NetShelter Rack Power Distribution Units (rPDU)

Affected Revision Levels   Component Version File Network Management Card 3 (NMC3) Operating System and NetShelter RPDU Application 3.0.0.5 Not available for download Secure NMC System (SNS) Tool for RPDU 3.0.0.5 snst_nmc3_rpdu2g_3-0-0-5v2.exe PowerNet® SNMP Management Information Base (MIB) 4.5.2 powernet452.mib Network Management Device IP Configuration Utility 4.0.5 DevIPSetup.exe IMPORTANT:You must have a valid Secure NMC System (SNS) subscription (SWNMC3PDU-•Y-DIGI) for PDU devices to update the firmware to version 3.0 or later. You must use the SNS tool for Rack Power Distribution Units (RPDUs) to upgrade to firmware version 3.0 or later. This is the only supported upgrade method.   New Features   New Feature APC Operating System The NMC3 platform is now IEC-62443-4-2 certified. Support has been added for audit logging to ensure control actions and configuration changes are recorded in the Event log. Support has been added for remote authentication via the TACACS+ protocol. APDU9•••, AP8•••, AP7•••B, and AP71••B Applications None Security Update Password security has been updated to align with the requirements for IEC 62443-4-2.   Fixed Issues   Fixed Issue APC Operating System   Security Update The following security vulnerabilities has been addressed in this release: CWE-74: Improper neutralization of special elements in output used by a downstream component (injection) CWE-79: Improper neutralization of input during web page generation (Cross-site Scripting).   APDU9•••, AP8•••, AP7•••B, and AP71••B Applications General improvements to the help pages of the Web User Interface (Web UI)     Known Issues   Known Issue APC Operating System Certain characters, such as ™ or ©, will not be generated correctly when downloading a config.ini file via genini.htm. If a file with invalid content generated by this issue is uploaded back to the NMC, the lines with invalid content will be rejected and appropriate events will be logged. APDU9•••, AP8•••, AP7•••B, and AP71••B Applications Synchronized outlet groups do not function when enabled over the network. They do function when enabled locally or when enabled through the In/Out ports. The Reset RPDU to Defaults action also resets the system settings. APDU9••• and AP8••• Applications The Network Port Sharing (NPS) system does not update connected units if one of the following occurred: The upgrade file was uploaded via SCP without the original filename. The host device was reset to factory defaults. APDU9••• Application It is possible to configure a PDU without a network connection as an NPS host if that PDU has been configured with a static IP address. If one or more members of your NPS group have static IP addresses and you want to manually change the NPS host, ensure the new host has a network connection before changing the host. When using certain tools (including the MIB Browser) as an SNMP interface to set string configurations on the device, be aware that strings starting with the “#” character may be reserved for special syntax by your interface tool. These strings will be interpreted as colon-separated decimal representations of ASCII character codes and will be stored as such by the Network Management Card. For example, setting #80:68:85 will result in the string “PDU being configured on the NMC.” If values configured in this way are not valid strings (e.g. “#1”), the OID for that value may stop responding to get and set requests. To fix this OID behavior, overwrite the invalid configuration with a valid string via any non-SNMP interface. The Rack PDU will not warn the user when they have connected too many guest devices to the NPS group. Up to 31 guest devices can be connected to an NPS group. It may take 30 minutes or more to apply a comprehensive config.ini file to an NPS group. If the clearing method for an outlet alarm action is set to Auto, outlets are automatically set to the non-action state when an alarm clears, regardless of what state they were in before the alarm. For example, if the alarm action is Off, the outlets are turned on when the alarm clears. This happens even if the outlets were off before the alarm started.   Hash Signatures   Signatures snst_nmc3_rpdu2g_3-0-0-5v2.exe MD5 Hash 76B2A54E4CE12450C5DE0A2A269F1546 SHA-1 AA30B26035B40E4CD9E8DF72F9F50A536CFDEDEF SHA-256 84E438D7977EFA5FA8E23F84F78A5F29B1F452867DE0C892D5D75273AEAFCBA6

