SEVD-2020-174-01

SEVD-2020-174-01 PUBLISHED

Schneider Electric became aware of multiple vulnerabilities affecting Treck Inc.'s embedded TCP/IP stack, collectively known as Ripple20, which Treck publicly disclosed on June 16, 2020. Schneider Electric is also aware of a proof of concept published by JSOF that demonstrates how one of the Treck vulnerabilities, CVE-2020-11901, can be exploited to affect a Schneider Electric APC SmartUPS device using certain Network Management Card firmware versions.

On October 12, 2020, Schneider Electric received additional information and analysis from JSOF related to CVE-2020-11901's impact on APC by Schneider Electric Network Management Cards and NMC embedded devices. This new analysis indicates that the information we originally received was incomplete. Therefore, our original remediations are only partially effective for CVE-2020-11901. We are expediting updated remediations, which will be made available as soon as possible. In the meantime, customers should immediately apply the mitigations included in the Remediation & Mitigations section of this document.

June 2021 Update: Added remediations for Uninterruptible Power Supply (UPS), Rack Power Distribution Units (rPDU), Battery Management, Rack Automatic Transfer Switch (ATS), Rack Air Removal Unit (RARU) using NMC1, as well as all other remaining NMC1 applications.

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Schneider Electric | Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9630/AP9630CH/AP9630J | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | Uninterruptible Power Supply (UPS) using NMC1 - SUMX AP9619 (discontinued in Sep 2012) | Smart-UPS NMC1 v3.9.2 and earlier |
| Schneider Electric | Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9635/AP9635CH | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | Uninterruptible Power Supply (UPS) using NMC3 Network Management Card 3 (NMC3) SmartSlot card models: AP9641/AP9641J | NMC3 AOS V1.3.0.6 and earlier |
| Schneider Electric | Uninterruptible Power Supply (UPS) using NMC1 - SUMX AP9618 (discontinued in Jan 2017) | Smart-UPS NMC1 v3.9.2 and earlier |
| Schneider Electric | Uninterruptible Power Supply (UPS) using NMC1 - SUMX Smart-UPS models embedded with NMC1 | Smart-UPS NMC1 v3.9.2 and earlier |
| Schneider Electric | APC 3-Phase Power Distribution Products: Modular PDU/RPP (XRDP2G) | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9631/AP9631CH/AP9631J | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | APC Rack Power Distribution Units (rPDU) Embedded NMC1: Metered/Switched Rack PDUs with embedded NMC1 - AP78XX, AP79XX | NMC1 AOS V3.9.2 and earlier |
| Schneider Electric | Rack Automatic Transfer Switches (ATS) Embedded NMC2: Rack Automatic Transfer Switches - AP44XX | NMC2 AOS V6.8.8 and earlier |
| Schneider Electric | APC 3-Phase Power Distribution Products: 400 and 500 kVA PMM (PMM) | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | Uninterruptible Power Supply (UPS) using NMC1 - SUMX AP9617 (discontinued in Nov 2011) | Smart-UPS NMC1 v3.9.2 and earlier |
| Schneider Electric | Rack Automatic Transfer Switches (ATS) Embedded NMC1: Rack Automatic Transfer Switches - AP77XX | NMC1 AOS v3.9.2 and earlier |
| Schneider Electric | APC 3-Phase Power Distribution Products: InfraStruXure 150kVA PDU with 84 poles (X84P) | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | APC 3-Phase Power Distribution Products: InfraStruXure 40 and 60 kVA PDU (XPDU) | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | APC Rack Power Distribution Units (rPDU) Embedded NMC2: 2G Metered/Switched Rack PDUs with embedded NMC2 | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | APC 3-Phase Power Distribution Products: Modular 150 and 175 kVA PDU NAM (XRDP) | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | Battery Management Embedded NMC2 - Battery Manager - AP9922 | NMC2 AOS V6.9.4 and earlier |
| Schneider Electric | Uninterruptible Power Supply (UPS) using NMC3 Network Management Card 3 (NMC3) SmartSlot card models: AP9640/AP9640J | NMC3 AOS V1.3.0.6 and earlier |
| Schneider Electric | APC Rack Power Distribution Units (rPDU) Embedded NMC2: AP84XX, AP86XX, AP88XX, AP89XX | NMC2 AOS V6.9.4 and earlier |

Timeline

  • Jun 22, 2020 CVE Published
  • Jun 30, 2021 CVE Updated