Help
  • Get started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
Login / Register
Brand Logo
Help
  • Get started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
close
  • Community Home
  • Forums
    • By Topic
    • By Topic
      EcoStruxure Building
      • Field Devices Forum
      • SmartConnector Forum
      EcoStruxure Power & Grid
      • Gateways and Energy Servers
      • Metering & Power Quality
      APC UPS, Critical Power, Cooling and Racks
      • APC UPS Data Center & Enterprise Solutions Forum
      • APC UPS for Home and Office Forum
      EcoStruxure IT
      • EcoStruxure IT forum
      • EcoStruxure IT™ Advisor CFD
      Remote Operations
      • EcoStruxure Geo SCADA Expert Forum
      • Remote Operations Forum
      Industrial Automation
      • Alliance System Integrators Forum
      • AVEVA Plant SCADA Forum
      • CPG Expert Forum DACH
      • EcoStruxure Automation Expert / IEC 61499 Forum
      • Fabrika ve Makina Otomasyonu Çözümleri
      • Harmony Control Customization Forum
      • Industrial Edge Computing Forum
      • Industry Automation and Control Forum
      • Korea Industrial Automation Forum
      • Machine Automation Forum
      • Modicon PAC Forum
      • PLC Club Indonesia
      Schneider Electric Wiser
      • Schneider Electric Wiser Forum
      Power Distribution IEC
      • Eldistribution & Fastighetsautomation
      • Elektrik Tasarım Dağıtım ve Uygulama Çözümleri
      • Paneelbouw & Energie Distributie
      • Power Distribution and Digital
      • Solutions for Motor Management
      • Specifiers Club ZA Forum
      • Електропроектанти България
      Power Distribution NEMA
      • Power Monitoring and Energy Automation NAM
      Power Distribution Software
      • EcoStruxure Power Design Forum
      • LayoutFAST User Group Forum
      Energy & Sustainability Services
      • Green Building Scoring and Certification Forum
      Light and Room Control
      • SpaceLogic C-Bus Forum
      Solutions for your Business
      • Solutions for your Business Forum
      Support
      • Ask the Community
  • Knowledge Center
    • Building Automation Knowledge Base
    • Geo SCADA Knowledge Base
    • Industrial Automation How-to videos
    • Digital E-books
    • Success Stories Corner
  • Events & Webinars
    • All Events
    • Innovation Talks
    • Innovation Summit
    • Let's Exchange Series
    • Partner Success
    • Process Automation Talks
    • Technology Partners
  • Ideas
    • EcoStruxure Building
      • EcoStruxure Building Advisor Ideas
      Remote Operations
      • EcoStruxure Geo SCADA Expert Ideas
      • Remote Operations Devices Ideas
      Industrial Automation
      • Modicon Ideas & new features
  • Blogs
    • By Topic
    • By Topic
      EcoStruxure Power & Grid
      • Backstage Access Resources
      EcoStruxure IT
      • EcoStruxure IT™ Advisor CFD
      Remote Operations
      • Remote Operations Blog
      Industrial Automation
      • Industrie du Futur France
      • Industry 4.0 Blog
      Power Distribution NEMA
      • NEMA Power Foundations Blog
      Energy & Sustainability Services
      • Active Energy Management Blog
      Light and Room Control
      • KNX Blog
      Knowledge Center
      • Digital E-books
      • Geo SCADA Knowledge Base
      • Industrial Automation How-to videos
      • Success Stories Corner
  • companyImpact

APC 8653 vulnerability

APC UPS Data Center & Enterprise Solutions Forum

Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
  • Home
  • Communities
  • APC UPS, Critical Power, Cooling and Racks
  • APC UPS Data Center & Enterprise Solutions Forum
  • APC 8653 vulnerability
Options
  • Subscribe to RSS Feed
  • Mark Topic as New
  • Mark Topic as Read
  • Float this Topic for Current User
  • Bookmark
  • Subscribe
  • Mute
  • Printer Friendly Page
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we?ll connect them to register. After joining, they will belong to the same company.
You have entered an invalid email address. Please re-enter the email address.
This co-worker has already been invited to the Exchange portal. Please invite another co-worker.
Please enter email address
Send Invite Cancel
Invitation Sent
Your invitation was sent.Thanks for sharing Exchange with your co-worker.
Send New Invite Close
Top Experts
User Count
BillP
Administrator BillP Administrator
5026
voidstar_apc
Janeway voidstar_apc
195
Erasmus_apc
Sisko Erasmus_apc
111
TheNotoriousKMP_apc
Sisko TheNotoriousKMP_apc
108
View All

Invite a Colleague

Found this content useful? Share it with a Colleague!

Invite a Colleague Invite
Solved Go to Solution
Back to APC UPS Data Center & Enterprise Solutions Forum
Solved
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
9
1445
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

APC 8653 vulnerability

This question was originally posted by Stavros on APC forums on 2/17/2021


Our InfoSec team has highlighted a security vulnerability in our AP8635 running code 6.8.0, with the following details

SSL Certificate Signed Using Weak Hashing Algorithm:
The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret ina short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.
And they gave us the following remediation

Contact the Certificate Authority to have the SSL certificate reissued or Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.

 

 

I have tried re issuing the certificate but i could not see any options regarding the cryptography, is there any way to adjust the above?

Labels
  • Labels:
  • Racks, Rack Accessories, & Cooling
Reply
Share
  • All forum topics
  • Previous Topic
  • Next Topic

Accepted Solutions
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
0
1445
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

This reply was originally posted by Stavros on APC forums on 2/19/2021


Hello Gavan!

I have managed to successfully import the SSL certificate to the device!! 

