SEVD-2020-174-01

Vulnerability from csaf_se - Published: 2020-06-22 00:00 - Updated: 2021-06-30 00:00
Summary
APC by Schneider Electric Network Management Cards (NMC) and NMC Embedded Devices

Notes

General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.

https://www.se.com/us/en/download/document/7EN52-0390/

* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.

For further information related to cybersecurity in Schneider Electric’s products, visit the company’s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp
LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION
About Schneider Electric
At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment. We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries. We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values. www.se.com
Overview
Schneider Electric became aware of multiple vulnerabilities affecting Treck Inc.'s embedded TCP/IP stack, collectively known as Ripple20, which Treck publicly disclosed on June 16, 2020. Schneider Electric is also aware of a proof of concept published by JSOF that demonstrates how one of the Treck vulnerabilities, CVE-2020-11901, can be exploited to affect a Schneider Electric APC Smart-UPS device using certain Network Management Card firmware versions.

On October 12, 2020, Schneider Electric received additional information and analysis from JSOF related to CVE-2020-11901’s impact on APC by Schneider Electric Network Management Cards and NMC embedded devices. This new analysis indicates that the information we originally received was incomplete. Therefore, our original remediations are only partially effective for CVE-2020-11901. We are expediting updated remediations, which will be made available as soon as possible. In the meantime, customers should immediately apply the mitigations included in the Remediation & Mitigations section of this document.

June 2021 Update: Added remediations for Uninterruptible Power Supply (UPS), Rack Power Distribution Units (rPDU), Battery Management, Rack Automatic Transfer Switch (ATS), Rack Air Removal Unit (RARU) using NMC1, as well as all other remaining NMC1 applications.

