PCI security compliance reports PowerChute Network Shutdown version 4.2 is vulnerable to Sweet32 (CVE-2016-2183)
Product Line:
PowerChute Network Shutdown (PCNS) version 4.2
Environment:
All supported OS
Cause:
PCNS 4.2 offers the following cipher suites on its HTTPS port (you can see this by running sslscan against port 6547):
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
The DES-CBC3-SHA cipher suite is the one being flagged by PCI compliance scans for CVE-2016-2183. It uses 3DES (which Java names DESede), a cipher with a 64-bit block size; Sweet32 is a birthday attack against 64-bit block ciphers, so the remediation is to stop offering the suite.
Solution:
Update PCNS 4.2 to the latest version.
Alternatively, you can disable the use of this cipher in the JRE bundled with PCNS as follows. Because the change lives in that bundled JRE, re-check the setting after any PCNS upgrade or JRE replacement, and confirm with another sslscan against port 6547 that DES-CBC3-SHA no longer appears as Accepted.
On Windows
1. Stop the PowerChute Network Shutdown service.
You can do this via Administrative Tools/Services or from the command line (Run as administrator) with the following command:
net stop pcns1
2. In the PowerChute Network Shutdown JRE folder located in (C:\Program Files\APC\PowerChute\jre_x64), open the file lib\security\java.security using a text editor.
Go to the line containing the jdk.tls.disabledAlgorithms setting and add DESede to the list of disabled algorithms
e.g. jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DESede, DH keySize < 768
3. Start the PowerChute Network Shutdown service.
You can do this via Administrative Tools/Services or from the command line (Run as administrator) with the following command:
net start pcns1
On Linux
1. Stop the PowerChute Network Shutdown service.
You can do this from a terminal (as root) with the following command:
service PowerChute stop
2. In the PowerChute Network Shutdown JRE folder located in /opt/APC/PowerChute/jre1.8.0_91 (the folder name varies with the bundled JRE version), open the file lib/security/java.security using a text editor.
Go to the line containing the jdk.tls.disabledAlgorithms setting and add DESede to the list of disabled algorithms
e.g. jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DESede, DH keySize < 768
3. Start the PowerChute Network Shutdown service.
You can do this from a terminal (as root) with the following command:
service PowerChute start
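As an added example, not part of this article or of any Schneider Electric tooling: a POSIX shell script that performs the java.security edit from the Windows and Linux steps above idempotently (it handles the single-line jdk.tls.disabledAlgorithms value shown here and the backslash-continued form found in newer Java 8 updates), and that checks a saved sslscan report for any accepted 3DES suite. The paths and service commands in the usage comment are those given in this article; the function names, the backup-file convention, and the assumption that sslscan prints accepted suites on lines beginning with "Accepted" (as in the Cause section above) are my own.

```shell
#!/bin/sh
# Add DESede (3DES, the JSSE name behind DES-CBC3-SHA) to jdk.tls.disabledAlgorithms
# in a java.security file, and verify an sslscan report afterwards.

# Print the effective value of jdk.tls.disabledAlgorithms, joining any
# backslash-continued lines so the whole list is inspected.
disabled_algorithms() {
  awk '
    /^jdk\.tls\.disabledAlgorithms=/ { inprop = 1; sub(/^[^=]*=/, "") }
    inprop {
      line = $0
      cont = (line ~ /\\[[:space:]]*$/)
      sub(/\\[[:space:]]*$/, "", line)
      out = out line
      if (!cont) { inprop = 0 }
    }
    END { print out }
  ' "$1"
}

# Exit 0 when DESede is already in the list (entries are comma-separated), 1 otherwise.
desede_disabled() {
  disabled_algorithms "$1" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx 'DESede'
}

# Insert DESede at the head of the list, which works whether the value sits on
# one line or is spread over continuation lines. Keeps a .bak copy of the file.
disable_desede() {
  f="$1"
  grep -q '^jdk\.tls\.disabledAlgorithms=' "$f" \
    || { echo "no jdk.tls.disabledAlgorithms property in $f" >&2; return 2; }
  if desede_disabled "$f"; then return 0; fi   # already done: idempotent
  cp "$f" "$f.bak" || return 1
  sed 's/^jdk\.tls\.disabledAlgorithms=/&DESede, /' "$f.bak" > "$f"
}

# Given a saved sslscan report, exit 0 only if no accepted suite uses 3DES.
# Assumes sslscan's "Accepted ..." line format shown in the Cause section.
no_3des_accepted() {
  ! grep -E '^Accepted' "$1" | grep -qiE 'DES-CBC3|3DES'
}

# Usage on Linux (as root), mirroring the manual steps in the article:
#   service PowerChute stop
#   disable_desede /opt/APC/PowerChute/jre1.8.0_91/lib/security/java.security
#   service PowerChute start
#   sslscan --no-colour localhost:6547 > /tmp/pcns-scan.txt
#   no_3des_accepted /tmp/pcns-scan.txt && echo "DES-CBC3-SHA no longer offered"
# On Windows the same disable_desede function applies to
# C:\Program Files\APC\PowerChute\jre_x64\lib\security\java.security when run from a
# POSIX shell; stop and start the service with "net stop pcns1" / "net start pcns1".
```

Inserting DESede at the front rather than appending avoids having to find the true end of a multi-line value, and the pre-check makes repeated runs (for example from configuration management after every PCNS upgrade) safe.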