Welcome to the new Schneider Electric Community

It's your place to connect with experts and peers, get continuous support, and share knowledge.

  • Explore the new navigation for even easier access to your community.
  • Bookmark and use our new, easy-to-remember address (community.se.com).
  • Get ready for more content and an improved experience.

Contact SchneiderCommunity.Support@se.com if you have any questions.

Close
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
Send Invite Cancel
84861members
354342posts

NetBotz 200 Firmware

EcoStruxure IT forum

A support forum for Data Center Operation, Data Center Expert, and EcoStruxure IT product users to share knowledge on installation, configuration, and general product use.

DCIM_Support
Picard
Picard
0 Likes
12
686

NetBotz 200 Firmware

This question was originally posted on DCIM Support by uob-networks on 2016-11-15


I appreciate the hardware is a bit long in the tooth these days but the features in the NetBotz 200 Firmware are woefully out of date. From ten minutes with a device today I have found:

 

SSH server issues - impossible to administer from a recent version of PuTTY (the defacto Windows SSH client IMO): APC are already aware of this, see http://www.apc.com/us/en/faqs/FA242581/
 
Also when using the OpenSSH command line client, you have to specifically add "KexAlgorithms=+diffie-hellman-group1-sha1" to enable the particular insecure key exchange that the device uses.

Poor SSL support - following recent changes made to browsers in light of POODLE, RC4 etc, you can now no longer administer the devices via HTTPS (actually I think you can from IE11 with a ton of warnings but that's it). 

Poor SNMP support - SNMPv3 is there, but only using MD5 and DES!

 

This hardware desperately needs a firmware update to support modern encryption. To get the device usable with current software it can really only be administered in plain text, via telnet and HTTP. This makes it completely unsuitable for an enterprise environment.

Is there any intention to develop a firmware update as the linked FAQ article suggests? Or are these devices now deemed useless and all need replacing?

 

Some further info, here is nmap output from an SSL scan of the device with only 3DES enabled in the SSL configuration:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-15 11:11 GMT Standard Time

Nmap scan report for xxxxxx (xx.xx.xx.xx)

Host is up (0.0051s latency).

Not shown: 997 closed ports

PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp open https

| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| compressors:
|
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| CBC-mode cipher in SSLv3 (CVE-2014-3566)
| Weak certificate signature: SHA1
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - D
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024) - A
| compressors:
|
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Weak certificate signature: SHA1
|_ least strength: D

Nmap done: 1 IP address (1 host up) scanned in 23.92 seconds


Interesting to note that the device is actually offering AES128 and AES256, which are not selectable ciphers in the web interface. However you cannot uncheck 3DES in the interface (web or cli) so the device will always offer it. Also, the device does support TLS 1.0 but still runs SSL 3.0 as well, leaving it vulnerable to downgrade attacks. As well as this, the device is using CBC ciphers and the self-signed certificate is weak (SHA-1) but that is not surprising given the age of the device. This could be resolved if APC made information available about certificate formats... PKCS12 certainly doesn't work!


Here is the nmap output from an SSH scan with ssh v1 and v2 enabled, blowfish enabled for ssh v1 and 2des, aes128 and aes256 enabled for ssh v2.


 

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-15 11:28 GMT Standard Time
Nmap scan report for xxxx (xx.xx.xx.xx)
Host is up (0.0054s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms: (1)
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (1)
| ssh-rsa
| encryption_algorithms: (3)
| aes128-cbc
| aes256-cbc
| 3des-cbc
| mac_algorithms: (2)
| hmac-sha1
| hmac-md5
| compression_algorithms: (1)
|_ none
80/tcp open http
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 9.73 seconds

 

You can see that the only supported key exchange algorithm is diffie-hellman-group1-sha1 which is unsuitable due to a weak DH group (group1 and group14 are no use). Note we can disable 3DES here, but it doesn't help as it has no influence on the key exchange. Note that this is on SSHv2.