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "We strongly recommend the following industry cybersecurity best practices.\n\nhttps://www.se.com/us/en/download/document/7EN52-0390/\n* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.\n* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.\n* Place all controllers in locked cabinets and never leave them in the \u201cProgram\u201d mode.\n* Never connect programming software to any network other than the network intended for that device.\n* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.\n* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.\n* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.\n* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.\nFor more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. \n",
        "title": "General Security Recommendations"
      },
      {
        "category": "general",
        "text": "This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.\nFor further information related to cybersecurity in Schneider Electric\u2019s products, visit the company\u2019s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp",
        "title": "For More Information"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS \u201cNOTIFICATION\u201d) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN \u201cAS-IS\u201d BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND.  SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION",
        "title": "LEGAL DISCLAIMER"
      },
      {
        "category": "general",
        "text": "At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment.\n\nWe provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.\n\nWe are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values.\n\nwww.se.com ",
        "title": "About Schneider Electric"
      },
      {
        "category": "summary",
        "text": "Schneider Electric became aware of multiple vulnerabilities affecting Treck Inc.\u0027s embedded TCP/IP \r\nstack, collectively known as Ripple20, which Treck publicly disclosed on June 16, 2020. Schneider \r\nElectric is also aware of a proof of concept published by JSOF that demonstrates how one of the \r\nTreck vulnerabilities, CVE-2020-11901, can be exploited to affect a Schneider Electric APC Smart\u0002UPS device using certain Network Management Card firmware versions. \r\nOn October 12, 2020, Schneider Electric received additional information and analysis from JSOF\r\nrelated to CVE-2020-11901\u2019s impact on APC by Schneider Electric Network Management Cards and \r\nNMC embedded devices. This new analysis indicates that the information we originally received was \r\nincomplete. Therefore our original remediations are only partially effective for CVE-2020-11901. We \r\nare expediting updated remediations, which will be made available as soon as possible. In the \r\nmeantime, customers should immediately apply the mitigations included in Remediation \u0026 Mitigations\r\nsection of this document.\r\nJune 2021 Update: Added remediations for Uninterruptible Power Supply (UPS), Rack Power \r\nDistribution Units (rPDU), Battery Management, Rack Automatic Transfer Switch (ATS), Rack Air \r\nRemoval Unit (RARU) using NMC1, as well as all other remaining NMC1 applications.",
        "title": "Overview"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "cpcert@se.com",
      "name": "Schneider Electric CPCERT",
      "namespace": "https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp"
    },
    "references": [
      {
        "category": "self",
        "summary": "APC by Schneider Electric Network Management Cards (NMC) and NMC Embedded Devices - SEVD-2020-174-01 PDF Version",
        "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-174-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2020-174-01_APC_by_Schneider_Electric_Network_Management_Card_Security_Notification_V2.3.pdf"
      },
      {
        "category": "self",
        "summary": "APC by Schneider Electric Network Management Cards (NMC) and NMC Embedded Devices - SEVD-2020-174-01 CSAF Version",
        "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2020-174-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=sevd-2020-174-01.json"
      },
      {
        "category": "external",
        "summary": "Recommended Cybersecurity Best Practices",
        "url": "https://www.se.com/us/en/download/document/7EN52-0390/"
      }
    ],
    "title": "APC by Schneider Electric Network Management Cards (NMC) and NMC Embedded Devices",
    "tracking": {
      "current_release_date": "2021-06-30T00:00:00.000Z",
      "generator": {
        "date": "2021-06-30T00:00:00Z",
        "engine": {
          "name": "Schneider Electric CSAF Generator",
          "version": "1.2"
        }
      },
      "id": "SEVD-2020-174-01",
      "initial_release_date": "2020-06-22T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2020-06-22T00:00:00.000Z",
          "number": "1.0.0",
          "summary": "Original Release"
        },
        {
          "date": "2020-06-23T00:00:00.000Z",
          "number": "1.1.0",
          "summary": "Updated Affected Products \u0026 Details and Vulnerability Details \r\nsections formatting for clarity (pages 2-5) "
        },
        {
          "date": "2020-08-05T00:00:00.000Z",
          "number": "1.2.0",
          "summary": "Updated remediation for \u201cUninterruptible Power Supply (UPS) using \r\nNMC2\u201d (page 2)"
        },
        {
          "date": "2020-08-06T00:00:00.000Z",
          "number": "1.3.0",
          "summary": "Corrected affected version(s) and enhanced Remediation/Mitigation\r\nversion details for \u201cUninterruptible Power Supply (UPS) using NMC2\u201d \r\n(page 2)"
        },
        {
          "date": "2020-09-01T00:00:00.000Z",
          "number": "1.4.0",
          "summary": "Added remediation for Cooling Products using NMC2 (page 2)"
        },
        {
          "date": "2020-10-23T00:00:00.000Z",
