{}

Our Brands

Impact-Company-Logo-English Black-01-177x54

Welcome to the Schneider Electric Website

Welcome to our website.
How can we help you today?
Security Notification: "GHOST" vulnerability (CVE-2015-0235) - impact to APC products
Issue

Does the Linux GHOST vulnerability (CVE-2015-0235) affect APC products?


Product Line
  • StruxureWare Data Center Expert (DCE)
  • StruxureWare Data Center Operation (DCO)
  • NetBotz Appliances
  • APC Network Management Cards
  • APC InfraStruXure Manager
  • APC Digital IP KVM Switches (KVM1116P, KVM2116P, KVM2132P)
  • PowerChute Network Shutdown Virtual Appliance


Environment

Linux/Unix Systems that utilize the GNU C Library (glibc).

Cause

A security problem has been found and patched in the GNU C Library called Glibc. It was announced on 27th January 2015. More information is available via US-CERT and other similar Cyber Security sources.

Resolution

02-FEBRUARY-2015

Information Notice: GHOST Vulnerability

Symptom - On 27-JAN-2015, the GNU C (glibc) Vulnerability, also called the "GHOST" Vulnerability (CVE-2015-0235) was detected and published by several Cyber Security outlets.

Effect - The vulnerability is a buffer overflow in the __nss_hostname_digits_dots() function used by gethostbyname() function calls and it allows arbitrary code execution from unauthenticated users.. It is called the GHOST vulnerability because it can be triggered by calling the gethostbyname() functions.

Detailed Overview (via US-CERT)

The Linux GNU C Library (glibc) versions prior to 2.18 are vulnerable to remote code execution via a vulnerability in the gethostbyname function. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Linux distributions employing glibc-2.18 and later are not affected.

US-CERT recommends users and administrators refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch if affected.



Schneider Electric's IT Business has conducted a vulnerability assessment on the following platforms and found the status of the current shipping versions as follows:
  • StruxureWare Data Center Operation (DCO) v7.4.X is operating a version of Linux which is affected. A patch for this vulnerability is available now at DCIM Support (link) and the vulnerability will be solved with the next release of StruxureWare Data Center Operation.
Resolution: Use the instructions available via DCIM Support (link) to patch DCO.
  • StruxureWare Data Center Expert (DCE) v7.2.6 is currently operating a version of Linux which is affected. All earlier versions are also affected. An hotfix was available through your local tech support, but all necessary fixes are implemented starting with Data Center Expert v7.2.7.  Contact your local technical support to have your software support verified and to be provided with upgrades.
  • NetBotz Appliances do not utilize the GNU C Library and are therefore not affected.
  • All Network Management Card (NMC) Applications do not utilize the GNU C Library and are therefore not affected.
  • All versions of ISX Manager (ISXM) are termed End Of Life, no updates will be made available for this platform.

Cyber Security is an important element of Schneider Electric's commitment to software quality. Regular vulnerability assessment and further investigation is ongoing on other Schneider Electric platforms in addition to the above and will be detailed if discovered. No other APC products or product families are known to be impacted at this time. Any identified additional impacts will be relayed to our customers in a timely manner via an updated disclosure.

Schneider Electric India

Explore more
Range:
Articles that might be helpful Users group

Discuss this topic with experts

Visit our Community for first-hand insights from experts and peers on this topic and more.
Explore more
Range: