APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
We are using APC PowerChute Business Edition 7.0.4 on a Windows Server 2003 machine. I ran the QualysGuard security scanner against it, and it reports two "serious" problems with TCP port 2161 used by APC: SSL Server Allows Anonymous Authentication Vulnerability and SSL Server Supports Weak Encryption Vulnerability. These summarize that the scanner was able to connect using SSL and either no encryption (anonymous) or 40-bit encryption.
First, I'm not convinced that this isn't a false positive. Can anyone confirm that APC PowerChute uses SSL to connect between the client and management server (I think that's what port 2161 is for)? I could find nothing via Google or on the APC web site to that effect. Note that I'm just talking about PowerChute with standard APC batteries -- not those fancy ones that do actually have built-in SSL security.
I tried configuring the cyphers on Windows as per various MS Knowledge Base articles to disable all of the ciphers less than 128-bit this way (edited for brevity, though I attached the full file):
-\Registry\Machine\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
--DES 56/56
---Enabled = REG_DWORD 0
--NULL
---Enabled = REG_DWORD 0
--RC2 128/128
---Enabled = REG_DWORD 0xffffffff
I expected that would fix the issue, but it did not -- same issue with it allegedly using NULL / anonymous and 40-bit ciphers.
Did I not change enough registry settings? Does APC PowerChute use its own SSL that isn't affected by those Windows registry keys?
Does anyone have any information about this issue that could help me? (The machine is not allowed on our network unless it passes the security scan.)
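To triage a scanner's list of accepted cipher suites against the two findings named in the post above, here is an added example that is not part of the original post and is not APC or Qualys code. The suite names in SAMPLE_ACCEPTED are constructed for illustration and are not PowerChute's actual list; key sizes are nominal, matching the SCHANNEL key naming (for example "DES 56/56").

```python
import re

ANON = "SSL Server Allows Anonymous Authentication"
WEAK = "SSL Server Supports Weak Encryption"

def nominal_bits(tokens):
    """Nominal bulk-cipher key size in bits, or None if the cipher is not recognised."""
    t = set(tokens)
    if "NULL" in t:                          # no encryption at all
        return 0
    if t & {"EXP", "EXPORT"} or "40" in t:   # export-grade, 40-bit
        return 40
    if t & {"EXP1024", "EXPORT1024"}:        # export-grade, 56-bit
        return 56
    if "3DES" in t or "CBC3" in t:           # Triple DES (OpenSSL: DES-CBC3)
        return 168
    if "DES" in t:                           # single DES
        return 56
    for bits in (256, 128):
        if f"AES{bits}" in t or ("AES" in t and str(bits) in t):
            return bits
    if t & {"RC4", "RC2"}:                   # non-export RC4/RC2 are 128-bit
        return 128
    return None

def classify(suite, min_bits=128):
    """Return (bits, findings) for one OpenSSL- or IANA-style suite name."""
    tokens = [x for x in re.split(r"[-_]", suite.upper()) if x]
    findings = []
    if set(tokens) & {"ADH", "AECDH", "ANON"}:   # unauthenticated key exchange
        findings.append(ANON)
    bits = nominal_bits(tokens)
    if bits is not None and bits < min_bits:
        findings.append(WEAK)
    return bits, findings

def triage(suites, min_bits=128):
    """Map each flagged suite to the findings it would trigger."""
    flagged = ((s, classify(s, min_bits)[1]) for s in suites)
    return {s: f for s, f in flagged if f}

# Constructed sample: suites a scanner might report as accepted on a port.
SAMPLE_ACCEPTED = ["ADH-RC4-MD5", "EXP-ADH-RC4-MD5", "NULL-SHA", "DES-CBC-SHA",
                   "DES-CBC3-SHA", "AES128-SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]

if __name__ == "__main__":
    for suite, findings in triage(SAMPLE_ACCEPTED).items():
        print(f"{suite}: {'; '.join(findings)}")
```

Suites with an unrecognised cipher return None for bits and are not flagged as weak, so review those by hand.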
Posted: 2021-07-26 03:04 AM . Last Modified: 2024-01-31 02:56 AM
Has anyone confirmed this is happening with the latest PCBE agent version - 8.0.1?
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
I can confirm that 8.01 does not resolve the issue at this point. However, I am working with an APC senior tech.
If we can resolve, I will post the fix...
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:33 AM
Could you please identify the individual you are working with so we can possibly coordinate on our side? Several of our "Senior Technical"-type employees post on these forums. Respond via Private Message by using the message center at the top of the Forum page. Thanks.
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
Running v9.0.2.614 and this vulnerability is still showing up. Is there any configuration that can be done to correct this?
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-01-31 02:56 AM
Hi,
Please be more specific as to how you are testing and what the results are.
Thanks,
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
Testing with NESSUS reveals that the powerchute software allows the use of anonymous SSL ciphers.
I did a search and there have been other threads on this and as far as I can tell no resolution...
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-01-31 02:56 AM
Hi,
Angela addressed the anonymous SSL cipher on March 18, 2009.
"We do accept (rather expect) anonymous authentication for the initial connection, but we immediately issue a challenge for renegotiation using a secure cipher. If the client doesn't meet this challenge and respond back using the appropriate cipher, we kill the connection. There is also yet another custom challenge phase in place after the renegotiation to the secure channel, but that is kind of beyond the point.
In short, we accept the anonymous connection INITIALLY, but we don't stay on it and no real communication can take place until the renegotiation phase is complete."
Hope this alleviates your concern; if not, you can uninstall the PowerChute Server service and PowerChute Console and just utilize the PowerChute Agent web interface. The communication on port 2161, 2160, 2260 is between the Agent - Server and the Server - Console. The Agent interface utilizes port 6547.
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
Hello,
I'm facing the same issue.
Was this case elucidated?
Best regards.
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-01-31 02:56 AM
Hi everyone
FYI in regards to this concern:
We do accept (rather expect) anonymous authentication for the initial connection, but we immediately issue a challenge for renegotiation using a secure cipher. If the client doesn't meet this challenge and respond back using the appropriate cipher, we kill the connection. There is also yet another custom challenge phase in place after the renegotiation to the secure channel, but that is kind of beyond the point.
In short, we accept the anonymous connection INITIALLY, but we don't stay on it and no real communication can take place until the renegotiation phase is complete.
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:34 AM
This is a real problem for me as well. We can't deploy any servers with this app because QualysGuard reports this vulnerability. Is there any known workaround?
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
Let's discuss your setup for a second (as it will buy me some time before getting in the office in the morning to research this... You should hear from me after 930am EST).
Are you using just ONE instance of the Agent? If so, do you really need the server/console portion for notification and a user-friendly GUI? Would you have anything against using just the Agent and configuring the shutdown via port 3052 of its web interface if it were a problem? I'm not saying that there is; I don't possess the knowledge right now to answer that. I'm simply offering an alternate solution that may allow you to have the device on the network.
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
That is an excellent question, but no, we will eventually be running lots of these. This is just the test system of a planned deployment of 6,500 systems. So, all of those systems will ultimately be remotely managed and monitored.
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
That brings the next question (and my last one before I retire for the evening). How do you plan to centrally monitor them? 6,500 devices will be a lot of PCBE Deluxe instances. It's also 7 ISX Managers monitoring each agent via SNMP (which would be 7 Managers, plus the cost of 6 1000 node, and 1 500 node license key). That's a lot of systems to have to centrally monitor.
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
I don't actually know how they (the site management support group) do it; they just told us that we would be installing APC PowerChute Business Edition on each system. If it's germane, I can find out from them. It's all planned out, though; they currently have the same software running on the old systems in each of the 6,500 stores, so this new system is just an upgrade for that system. (The old system was probably not security-tested at the time, and so likely has the same "problem".)
Posted: 2021-07-26 03:03 AM . Last Modified: 2024-02-14 02:36 AM
Taed,
I spoke to one of my software escalation contacts this morning. As of right now, we're pretty sure PCBE uses SSL; however, we can't properly escalate this while you're using 7.0.4. Can you install 7.0.5 and run the scan again to see if the vulnerability continues? If so, at that point I'll have to contact you privately regarding this.
Posted: 2021-07-26 03:04 AM . Last Modified: 2024-02-14 02:36 AM
I installed 7.0.5 and then ran the free version of the same tool at http://www.qualys.com/products/trials/ and I see the same reported security issues.