          "number": "2.0.0",
          "summary": "Updated overview section, available remediations and affected \r\nproducts tables. New information regarding CVE-2020-11901. Added \r\nremediations for \u201cAPC 3-Phase Power Distribution Products\u201d, \u201cAPC Rack Power Distribution Units (PDU)\u201d, :Rack Automatic Transfer \r\nSwitches (ATS)\u201d, \u201cEnvironmental Monitoring\u201d (page 1-6)"
        },
        {
          "date": "2020-12-18T00:00:00.000Z",
          "number": "2.1.0",
          "summary": "Added remediations for Uninterruptible Power Supply (UPS) using \r\nNMC2, APC 3-Phase Power Distribution Products using NMC2, APC \r\nRack Power Distribution Units (PDU) using NMC2, Rack Automatic \r\nTransfer Switches (ATS) using NMC2, Environmental Monitoring\r\nusing NMC2, Cooling Products using NMC2 (page 2-4) "
        },
        {
          "date": "2021-01-12T00:00:00.000Z",
          "number": "2.2.0",
          "summary": "Added remediations for Uninterruptible Power Supply (UPS) using \r\nNMC3 (page 2)"
        },
        {
          "date": "2021-06-30T00:00:00.000Z",
          "number": "2.3.0",
          "summary": "Added remediations for Uninterruptible Power Supply (UPS), Rack \r\nPower Distribution Units (rPDU), Battery Management, Rack \r\nAutomatic Transfer Switch (ATS), Rack Air Removal Unit (RARU) \r\nusing NMC1, as well as all other remaining NMC1 applications (page \r\n2, 4-6)"
        }
      ],
      "status": "final",
      "version": "2.3.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9630/AP9630CH/AP9630J NMC2 AOS V6.9.4 and earlier",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9630/AP9630CH/AP9630J"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9631/AP9631CH/AP9631J NMC2 AOS V6.9.4 and earlier",
                  "product_id": "2"
                }
              }
            ],
            "category": "product_name",
            "name": "Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9631/AP9631CH/AP9631J"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9635/AP9635CH NMC2 AOS V6.9.4 and earlier",
                  "product_id": "3"
                }
              }
            ],
            "category": "product_name",
            "name": "Uninterruptible Power Supply (UPS) using NMC2 1-Phase and 3-Phase UPS models including Smart-UPS, Symmetra, and Galaxy with Network Management Card 2 (NMC2): AP9635/AP9635CH"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=Smart-UPS NMC1 3.9.2",
                "product": {
                  "name": "Schneider Electric Uninterruptable Power Supply (UPS) using NMC1 - SUMX AP9617 (discontinued in Nov 2011)  Smart-UPS NMC1 v3.9.2 and earlier",
                  "product_id": "4"
                }
              }
            ],
            "category": "product_name",
            "name": "Uninterruptable Power Supply (UPS) using NMC1 - SUMX AP9617 (discontinued in Nov 2011) "
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=Smart-UPS NMC1 3.9.2",
                "product": {
                  "name": "Schneider Electric Uninterruptable Power Supply (UPS) using NMC1 - SUMX AP9619 (discontinued in Sep 2012) Smart-UPS NMC1 v3.9.2 and earlier",
                  "product_id": "5"
                }
              }
            ],
            "category": "product_name",
            "name": "Uninterruptable Power Supply (UPS) using NMC1 - SUMX AP9619 (discontinued in Sep 2012)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=Smart-UPS NMC1 3.9.2",
                "product": {
                  "name": "Schneider Electric Uninterruptable Power Supply (UPS) using NMC1 - SUMX AP9618 (discontinued in Jan 2017) Smart-UPS NMC1 v3.9.2 and earlier",
                  "product_id": "6"
                }
              }
            ],
            "category": "product_name",
            "name": "Uninterruptable Power Supply (UPS) using NMC1 - SUMX AP9618 (discontinued in Jan 2017)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=Smart-UPS NMC1 3.9.2",
                "product": {
                  "name": "Schneider Electric Uninterruptable Power Supply (UPS) using NMC1 - SUMX Smart-UPS models embedded with NMC1 Smart-UPS NMC1 v3.9.2 and earlier",
                  "product_id": "7"
                }
              }
            ],
            "category": "product_name",
            "name": "Uninterruptable Power Supply (UPS) using NMC1 - SUMX Smart-UPS models embedded with NMC1"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC3 AOS 1.3.0.6",
                "product": {
                  "name": "Schneider Electric Uninterruptible Power Supply (UPS) using NMC3 Network Management Card 3 (NMC3) SmartSlot card models: AP9640/AP9640J NMC3 AOS V1.3.0.6 and earlier",
                  "product_id": "8"
                }
              }
            ],
            "category": "product_name",
            "name": "Uninterruptible Power Supply (UPS) using NMC3 Network Management Card 3 (NMC3) SmartSlot card models: AP9640/AP9640J"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC3 AOS 1.3.0.6",
                "product": {
                  "name": "Schneider Electric Uninterruptible Power Supply (UPS) using NMC3 Network Management Card 3 (NMC3) SmartSlot card models: AP9641/AP9641J NMC3 AOS V1.3.0.6 and earlier",
                  "product_id": "9"
                }
              }
            ],
            "category": "product_name",
            "name": "Uninterruptible Power Supply (UPS) using NMC3 Network Management Card 3 (NMC3) SmartSlot card models: AP9641/AP9641J"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric Battery Management Embedded NMC2 - Battery Manager - AP9922 NMC2 AOS V6.9.4 and earlier",
                  "product_id": "10"
                }
              }
            ],
            "category": "product_name",
