May 2015, several weaknesses in the Diffie-Hellman Key Exchange that could lead to security vulnerabilities in protocols such as HTTPS that rely on TLS 1.2 and earlier were published on the following website - https://weakdh.org/
. This is known as the Logjam attack (CVE-2015-4000). Product Line:
PowerChute Business Edition 9.2 and olderEnvironment:
OS: Linux, Solaris, Windows x64, x86Cause/Overview:
- Logjam attack against the TLS protocol: “The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.”
- Threats from State Adversaries: The use of pre-computed prime numbers that are 1024 bits in size or less in the Diffie-Helman key exchange can be exploited with varying levels of difficulty:
- 512-bit – An individual user can break this.
- 768-bit – University level resources required.
- 1024-bit – Nation-State level resources required.
Upgrade to PowerChute Business Edition 10.x
Schneider Electric's IT Business has conducted a vulnerability assessment and found that PowerChute Business Edition Agent and Server version 9.2 and below are affected.
At this time, PowerChute Business Edition Server cannot be modified to protect against the Logjam vulnerability. It is therefore recommended to upgrade or to block remote access to TCP Ports 2260 and 2160 except for trusted machines. Since the private JRE used by PowerChute Business Edition is shared.
Cyber Security is an important element of Schneider Electric's commitment to software quality. Regular vulnerability assessment and further investigation is ongoing on other Schneider Electric platforms in addition to the above and will be detailed if discovered. No other APC products or product families are known to be impacted at this time. Any identified additional impacts will be relayed to our customers in a timely manner via an updated disclosure.