After some collaboration with the sysadmin team we found out that the signed certificate needed a special template from the CA that include enhanced key usage

Thank you very much for you help here

Have a lovely weekend

Regards
Stavros

See Answer In Context

Reply
Share
Replies 9
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
0
1445
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

This reply was originally posted by Gavan on APC forums on 2/18/2021


Hi Stavros,

You'll need to create your own certificate making sure that your enterprise CA issues the appropriate certificate.

SecWizCLI

https://schneider-electric.app.box.com/file/603908305568

How To;

https://schneider-electric.box.com/s/nri2472wb3n6gtngnc2irqp41tx6j6bq

I'd also note that FW6.8.0 has more vulnerabilities that you have not listed, please upgrade your device to FW6.9.6:

https://www.se.com/ww/en/faqs/FA410359/

-Gavan

Reply
Share
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
0
1445
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

This reply was originally posted by Stavros on APC forums on 2/18/2021


Hello Gavan

Many thanks for the above information. it is very helpful.

When i go to my device downloads i cannot find 6.9.6 listed.  It says the latest is 6.8.0.

https://www.apc.com/shop/cy/en/tools/software-firmware?Nr=OR%28sku.partNum%3ASFDIPW503%2Csku.partNum...

I always use that page to look for new firmware, is there anywhere else i need to look at?

Regards,

Stavros

Reply
Share
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
0
1445
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

This reply was originally posted by Gavan on APC forums on 2/18/2021


There is a link in my first post.

Reply
Share
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
0
1445
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

This reply was originally posted by Stavros on APC forums on 2/18/2021


Hi Gavan

I am restricted by company policy to visit box.com as it falls into the category of file sharing.

Is there a link hosted by APC anywhere?

Thanks
Stavros

Reply
Share
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
0
1445
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

This reply was originally posted by Gavan on APC forums on 2/19/2021


To be honest we use box.com for most things, I'm not sure if it is somewhere else.

Can you try a personal computer or hotspot?

-Gavan

Reply
Share
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM . Last Modified: ‎2023-02-06 02:06 AM

0 Likes
0
1445
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM . Last Modified: ‎2023-02-06 02:06 AM

This reply was originally posted by Stavros on APC forums on 2/19/2021


Hello Gavan

Many thanks for replying, I have managed to put the software on the work computer.

I have successfully upgraded my AP8653 to version 6.9.6.

I had a lot of troubles with the NMCSecurityWizardCLIUtility. 

First of all, version 1.0.1 does not work and throws an unhandled exception like this when trying to import the cert:


NMC Security Wizard Command Line Utility v1.0.1 (c) Copyright 2018 Schneider Electric. All rights reserved. ----------------------------------------------------------------------------- Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3 at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile) at NMCSecurityWizardCLI.Program.Main(String[] args) 

In order to successfully import the certificate I had to use version 1.0.0 found here.

After successfully creating the *.p15 cert using the signed cert and private key I tried to import to the NMC2 and the status was stuck at "Loading certificate...."

In the event logs I saw the following 

 02/19/2021 12:57:55 System SSL: Certificate generation complete.
 02/19/2021 12:56:30 System SSL: Certificate generation started.
 02/19/2021 12:56:29 System SSL Error: Invalid certificate.

I saw on this forum post, that other people had my problem in earlier versions of AOS but there was no solution other than downgrading.

We are using Microsoft CA and web server template to sign the certificate

Has there ever been a solution?  What else can I try in order to successfully import the certificate?

Thanks
Stavros

Reply
Share
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
0
1445
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

This reply was originally posted by Gavan on APC forums on 2/19/2021


That forum post listed wouldn't have an impact on what you trying to do.

Did you follow the guide attached?

I see that you have also create a ticket for your issues, I'd advise that you upload the unsigned .p15, CSR, cer/crt returned from your CA and the signed .p15 to the case as well as the command used to create it.

-Gavan

Reply
Share
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
0
1444
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

This reply was originally posted by Stavros on APC forums on 2/19/2021


Hello Gavan

I believe I followed the guide by the letter.   It would be good if the error gave a little bit more information.

I have not opened a case myself.  I have although asked my reseller about this so he might have opened one

I will try re doing the procedure on a different device with a different version and come back here with the results. Is there anything else I can do?

Regards,
Stavros

Reply
Share
BillP
Administrator BillP Administrator
Administrator

Posted: ‎2021-07-29 11:29 PM

0 Likes
0
1446
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content
Share

Posted: ‎2021-07-29 11:29 PM

This reply was originally posted by Stavros on APC forums on 2/19/2021


Hello Gavan!

I have managed to successfully import the SSL certificate to the device!! 

After some collaboration with the sysadmin team we found out that the signed certificate needed a special template from the CA that include enhanced key usage

Thank you very much for you help here

Have a lovely weekend

Regards
Stavros

Reply
Share
Preview Exit Preview

never-displayed

You must be signed in to add attachments

never-displayed

Additional options
You do not have permission to remove this product association.
 
To The Top!

Forums

  • APC UPS Data Center Backup Solutions
  • EcoStruxure IT
  • EcoStruxure Geo SCADA Expert
  • Metering & Power Quality
  • Schneider Electric Wiser

Knowledge Center

Events & webinars

Ideas

Blogs

Get Started

  • Ask the Community
  • Community Guidelines
  • Community User Guide
  • How-To & Best Practice
  • Experts Leaderboard
  • Contact Support
Brand-Logo
Subscribing is a smart move!
You can subscribe to this forum after you log in or create your free account.
Forum-Icon

Create your free account or log in to subscribe to the forum - and gain access to more than 10,000+ support articles along with insights from experts and peers.

Register today for FREE

Register Now

Already have an account?Login

Terms & Conditions Privacy Notice Change your Cookie Settings © 2023 Schneider Electric, Inc