<<< Date Index >>>     <<< Thread Index >>>

APC Security Advisory - PowerChute Network Shutdown's Web Interface Only Supports HTTP



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
APC Security Advisory - PowerChute Network Shutdown's Web Interface
Only Supports HTTP
 
Problem Summary:
PowerChute Network Shutdown's web interface is only accessible via
HTTP, which is not a cryptographically secure protocol.  User
authentication is performed using HTTP 1.1 authentication, therefore
passwords are transmitted as base-64 encoded plaintext from the
user's
browser to the server during login.  After successful login all data
transmitted between the user's browser and the server is also
plaintext.  PowerChute Network Shutdown does not have an option to
enable cryptographically secure web access.  Additionally, PowerChute
Network Shutdown allows an unlimited number of login attempts to its
web interface without any lockout period or notification.
 
Severity Level
Important
 
Affected Products:
All versions of PowerChute Network Shutdown.
 
Mitigating Factors:
1. Typically servers with PowerChute Network Shutdown are on a
protected corporate LAN and are therefore afforded a minimal level of
protection.
 
2. Many networks utilize Layer 2 and 3 switches that make it more
difficult to capture network traffic going between the browser and
the
server.
 
Recommendations and workarounds:
1. Only log into PowerChute Network Shutdown from
http://localhost:3052.
 
Use a browser on the same server that PowerChute Network Shutdown is
running to access the web interface.  This prevents any traffic from
being transmitted onto the network and eliminates the potential for
password snooping.
 
2. Enable a local server firewall rule to block any remote access to
TCP port 3052.
 
This can be used in conjunction with number one to prevent the
possibility of any remote user accessing PowerChute Network Shutdown.
 
3. Disable the web interface.
 
Disabling the Web Interface prevents any user from accessing the web
interface from anywhere.  However, since the web interface of
PowerChute Network Shutdown is the only way to view status and logs
and make configuration changes, APC does not recommend this option.
Search APC's Knowledge Base for this advisory to view instructions
on how to disable the PowerChute Network Shutdown web interface.
 
Exploitation and Public Announcements:
APC is not aware of any malicious use of the vulnerabilities
described
in this advisory.
 
The vulnerability described in this advisory was reported by James
Gaffney.
 
Status of this notice: ACTIVE
 
THIS IS AN ACTIVE ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE
ACCURACY
OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED
TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED
VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE
FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY
UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF
THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE
FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT
INFORMATION OR CONTAIN FACTUAL ERRORS.
 
IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR
EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NO LIMITED TO, LOSS
OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE
INFORMATION
CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT
(INCLUDING
NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OR THE
POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF
ESSENTIAL PURPOSE OF ANY REMEDY.
 
Distribution:
This bulletin and any future updates will be posted to APC's website.
 
Revisions:
Revision 1.0 - Initial public release.
 
References:
None.
 
Copyright:
This notice is Copyright 2005 by American Power Conversion
Corporation. This notice may be redistributed freely after the
release
date given at the top of the text, provided that redistributed copies
are complete and unmodified, and include all date and version
information.
 
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
 
iQA/AwUBQ3CYn4SPqbaFzuaMEQLdPgCfTQmI+PMr9oj4atwEkYii7SV3w78AoKgC
ShngDnT888NqIBiO0WbVqt8/
=DKcV
-----END PGP SIGNATURE-----