Affected Revision Levels   Component Version File Network Management Card 3 (NMC3) Operating System and NetShelter RPDU Application 3.1.1.4 Not available for download Secure NMC System (SNS) Tool for RPDU 3.1.1.4 snst_2.0.0.2_nmc3_rpdu2g_3-1-1-4.exe PowerNet® SNMP Management Information Base (MIB) 4.5.2 powernet452.mib Network Management Device IP Configuration Utility 4.0.5 DevIPSetup.exe IMPORTANT: You must have a valid Secure NMC System (SNS) subscription (SWNMC3PDU-•Y-DIGI) for PDU devices to update the firmware to version 3.0 or later. You must use the SNS tool for Rack Power Distribution Units (RPDUs) to upgrade to firmware version 3.0 or later. This is the only supported upgrade method.   New Features   New Feature APC Operating System Support added for user authentication via Lightweight Directory Access Protocol (LDAP). Support added for TLS 1.3. Support added for SNMPv3 encryption via the SHA 256 and AES 256 protocols. APDU9•••, AP8•••, AP7•••B, and AP71••B Applications Modbus TCP Support. The Rack PDU properties, configuration and status can be queried via Modbus TCP. Modbus TCP can be enabled through CLI modbus command or Rack PDU web page Configuration ⇒ Network ⇒ Modbus ⇒TCP The Modbus register map file can be downloaded from https://www.se.com/us/en/download/document/TME45037/   Fixed Issues   Fixed Issue APC Operating System Link-RX/TX LED is now working for all embedded NMC3s. Dates in SNMP, such as upsAdvIdentDateOfManufacture, are now available in the correct format, mm/dd/yyyy. The audit log of the Web UI is displayed in all supported languages. APDU9•••, AP8•••, AP7•••B, and AP71••B Applications None Security Updates The following security vulnerabilities have been addressed in this release:   CWE-327: Use of a Broken or Risky Cryptographic Algorithm. This software uses a broken or risky cryptographic algorithm or protocol. Removed support in SSH for diffie-hellman-group14-sha1. CWE-598: Use of GET Request Method with Sensitive Query Strings. This software uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. Configuration of HSTS is now independent from HTTP or HTTPS configuration. When HSTS is enabled, an STS header is added to all responses over HTTPS. CWE-307: Improper Restriction of Excessive Authentication Attempts. This software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks. The account now gets locked after bad login attempts. CWE-523: Unprotected Transport of Credentials. Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. CWE-319: Cleartext Transmission of Sensitive Information. The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. The user is now referred as an index rather than the user name NMC/KrtUvuh39YtQmHbyua297g/usercfg.htm?user=2. CWE-200: Exposure of Sensitive Information to An Unauthorized Actor SSH Cipher Block Chaining (CBC) cipher has been removed. CWE-74: Improper neutralization of special elements in output used bya downstream component (Injection) CWE-79: Improper neutralization of input during web page generation (Cross-site Scripting).     Known Issues   Known Issue APC Operating System Certain characters, such as ™ or ©, will not be generated correctly when downloading a config.ini file via genini.htm. If a file with invalid content generated by this issue is uploaded back to the NMC, the lines with invalid content will be rejected and appropriate events will be logged. APDU9•••, AP8•••, AP7•••B, and AP71••B Applications Synchronized outlet groups do not function when enabled over the network. They do function when enabled locally or when enabled through the In/Out ports. The Reset RPDU to Defaults action also resets the system settings. APDU9••• and AP8••• Applications The Network Port Sharing (NPS) system does not update connected units if one of the following occurred: The upgrade file was uploaded via SCP without the original filename. The host device was reset to factory defaults. APDU9••• Application It is possible to configure a PDU without a network connection as an NPS host if that PDU has been configured with a static IP address. If one or more members of your NPS group have static IP addresses and you want to manually change the NPS host, ensure the new host has a network connection before changing the host. When using certain tools (including the MIB Browser) as an SNMP interface to set string configurations on the device, be aware that strings starting with the “#” character may be reserved for special syntax by your interface tool. These strings will be interpreted as colon-separated decimal representations of ASCII character codes and will be stored as such by the Network Management Card. For example, setting #80:68:85 will result in the string “PDU being configured on the NMC.” If values configured in this way