            "name": "Battery Management Embedded NMC2 - Battery Manager - AP9922"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric APC 3-Phase Power Distribution Products: InfraStruXure 150kVA PDU with 84 poles (X84P) NMC2 AOS V6.9.4 and earlier",
                  "product_id": "11"
                }
              }
            ],
            "category": "product_name",
            "name": "APC 3-Phase Power Distribution Products: InfraStruXure 150kVA PDU with 84 poles (X84P)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric APC 3-Phase Power Distribution Products: InfraStruXure 40 and 60 kVA PDU (XPDU) NMC2 AOS V6.9.4 and earlier",
                  "product_id": "12"
                }
              }
            ],
            "category": "product_name",
            "name": "APC 3-Phase Power Distribution Products: InfraStruXure 40 and 60 kVA PDU (XPDU)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric APC 3-Phase Power Distribution Products: Modular 150 and 175 kVA PDU NAM (XRDP) NMC2 AOS V6.9.4 and earlier",
                  "product_id": "13"
                }
              }
            ],
            "category": "product_name",
            "name": "APC 3-Phase Power Distribution Products: Modular 150 and 175 kVA PDU NAM (XRDP)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric APC 3-Phase Power Distribution Products: 400 and 500 kVA PMM (PMM) NMC2 AOS V6.9.4 and earlier",
                  "product_id": "14"
                }
              }
            ],
            "category": "product_name",
            "name": "APC 3-Phase Power Distribution Products: 400 and 500 kVA PMM (PMM)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric APC 3-Phase Power Distribution Products: Modular PDU/RPP (XRDP2G) NMC2 AOS V6.9.4 and earlier",
                  "product_id": "15"
                }
              }
            ],
            "category": "product_name",
            "name": "APC 3-Phase Power Distribution Products: Modular PDU/RPP (XRDP2G)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric APC Rack Power Distribution Units (rPDU) Embedded NMC2: 2G Metered/Switched Rack PDUs with embedded NMC2 NMC2 AOS V6.9.4 and earlier",
                  "product_id": "16"
                }
              }
            ],
            "category": "product_name",
            "name": "APC Rack Power Distribution Units (rPDU) Embedded NMC2: 2G Metered/Switched Rack PDUs with embedded NMC2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric APC Rack Power Distribution Units (rPDU) Embedded NMC2: AP84XX, AP86XX, AP88XX, AP89XX NMC2 AOS V6.9.4 and earlier",
                  "product_id": "17"
                }
              }
            ],
            "category": "product_name",
            "name": "APC Rack Power Distribution Units (rPDU) Embedded NMC2: AP84XX, AP86XX, AP88XX, AP89XX"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric APC Rack Power Distribution Units (rPDU) Embedded NMC1: Metered/Switched Rack PDUs with embedded NMC1 - AP78XX, AP79XX NMC1 AOS V3.9.2 and earlier",
                  "product_id": "18"
                }
              }
            ],
            "category": "product_name",
            "name": "APC Rack Power Distribution Units (rPDU) Embedded NMC1: Metered/Switched Rack PDUs with embedded NMC1 - AP78XX, AP79XX"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.8.8",
                "product": {
                  "name": "Schneider Electric Rack Automatic Transfer Switches (ATS) Embedded NMC2: - Rack Automatic Transfer Switches - AP44XX NMC2 AOS V6.8.8 and earlier",
                  "product_id": "19"
                }
              }
            ],
            "category": "product_name",
            "name": "Rack Automatic Transfer Switches (ATS) Embedded NMC2: - Rack Automatic Transfer Switches - AP44XX"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric Rack Automatic Transfer Switches (ATS) Embedded NMC1: - Rack Automatic Transfer Switches - AP77XX NMC1 AOS v3.9.2 and earlier",
                  "product_id": "20"
                }
              }
            ],
            "category": "product_name",
            "name": "Rack Automatic Transfer Switches (ATS) Embedded NMC1: - Rack Automatic Transfer Switches - AP77XX"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.8.8",
                "product": {
                  "name": "Schneider Electric Environmental Monitoring Environmental Monitoring Unit with embedded NMC2 - NetBotz NBRK0250 NMC2 AOS V6.8.8 and earlier",
                  "product_id": "21"
                }
              }
            ],
            "category": "product_name",
            "name": "Environmental Monitoring Environmental Monitoring Unit with embedded NMC2 - NetBotz NBRK0250"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric Cooling Products Embedded NMC2 \u0026 Touchscreen Displays: InRow NMC2 AOS V6.9.4 and earlier",
                  "product_id": "22"
                }
              }
            ],
            "category": "product_name",
            "name": "Cooling Products Embedded NMC2 \u0026 Touchscreen Displays: InRow"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC2 AOS 6.9.4",
                "product": {
                  "name": "Schneider Electric Cooling Products Embedded NMC2 \u0026 Touchscreen Displays: Uniflair Cooling Devices NMC2 AOS V6.9.4 and earlier",
                  "product_id": "23"
                }
              }
            ],
            "category": "product_name",
            "name": "Cooling Products Embedded NMC2 \u0026 Touchscreen Displays: Uniflair Cooling Devices"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric Cooling Products Embedded NMC1 - Rack Air Removal Unit SX (RARU) NMC1 AOS V3.9.2 and earlier",
                  "product_id": "24"
                }
              }
            ],
            "category": "product_name",
            "name": "Cooling Products Embedded NMC1 - Rack Air Removal Unit SX (RARU)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric NMC1 Products Symmetra UPS Network Management Card 1 (NMC1) SmartSlot Models: - AP9617 (discontinued in Nov 2011) NMC1 AOS V3.9.2 and earlier",
