APC Security Advisory - Denial of Service Vulnerability with PowerChute Business Edition

Problem Summary
A non'privileged user could cause a denial of service attack on
PowerChute Business Edition servers and agents, preventing authorized
users from accessing them through the PowerChute Business Edition
console (see 'Affected Products' to find out if your version of
software is affected).

Severity Level
Important

Affected Products
All versions of PowerChute Business Edition between 6.0 and 7.0.1
(inclusive) are affected. See 'Recommendations and workarounds' for
more details on rectifying the problem.

Mitigating Factors
This vulnerability affects the accessibility of PowerChute Business
Edition servers and agents, but does not affect the software's
primary function of gracefully shutting down in the event of a power
related event.

Recommendations and workarounds
Customers should upgrade to version 7.0.2 of PowerChute Business
Edition or patch their existing version of software. Both the full
release and patch can be downloaded directly from APC's website at
http://www.apc.com/tools/download/index.cfm 

Exploitation and Public Announcements
APC is not aware of any malicious use of the vulnerability described
in this advisory. The discovery and documentation of this
vulnerability was conducted by the Qualys Security Research Team.
For more information about the Qualys Security Research Team, visit
their website at http://www.qualys.com 

Status of this notice: ACTIVE
THIS IS AN ACTIVE ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE
ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE
BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE
ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME
MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN
THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR
PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY IS AN UNCONTROLLED
COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.
IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR
EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NO LIMITED TO, LOSS
OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE
INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR
TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN
ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE
FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.

Distribution
This bulletin and any future updates will be posted to APC's web
site.

Revisions
Revision 1.0
Initial Public Release

Copyright
This notice is Copyright © 2004 by American Power Conversion
Corporation. This notice may be redistributed freely provided that
redistributed copies are complete and unmodified, and include all
date and version information.