AP9630/AP9630CH/AP9630J
  • AP9631/AP9631CH/AP9631J
  • AP9635/AP9635CH


PX2
PX2 Release notes
NMC2 for Symmetra PX 48/96/100/160 kW UPS (SY3P)
  • AP9630/AP9630CH/AP9630J
  • AP9631/AP9631CH/AP9631J
  • AP9635/AP9635CH


SY3P
SY3P Release notes
Network Management Card 3 (NMC3)
Smart-UPS SmartSlot card models: (SU)
  • AP9640/AP9640J
  • AP9641/AP9641J
NMC3 AOS V1.3.0.6 and earlier
Version: v1.3.3.1 & later

SU (SmartUPS & Galaxy 3500)

SU Release notes



 
1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2)  (SUMX, SY, PX2, SY3P)
  • AP9630/AP9630CH/AP9630J
  • AP9631/AP9631CH/AP9631J
  • AP9635/AP9635CH
NMC2 AOS V6.9.4 and earlier


 
CVE-2020-11901 Coming Soon
Network Management Card 3 (NMC3)
 Smart-UPS SmartSlot card models: (SU)
  • AP9640/AP9640J
  • AP9641/AP9641J
NMC3 AOS V1.3.3.1 and earlier

APC 3-Phase Power Distribution Products
 
Network Management Card 2 (NMC2) for InfraStruxure 150 kVA PDU with 84 Poles (X84P)
  • PDPB150G6F

Network Management Card 2 for InfraStruxure 40/60kVA PDU (XPDU)
 
  • PD40G6FK1-M, PD40F6FK1-M, PD40L6FK1-M, PDRPPNX10 M, PD60G6FK1, PD60F6FK1, PD60L6FK1, PDRPPNX10, PD40E5EK20-M, PD40H5EK20-M

Network Management Card 2 for Modular 150/175kVA PDU (XRDP)
  • PDPM150G6F, PDPM150L6F, PDPM175G6H


Network Management Card 2 for 400 and 500 kVA PMM
 
  • PMM400-ALA, PMM400-ALAX, PMM400-CUB, PMM500-ALA, PMM500-ALAX, PMM500-CUB

Network Management Card 2 for Modular PDU/RPP (XRDP2G)
 
  • PDPM72F-5U, PDPM138H-5U, PDPM144F, PDPM138H-R, PDPM277H, PDPM288G6H
NMC2 AOS V6.8.8 and earlier
CVE-2020-11902
CVE-2020-11904
CVE-2020-11905
CVE-2020-11906
CVE-2020-11907
CVE-2020-11909
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11913
CVE-2020-11914
CVE-2020-11896
CVE-2020-11898
CVE-2020-11899
Version 6.9.4 & later

X84P
X84P Release notes



XPDU
XPDU Release notes



XRDP
XRDP Release notes



PMM
PMM Release notes



XRDP2G
XRDP2G Release notes
NMC2 AOS v6.9.4 and earlier CVE-2020-11901 Coming Soon
APC Rack Power Distribution Units (PDU)

Embedded NMC2:
  • 2G Metered/Switched Rack PDUs with embedded NMC2
  • AP84XX, AP86XX, AP88XX, AP89XX
NMC2 AOS V6.8.8 and earlier
 
CVE-2020-11902
CVE-2020-11904
CVE-2020-11905
CVE-2020-11906
CVE-2020-11907
CVE-2020-11909
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11913
CVE-2020-11914
CVE-2020-11896
CVE-2020-11898
CVE-2020-11899
Version: v6.9.4 & later

RPDU2G
Release notes
NMC2 AOS v6.9.4 and earlier CVE-2020-11901 Coming Soon
Rack Automatic Transfer Switches (ATS)

Embedded NMC2:
  • Rack Automatic Transfer Switches - AP44XX
NMC2 AOS V6.8.8 and earlier
 
CVE-2020-11902
CVE-2020-11904
CVE-2020-11905
CVE-2020-11906
CVE-2020-11907
CVE-2020-11909
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11913
CVE-2020-11914
CVE-2020-11896
CVE-2020-11898
CVE-2020-11899
Version: v6.9.4 & later

ATS4G
ATS4G Release notes

 
NMC2 AOS v6.9.4 and earlier CVE-2020-11901 Coming Soon
Environmental Monitoring

Environmental Monitoring Unit with embedded NMC2
  • NetBotz NBRK0250
NMC2 AOS V6.8.8 and earlier
 
CVE-2020-11902
CVE-2020-11904
CVE-2020-11905
CVE-2020-11906
CVE-2020-11907
CVE-2020-11909
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11913
CVE-2020-11914
CVE-2020-11896
CVE-2020-11898
CVE-2020-11899
Version: v6.9.4 & later

NB250
Release notes
 
NMC2 AOS v6.9.4 and earlier CVE-2020-11901 Coming Soon
Network Management Card 2 (NMC2) Cooling Products
  • Aquaflair TSA/TRA Chiller Touchscreen Display (UNFLRTSA)
  • Uniflair LE Perimeter Cooling Display for SKUs: TDAV, TUAV, TDWV, TUWV, TDEV, TUEV, TDCV, TUCV, and HDCV  (UNFLRLE)
  • Uniflair LE DX Perimeter Cooling Display for SKUs: IDAV, IDEV, IDWV, IUAV, IUEV, IUWV, IXAV, IXEV, IXWV, LDAV, LDEV, and LDWV (LEDX2G)  
  • Uniflair LEL Perimeter Cooling Touchscreen Display for LDCV, and LUCV (UNFLRLEL)
  • InRow Cooling for series ACRP5xx, ACRP1xx, ACRD5xx, and ACRC5xx SKUs (ACRP2G)
  • InRow Cooling for series ACRC10x SKUs (RC10X2G)
  • InRow Cooling for series ACRD6xx and ACRC6xx SKUs  (ACRD2G)
  • InRow Cooling Display for series ACRD3xx (ACRC2G)
  • InRow Cooling Display for series ACRC3xx (RD3XX)
  • InRow Cooling for series ACSC1xx SKUs (SC2G)
  • InRow Cooling for series ACRD1xx and ACRD2xx (ACRPTK2G)
  • Ecoflair IAEC25/50 Air Economizer Display (EB2G)
  • Uniflair DSA Trim Chiller Display (TRMCHLR) 
  • Uniflair SP , UCF0481I, UCF0341I (UNFLRSP)
  • Uniflair AM Perimeter Cooling Display  SKUs: SDCC, SDCV, SDAC, ADAV, SDWC, SDWV, SUAC, SUAV, SUWC, SUWV (AMICO)
NMC2 AOS V6.8.8 and earlier
CVE-2020-11902
CVE-2020-11904
CVE-2020-11905
CVE-2020-11906
CVE-2020-11907
CVE-2020-11909
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11913
CVE-2020-11914
CVE-2020-11896
CVE-2020-11898
CVE-2020-11899

Please contact your local support team

 
NMC2 AOS v6.9.4 and earlier CVE-2020-11901 Coming Soon


 Please revisit this page for future firmware updates relevant for your respective Schneider Electric products.
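
The version boundaries in the table above can be applied to a device inventory when sorting out which scanner findings still need action. The following Python code is an added example, not Schneider Electric or APC code; the group labels, host names and inventory rows are constructed, and it assumes the version each card reports is on the same numbering scale as the versions in the table.

```python
import re

# Boundaries transcribed from the table on this page. Group labels are
# hypothetical. Tuple layout:
#   (last version affected by the 14 remediated CVEs,
#    first remediated version, or None where the page says to contact support,
#    last version listed as affected by CVE-2020-11901)
BOUNDS = {
    "nmc2-ups-sumx-sy": ("6.8.8", "6.9.2", "6.9.4"),
    "nmc3-ups":         ("1.3.0.6", "1.3.3.1", "1.3.3.1"),
    "nmc2-3phase-pdu":  ("6.8.8", "6.9.4", "6.9.4"),
    "nmc2-rack-pdu":    ("6.8.8", "6.9.4", "6.9.4"),
    "nmc2-ats":         ("6.8.8", "6.9.4", "6.9.4"),
    "nmc2-envmon":      ("6.8.8", "6.9.4", "6.9.4"),
    "nmc2-cooling":     ("6.8.8", None, "6.9.4"),
}

def parse_version(text):
    """'v6.9.2' -> (6, 9, 2, 0); padded to four fields so tuples compare."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+){1,3})", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(group, version):
    """Return (status for the 14 remediated CVEs, status for CVE-2020-11901)."""
    affected_max, fixed_min, cve11901_max = BOUNDS[group]
    v = parse_version(version)
    if v <= parse_version(affected_max):
        batch = "affected"            # upgrade, or contact support for cooling
    elif fixed_min and v >= parse_version(fixed_min):
        batch = "remediated"          # a "Treck present" scan hit is expected here
    else:
        batch = "unlisted"            # version falls between the table's rows
    # No fixed firmware for CVE-2020-11901 is listed on this page yet.
    cve11901 = "affected-mitigate" if v <= parse_version(cve11901_max) else "unlisted"
    return batch, cve11901

# Constructed inventory rows: (host, group, reported version).
INVENTORY = [
    ("ups-a", "nmc2-ups-sumx-sy", "v6.8.8"),
    ("pdu-b", "nmc2-rack-pdu", "6.9.2"),
    ("ups-c", "nmc3-ups", "1.3.3.1"),
]

def triage_inventory(rows):
    return {host: triage(group, ver) for host, group, ver in rows}

if __name__ == "__main__":
    for host, result in triage_inventory(INVENTORY).items():
        print(host, *result)
```
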