Welcome to the new Schneider Electric Community

It's your place to connect with experts and peers, get continuous support, and share knowledge.

  • Explore the new navigation for even easier access to your community.
  • Bookmark and use our new, easy-to-remember address (community.se.com).
  • Get ready for more content and an improved experience.

Contact SchneiderCommunity.Support@se.com if you have any questions.

Close
Invite a Co-worker
Send a co-worker an invite to the Exchange portal.Just enter their email address and we’ll connect them to register. After joining, they will belong to the same company.
Send Invite Cancel
84673members
354017posts

APC PowerChute uses SSL on TCP port 2161?

APC UPS Data Center & Enterprise Solutions Forum

Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.

Solved
Taed_apc
Crewman
Crewman
0 Likes
16
2782

APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 3/19/2008


We are using APC PowerChute Business Edition 7.0.4 on a Windows Server 2003 machine. I ran the QualysGuard security scanner against it, and it reports two "serious" problems with TCP port 2161 used by APC: SSL Server Allows Anonymous Authentication Vulnerability and SSL Server Supports Weak Encryption Vulnerability. These summarize that the scanner was able to connect using SSL and either no encryption (anonymous) or 40-bit encryption.

First, I'm not convinced that this isn't a false positive. Can anyone confirm that APC PowerChute uses SSL to connect between the client and management server (I think that's what port 2161 is for)? I could find nothing via Google or on the APC web site to that effect. Note that I'm just talking about PowerChute with standard APC batteries -- not those fancy ones that do actually have built-in SSL security.

I tried configuring the cyphers on Windows as per various MS Knowledge Base articles to disable all of the ciphers less than 128-bit this way (edited for brevity, though I attached the full file):
-\Registry\Machine\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
--DES 56/56
---Enabled = REG_DWORD 0
--NULL
---Enabled = REG_DWORD 0
--RC2 128/128
---Enabled = REG_DWORD 0xffffffff

I expected that would fix the issue, but it did not -- same issue with it allegedly using NULL / anonymous and 40-bit ciphers.

Did I not change enough registry settings? Does APC PowerChute use its own SSL that isn't affected by those Windows registry keys?

Does anyone have any information about this issue that could help me? (The machine is not allowed on our network unless it passes the security scan.)


Accepted Solutions
BillP
Administrator Administrator
Administrator
0 Likes
0
2782

Re: APC PowerChute uses SSL on TCP port 2161?

This reply was originally posted by Angela on APC forums on 3/25/2009


has anyone confirmed this is happening with the latest PCBE agent version - 8.0.1?

See Answer In Context

16 Replies 16
thezone72_apc
Cadet
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 1/18/2010


I can confirm that 8.01 does not resolve the issue at this point. However, I am working with an APC senior tech.

If we can resolve, I will post the fix...

Erasmus_apc
Sisko
Sisko
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 2/4/2010


Could you please identify the individual you are working with so we can possibly coordinate on our side? Several of our "Senior Technical"-type employees post on these forums. Respond via Private Message by using the message center at the top of the Forum page. Thanks.

morecomplete_apc
Ensign
Ensign
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 7/21/2014


Running v9.0.2.614 and this vulnerability is still showing up. Is there any configuration that can be done to correct this?

BillP
Administrator Administrator
Administrator
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This reply was originally posted by Bill on APC forums on 7/22/2014


Hi,

Please be more specific as to how you are testing and what the results are.

Thanks,

morecomplete_apc
Ensign
Ensign
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 7/22/2014


Testing with NESSUS reveals that the powerchute software allows the use of anonymous SSL ciphers.

I did a search and there have been other threads on this and as far as I can tell no resolution...

BillP
Administrator Administrator
Administrator
0 Likes
0
2782

Re: APC PowerChute uses SSL on TCP port 2161?

This reply was originally posted by Bill on APC forums on 7/22/2014


Hi,

Angela address the anonymous SSL cipher on Mach 18 2009.

"We do accept (rather expect) anonymous authentication for the initial connection, but we immediately issue a challenge for renegotiation using a secure cipher. If the client doesn't meet this challenge and respond back using the appropriate cipher, we kill the connection. There is also yet another custom challenge phase in place after the renegotiation to the secure channel, but that is kind of beyond the point.