are not valid strings (e.g. “#1”), the OID for that value may stop responding to get and set requests. To fix this OID behavior, overwrite the invalid configuration with a valid string via any non-SNMP interface. The Rack PDU will not warn the user when they have connected too many guest devices to the NPS group. Up to 31 guest devices can be connected to an NPS group. It may take 30 minutes or more to apply a comprehensive config.ini file to an NPS group. If the clearing method for an outlet alarm action is set to Auto, outlets are automatically set to the non-action state when an alarm clears, regardless of what state they were in before the alarm. For example, if the alarm action is Off, the outlets are turned on when the alarm clears. This happens even if the outlets were off before the alarm started.   Hash Signatures   Signatures snst_2.0.0.2_nmc3_rpdu2g_3-1-1-4.exe MD5 Hash 07a970ba5de445f3fe955274cad8a435 SHA-1 77ba6fbbcadebb418f720324d252a44ef5de780e SHA-256 c950e0d2859012cf927ec8b791b32d9d2fef507e1a7fc1e7feb5a73478f3a169

Affected Revision Levels   Component Version File Network Management Card 3 (NMC3) Operating System and NetShelter RPDU Application AOS: 2.5.3.2 APP: 2.5.2.5 apc_hw21_rpdu2g_2-5-2-5.nmc3 Secure NMC System (SNS) Tool for RPDU Not applicable Not applicable PowerNet® SNMP Management Information Base (MIB) 4.5.6 powernet456.mib IMPORTANT: You must have a valid Secure NMC System (SNS) subscription (SWNMC3PDU-•Y-DIGI) for PDU devices to update the firmware to version 3.0 or later. You must use the SNS tool for Rack Power Distribution Units (RPDUs) to upgrade to firmware version 3.0 or later. This is the only supported upgrade method.   New Features   New Feature APC Operating System None APDU9•••, AP8•••, AP7•••B, and AP71••B Applications The LCD displays the Alarm Status to show the details of all the alarms present in the device.   Fixed Issues   Fixed Issue APC Operating System Downloading the Event Log via the Web UI works as expected when the language is set to Japanese. APDU9•••, AP8•••, AP7•••B, and AP71••B Applications If the slave ID is unavailable, Modbus will display the error message Slave Device Failure for the register addresses. Modbus will display a value of -1 for the Peak Temperature Capture Time if the T/TH sensor is not connected to the device. Modbus can read values for the Outlet Layout Description even if the T/TH sensor is not connected to the device. No Invalid Value error message appears for the TH/T sensor when the config.ini file is uploaded. If a sensor is not connected to the device, none of the interfaces will display any parameter values. Invalid threshold values for the Temperature and Humidity parameters are not permitted. If an invalid value is set for the wait parameter in the cold start delay, the Immediate and Never options in the device configuration will remain inactive. The Bank and Phrase current thresholds now support decimal values to the tenth place. This feature is available in the web UI, CLI, SNMP and the config.ini file. New OIDs have been added to accommodate this change in the SNMP interfaces. The Range value (1-99) for Network-LED blink duration is specified on the NMC web page. Security Update APC Operating System   The following security vulnerabilities have been addressed in this release: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor SSH Cipher Block Chaining (CBC) cipher has been removed. CWE-523: Unprotected Transport of Credentials. Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. CWE-319: Cleartext Transmission of Sensitive Information. The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. The user is now referenced as an index rather than their username, for example: NMC/KrtUvuh39YtQmHbyua297g/usercfg.htm?user=2 CWE-863: Incorrect Authorization The Network-Only user can only perform actions in the Web UI relevant to the user access level. CWE-20: Improper Input Validation Incoming BACnet packet sizes are now validated. CWE-598: Use of GET Request Method With Sensitive Query Strings. This software uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. Configuration of HSTS is now independent from HTTP or HTTPS configuration. When HSTS is enabled an STS header is added to all responses over HTTPS.       Known Issues   Known Issue APC Operating System None APDU9•••, AP8•••, AP7•••B, and AP71••B Applications None   Hash Signatures   Signatures apc_hw21_rpdu2g_2-5-2-5.nmc3 MD5 Hash ab15bc39c0fefc5e32d60d1b202ec55e SHA-1 7f0d9f556adcda8fc857069a05164e9ec92520b0 SHA-256 aea4d0d7face6d39f2168916bb0508e5ba9dcfcf3a912ebcbc19c73ecb12c78c