-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APC Security Advisory - PowerChute Network Shutdown's Web Interface Only Supports HTTP Problem Summary: PowerChute Network Shutdown's web interface is only accessible via HTTP, which is not a cryptographically secure protocol. User authentication is performed using HTTP 1.1 authentication, therefore passwords are transmitted as base-64 encoded plaintext from the user's browser to the server during login. After successful login all data transmitted between the user's browser and the server is also plaintext. PowerChute Network Shutdown does not have an option to enable cryptographically secure web access. Additionally, PowerChute Network Shutdown allows an unlimited number of login attempts to its web interface without any lockout period or notification. Severity Level Important Affected Products: All versions of PowerChute Network Shutdown. Mitigating Factors: 1. Typically servers with PowerChute Network Shutdown are on a protected corporate LAN and are therefore afforded a minimal level of protection. 2. Many networks utilize Layer 2 and 3 switches that make it more difficult to capture network traffic going between the browser and the server. Recommendations and workarounds: 1. Only log into PowerChute Network Shutdown from http://localhost:3052. Use a browser on the same server that PowerChute Network Shutdown is running to access the web interface. This prevents any traffic from being transmitted onto the network and eliminates the potential for password snooping. 2. Enable a local server firewall rule to block any remote access to TCP port 3052. This can be used in conjunction with number one to prevent the possibility of any remote user accessing PowerChute Network Shutdown. 3. Disable the web interface. Disabling the Web Interface prevents any user from accessing the web interface from anywhere. However, since the web interface of PowerChute Network Shutdown is the only way to view status and logs and make configuration changes, APC does not recommend this option. Search APC's Knowledge Base for this advisory to view instructions on how to disable the PowerChute Network Shutdown web interface. Exploitation and Public Announcements: APC is not aware of any malicious use of the vulnerabilities described in this advisory. The vulnerability described in this advisory was reported by James Gaffney. Status of this notice: ACTIVE THIS IS AN ACTIVE ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY THAT OMITS THE DISTRIBUTION URL IN THE FOLLOWING SECTION IS AN UNCONTROLLED COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS. IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NO LIMITED TO, LOSS OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY. Distribution: This bulletin and any future updates will be posted to APC's website. Revisions: Revision 1.0 - Initial public release. References: None. Copyright: This notice is Copyright 2005 by American Power Conversion Corporation. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQ3CYn4SPqbaFzuaMEQLdPgCfTQmI+PMr9oj4atwEkYii7SV3w78AoKgC ShngDnT888NqIBiO0WbVqt8/ =DKcV -----END PGP SIGNATURE-----