(CID:110005386)

Tags (1)
12 Replies 12
DCIM_Support
Picard
Picard
0 Likes
0
686

Re: NetBotz 200 Firmware

This comment was originally posted on DCIM Support by uob-networks on 2016-11-15


Also, DNS does not seem to work properly on these devices with the boot type set to DHCP. They get the correct settings, but cannot resolve anything. Setting the device to BOOTP appears to resolve this, even though we do not have a BOOTP server and they are either still getting their IP information from the DHCP reservation or they have retained their old settings and are continuing to use them.

(CID:110005464)

DCIM_Support
Picard
Picard
0 Likes
4
686

Re: NetBotz 200 Firmware

This answer was originally posted on DCIM Support by Angela Clark on 2016-11-15


Hello,

Unfortunately, I don't believe the NetBotz 200 will be updated much moving forward as far as bug fixes or feature upgrades. We just released the NetBotz 250 (a new hardware appliance using our Network Management Card 2 platform) to replace the 200 which should resolve all of these issues you've noted. I can understand that a hardware upgrade is not necessarily what you're looking for, as opposed to a firmware upgrade, but that is what we have available as a solution today and right now.

The SSH and SSL issues are resolved on the Network Management Card 2 platform and unfortunately the hardware limitations of the Network Management Card 1 (what is inside the 200) cannot currently support this advanced encryption as it stands now (though I think someone is trying to get it to work for existing customers). 

The DNS issue I believe I logged as a bug and we made a knowledge base -> http://www.apc.com/us/en/faqs/FA293833

Let me know if you have any questions on this information.

 

(CID:110005471)

DCIM_Support
Picard
Picard
0 Likes
0
686

Re: NetBotz 200 Firmware

This comment was originally posted on DCIM Support by uob-networks on 2016-11-15


Hi Angela, Thanks for the speedy response. I had a feeling that might be your answer! It's not brilliant considering one of these devices was manufactured in 2012 and some of the relevant security issues/CVEs surrounding this firmware are from 2014 but I guess we are stuck with just scrapping these devices. For what it's worth we do have some devices based on the NMC2 platform and they do work just fine. I doubt we will be replacing the NetBotz 200 units we have with NetBotz 250s.

(CID:110005477)

DCIM_Support
Picard
Picard
0 Likes
0
686

Re: NetBotz 200 Firmware

This comment was originally posted on DCIM Support by Angela Clark on 2016-11-15


Sorry to hear! I understand where you're coming from though and I can't argue. I am on our offer quality team and have echo'd some of these same complaints but the NMC1 hardware is a bottle neck on some of that. I bet they could probably fix the DHCP/DNS thing without issue and as I mentioned, it is logged as a bug. We are still holding out hope we can somehow get TLS 1.2 working at least on NMC1 but the investigation is still ongoing to see if the hardware can somehow support it. I think NetBotz 200 was released in 2008 or 2009 when NMC2 hardware still wasn't released as it came out early 2009. :'(

(CID:110005480)

DCIM_Support
Picard
Picard
0 Likes
0
686

Re: NetBotz 200 Firmware

This comment was originally posted on DCIM Support by uob-networks on 2016-11-15


TBH removing SSLv3 and updating the SSL encryption page to allow the removal of 3DES (and maybe adding checkboxes for AES-128 and AES-256 as the device clearly supports them) would be a great step. It's a shame you can't see from those FAQ entries how long a bug has been open for! It would give some idea of whether they were being looked into or whether it's stagnant. I have not really had a great experience getting our own SSL certificate onto the devices to replace the self signed SHA-1 either, due to your use of PKCS15. Do the newer devices still use this certificate format (necessitating the use of your own certificate tool)?

