APC 8653 vulnerability

BillP · ‎2021-07-29

Our InfoSec team has highlighted a security vulnerability in our AP8635 running code 6.8.0, with the following details

SSL Certificate Signed Using Weak Hashing Algorithm:

The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret ina short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.

And they gave us the following remediation

Contact the Certificate Authority to have the SSL certificate reissued or Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.

I have tried re issuing the certificate but i could not see any options regarding the cryptography, is there any way to adjust the above?

BillP · ‎2021-07-29

Hello Gavan!

I have managed to successfully import the SSL certificate to the device!!

After some collaboration with the sysadmin team we found out that the signed certificate needed a special template from the CA that include enhanced key usage

Thank you very much for you help here

Have a lovely weekend

Regards
Stavros

See Answer In Context

BillP · ‎2021-07-29

Hi Stavros,

You'll need to create your own certificate making sure that your enterprise CA issues the appropriate certificate.

SecWizCLI

https://schneider-electric.app.box.com/file/603908305568

How To;

https://schneider-electric.box.com/s/nri2472wb3n6gtngnc2irqp41tx6j6bq

I'd also note that FW6.8.0 has more vulnerabilities that you have not listed, please upgrade your device to FW6.9.6:

https://www.se.com/ww/en/faqs/FA410359/

-Gavan

BillP · ‎2021-07-29

Hello Gavan

Many thanks for the above information. it is very helpful.

When i go to my device downloads i cannot find 6.9.6 listed. It says the latest is 6.8.0.

BillP · ‎2021-07-29

There is a link in my first post.

BillP · ‎2021-07-29

Hi Gavan

I am restricted by company policy to visit box.com as it falls into the category of file sharing.

Is there a link hosted by APC anywhere?

Thanks
Stavros

BillP · ‎2021-07-29

To be honest we use box.com for most things, I'm not sure if it is somewhere else.

Can you try a personal computer or hotspot?

-Gavan

BillP · ‎2021-07-29

Hello Gavan

Many thanks for replying, I have managed to put the software on the work computer.

I have successfully upgraded my AP8653 to version 6.9.6.

I had a lot of troubles with the NMCSecurityWizardCLIUtility.

First of all, version 1.0.1 does not work and throws an unhandled exception like this when trying to import the cert:

NMC Security Wizard Command Line Utility v1.0.1 (c) Copyright 2018 Schneider Electric. All rights reserved. ----------------------------------------------------------------------------- Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3 at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile) at NMCSecurityWizardCLI.Program.Main(String[] args)

In order to successfully import the certificate I had to use version 1.0.0 found here.

After successfully creating the *.p15 cert using the signed cert and private key I tried to import to the NMC2 and the status was stuck at "Loading certificate...."

In the event logs I saw the following

02/19/2021	12:57:55	System	SSL: Certificate generation complete.
02/19/2021	12:56:30	System	SSL: Certificate generation started.
02/19/2021	12:56:29	System	SSL Error: Invalid certificate.

I saw on this forum post, that other people had my problem in earlier versions of AOS but there was no solution other than downgrading.

We are using Microsoft CA and web server template to sign the certificate

Has there ever been a solution? What else can I try in order to successfully import the certificate?

Thanks
Stavros

BillP · ‎2021-07-29

That forum post listed wouldn't have an impact on what you trying to do.

Did you follow the guide attached?

I see that you have also create a ticket for your issues, I'd advise that you upload the unsigned .p15, CSR, cer/crt returned from your CA and the signed .p15 to the case as well as the command used to create it.

-Gavan

BillP · ‎2021-07-29

Hello Gavan

I believe I followed the guide by the letter. It would be good if the error gave a little bit more information.

I have not opened a case myself. I have although asked my reseller about this so he might have opened one

I will try re doing the procedure on a different device with a different version and come back here with the results. Is there anything else I can do?

Regards,
Stavros

BillP · ‎2021-07-29

Hello Gavan!

I have managed to successfully import the SSL certificate to the device!!

After some collaboration with the sysadmin team we found out that the signed certificate needed a special template from the CA that include enhanced key usage

Thank you very much for you help here

Have a lovely weekend

Regards
Stavros