In short, we accept the anonymous connection INITIALLY, but we don't stay on it and no real communication can take place until the renegotiation phase is complete."


Hope this alleviates your concern if not you can uninstall the PowerChute Server service and PowerChute Console and just utilize the PowerChute Agent web interface. The communication on port 2161, 2160, 2260 is between the Agent - Server and the Server - Console. The Agent interface utilizes port 6547.


scontrer_apc
Cadet
0 Likes
0
2782

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 3/18/2009


Hello,

I'm facing the same issue.
Were this case elucidated?

Best regards.

BillP
Administrator Administrator
Administrator
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This reply was originally posted by Angela on APC forums on 3/18/2009


Hi everyone

FYI in regards to this concern:

We do accept (rather expect) anonymous authentication for the initial connection, but we immediately issue a challenge for renegotiation using a secure cipher. If the client doesn't meet this challenge and respond back using the appropriate cipher, we kill the connection. There is also yet another custom challenge phase in place after the renegotiation to the secure channel, but that is kind of beyond the point.

In short, we accept the anonymous connection INITIALLY, but we don't stay on it and no real communication can take place until the renegotiation phase is complete.

dz3w5t_apc
Cadet
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 3/25/2009


This is a real problem for me as well. We can't deploy any servers with this app because QualysGaurd reports this vunerability. Is there any known work around?

TheNotoriousKMP_apc
Sisko
Sisko
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 3/20/2008


Let's discuss your setup for a second (as it will buy me some time before getting in the office in the morning to research this....You should hear from me after 930am EST).

Are you using just ONE instance of the Agent? If so, do you really need the server/console portion for notification and a user-friendly GUI? Would you have anything against using just the Agent and configuring the shutdown via port 3052 of its web interface if it were a problem? I'm not saying that there is, I don't posess the knowledge right now to answer that, I'm simply offering an alternate solution that may allow you to have the device on the network.

Taed_apc
Crewman
Crewman
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 3/20/2008


That is an excellent question, but no, we will be eventually be running lots of these. This is just the test system of a planned deployment of 6,500 systems. So, all of those systems will ultimately be remotely managed and monitored.

TheNotoriousKMP_apc
Sisko
Sisko
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 3/20/2008


That brings the next question (and my last one before I retire for the evening). How do you plan to centrally monitor them? 6,500 devices will be a lot of PCBE Deluxe instances. It's also 7 ISX Managers monitoring each agent via SNMP (which would be 7 Managers, plus the cost of 6 1000 node, and 1 500 node lisence key). That's a lot of systems to have to centralize monitor.

Taed_apc
Crewman
Crewman
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 3/20/2008


I don't actually know how they (the site management support group) do it; they just told us that we would be installing APC PowerChute Business Edition on each system. If it's germane, I can find out from them. It's all planned out, though; they currently have the same software running on the old systems in each of the 6,500 stores, so this new system is just an upgrade for that system. (The old system was probably not security-tested at the time, and so likely has the same "problem".)

TheNotoriousKMP_apc
Sisko
Sisko
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 3/20/2008


Taed,

I spoke to one of my software escalation contacts this morning. As of right now, we're pretty sure PCBE uses SSL, however, we can't properly escalate this while you're using 7.0.4. Can you install 7.0.5 and run the scan again to see if the vulnerability continues? If so, at that point I'll have to contact you privately regarding this.

Taed_apc
Crewman
Crewman
0 Likes
0
2780

Re: APC PowerChute uses SSL on TCP port 2161?

This was originally posted on APC forums on 3/20/2008


I installed 7.0.5 and then ran the free version of the same tool at http://www.qualys.com/products/trials/ and I see the same reported security issues.

BillP
Administrator Administrator
Administrator
0 Likes
0
2783

Re: APC PowerChute uses SSL on TCP port 2161?

This reply was originally posted by Angela on APC forums on 3/25/2009


has anyone confirmed this is happening with the latest PCBE agent version - 8.0.1?