(CID:110005482)

DCIM_Support
Picard
Picard
0 Likes
0
686

Re: NetBotz 200 Firmware

This comment was originally posted on DCIM Support by Angela Clark on 2016-11-15


I think we originally left SSLv3 there for legacy purposes but I am not 100% sure. It is probably time we can remove it and I think if they get TLS 1.2 working, it will likely go away or the user can choose to disable it. I asked for the checkboxes for many years now but it requires a cryptography library upgrade to support the checkboxes (as it did on NMC2 as well). Hence, what they are trying to do now in order to get TLS 1.2 going as well. That bug has been logged for a little time now but I can probably try to push it. The problem is, then the NetBotz 200 team would need to release a new package with the new AOS and I don't think that is going to happen as I mentioned. Though, we could maybe get a "beta" with it fixed... The SSL cert stuff I have also closely worked on. Yes, NMC2 still works identically to NMC1 in this regards - still need to use security wizard and convert to .p15. I see the most issues with Microsoft CAs and also OpenSSL which I have set up Server 2008/2012 with the AD Cert Services myself and replicated problems. On NMC2, I have dug into this in depth and found some firmwares where this works and others where it does not for both SHA-1 and SHA-256. If you can share what CA you're using and what AOS revision levels your devices have, I can probably confirm/deny these details with you and what I know. If you would like to work offline on these details too and would like to be a beta user with some of the changes we plan to make to get this stuff working early next year, we can do that too as well. I understand though you may not want to waste your own time testing our stuff which you shouldn't have to but it'd be appreciated by me personally if you're willing to.

(CID:110005483)

DCIM_Support
Picard
Picard
0 Likes
4
686

Re: NetBotz 200 Firmware

This answer was originally posted on DCIM Support by Samuel Jesson on 2016-12-16


That's a bizarre response given that the NetBotz 200 is still a selling and shipped unit, we bought two of them through APC Distributor on 28th of September of 2016.

Normally if you replace hardware with a new model you cease selling the old one and even then you still support the old model for a period for those that bought the previous version.

Again, bizarre product management.

(CID:110008798)

DCIM_Support
Picard
Picard
0 Likes
0
687

Re: NetBotz 200 Firmware

This comment was originally posted on DCIM Support by Angela Clark on 2016-12-16


Hi Samuel, we don't want to leave any customer hanging or frustrated and will continue to support the 200's customers in whatever way possible.

Specific to your case, since you bought these right around when the 250 was released, I was wondering if depending on where you bought it, what region you're in, etc if we could somehow get you upgraded to 250s. If you are interested in working on this further with me to see if we are able to check into making this happen, please let me know.

While I am not the product manager, I do support the NetBotz products from a quality perspective.

(CID:110008951)

DCIM_Support
Picard
Picard
0 Likes
0
687

Re: NetBotz 200 Firmware

This comment was originally posted on DCIM Support by Samuel Jesson on 2016-12-16


Thank you for the quick response Angela. I'd definitely like to pursue your offer and see if it would be possible to trade-in(up) to the 250's.

We're in New Zealand and the units where purchased through Ingram Micro via Vikas John Chakranarayan the Schneider APC National Market Development Manager.

The 200's, a number of 150 Sensor Pods and dry contact sensors were purchased as a Pilot for our core DataCenter. We have three more DataCenter's to fit with this equipment so any future units will be 250's but having all four with the same kit would be beneficial to us.

So far our pilot has only implemented one of the two NetBotz 200's so the other is still in box if that helps at all.

(CID:110009014)

DCIM_Support
Picard
Picard
0 Likes
0
687

Re: NetBotz 200 Firmware

This comment was originally posted on DCIM Support by cunningham on 2017-11-15


I have also purchased 3 netbotz 200's for a project at the end of last year and am finally getting around to trying to install them. Opened one and the moisture sensor doesn't show as plugged in. Trying to find a new firmware and no luck.  For another project we ordered 5 more and were shipped the 250's which are much nicer. Wish there was some way to trade out the two unopened 200's and the opened one.

(CID:126177210)

DCIM_Support
Picard
Picard
0 Likes
0
687

Re: NetBotz 200 Firmware

This comment was originally posted on DCIM Support by Angela Clark on 2017-11-15


Hi, I don't believe the 200 supports a moisture (leak sensor (but the 250 does). That may explain why it is not working..

Either way, depending on your region, who you order through, we may be able to find out if we can get you some 250s instead through trade in. Have you tried to contact your sales person to contact the APC/Schneider sales to see if this is possible?

(CID:126177220)

DCIM_Support
Picard
Picard
0 Likes
0
687

🔒 Closed

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.