Re: Fw: APC 9606 SmartSlot Web/SNMP management card "backdoor" - MORE PROBLEMS

[Keith Clifton <clifton () zoomnet net>]

The fix is already released.  I'm testing it on a 9211 Masterswitch with a
AP9606 web management card.  So far so good.

http://www.apcc.com/tools/download/

I went to "Update patch for APC MasterSwitch" on that page.  Then I
grabbed both files.

First, you ftp into your Masterswitch.  Using binary transfer, I upload
the AOS file.  After the transfer completed, the unit rebooted on its
own.  After about 10 or 15 seconds, I ftp'ed into the Masterswitch again,
and uploaded the APP file using binary transfer.  This has to be done in
order according to APC's tech's.

This information doesn't appear to be anywhere on apc.com.  I had to get
this information from an APC tech rep by calling their 800 number.

-- Keith

On Tue, 17 Feb 2004, James Green wrote:

> On Tuesday 17 Feb 2004 6:23 pm, thiago.vazquez () light com br wrote:
> > We have many products from APC and we've tested that vulnerability in some
> > of them and ..... following are the results.
>
> [ snip ]
>
> According to a Matias Kvaternik at APC (US) today, the bug was discovered 
> after the AP9606 was discontinued (we bought some less than one year ago), 
> and the engineering team has "no fix in the pipeline". He advises us to 
> switch off telnet access.
>
> I would imagine most APC products are installed to last for a good three to 
> six years - upgrading power hardware is probably about as practical as 
> upgrading a load of networking equipment. I'm surprised, indeed disappointed, 
> that APC doesn't appear to provide critical security fixes for these 
> discontinued products; although I do only speak from very limited experience 
> of APC.
>
>
> James Green