                  "product_id": "25"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC1 Products Symmetra UPS Network Management Card 1 (NMC1) SmartSlot Models: - AP9617 (discontinued in Nov 2011)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric NMC1 Products Symmetra UPS Network Management Card 1 (NMC1) SmartSlot Models: - AP9619 (discontinued in Sep 2012) NMC1 AOS V3.9.2 and earlier",
                  "product_id": "26"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC1 Products Symmetra UPS Network Management Card 1 (NMC1) SmartSlot Models: - AP9619 (discontinued in Sep 2012)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric NMC1 Products Symmetra UPS Network Management Card 1 (NMC1) SmartSlot Models: - AP9618 (discontinued in Jan 2017) NMC1 AOS V3.9.2 and earlier",
                  "product_id": "27"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC1 Products Symmetra UPS Network Management Card 1 (NMC1) SmartSlot Models: - AP9618 (discontinued in Jan 2017)"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric NMC1 Products Symmetra UPS Network Management Card 1 (NMC1) SmartSlot Models: - Audio/Video Network Management Enabled products S20BLK, G50NETB2, G50NETB-20A2 NMC1 AOS V3.9.2 and earlier",
                  "product_id": "28"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC1 Products Symmetra UPS Network Management Card 1 (NMC1) SmartSlot Models: - Audio/Video Network Management Enabled products S20BLK, G50NETB2, G50NETB-20A2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric Battery Management - Battery Management System - AP9920B1 NMC1 AOS V3.9.2 and earlier",
                  "product_id": "29"
                }
              }
            ],
            "category": "product_name",
            "name": "Battery Management - Battery Management System - AP9920B1"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric Battery Management - Battery Management System - AP9921X NMC1 AOS V3.9.2 and earlier",
                  "product_id": "30"
                }
              }
            ],
            "category": "product_name",
            "name": "Battery Management - Battery Management System - AP9921X"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric Environmental Monitoring AP9319 AP9320 AP9340 AP9360 AP9361 NetBotz NBRK0200 NMC1 AOS V3.9.2 and earlier",
                  "product_id": "31"
                }
              }
            ],
            "category": "product_name",
            "name": "Environmental Monitoring AP9319 AP9320 AP9340 AP9360 AP9361 NetBotz NBRK0200"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric Cooling Products - NetworkAir NMC1 AOS V3.9.2 and earlier",
                  "product_id": "32"
                }
              }
            ],
            "category": "product_name",
            "name": "Cooling Products - NetworkAir"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=NMC1 AOS 3.9.2",
                "product": {
                  "name": "Schneider Electric Cooling Products - InRow NMC1 AOS V3.9.2 and earlier",
                  "product_id": "33"
                }
              }
            ],
            "category": "product_name",
            "name": "Cooling Products - InRow"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "6.9.2|6.9.4",
                "product": {
                  "name": "Schneider Electric NMC2 AOS V6.9.2/6.9.4",
                  "product_id": "34"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC2 AOS"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003e=6.9.6",
                "product": {
                  "name": "Schneider Electric NMC2 AOS V6.9.6 or later",
                  "product_id": "35"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC2 AOS"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003e=3.9.4",
                "product": {
                  "name": "Schneider Electric NMC2 AOS V3.9.4 or later",
                  "product_id": "36"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC2 AOS"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.3.3.1",
                "product": {
                  "name": "Schneider Electric NMC3 AOS V1.3.3.1",
                  "product_id": "37"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC3 AOS "
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003e=1.4",
                "product": {
                  "name": "Schneider Electric NMC3 AOS V1.4 or later",
                  "product_id": "38"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC3 AOS "
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003e=3.9.4",
                "product": {
                  "name": "Schneider Electric NMC1 AOS V3.9.4 or later",
                  "product_id": "39"
                }
              }
            ],
            "category": "product_name",
            "name": "NMC1 AOS"
          }
        ],
        "category": "vendor",
        "name": "Schneider Electric"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-11901",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1), Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "35",
          "36",
          "38",
          "39"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19",
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161  for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/  is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11901"
    },
    {
      "cve": "CVE-2020-11902",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "37",
          "38"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "19",
          "21",
          "22",
          "23"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        }
      ],
      "title": "CVE-2020-11902"
    },
    {
      "cve": "CVE-2020-11903",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "39"
        ],
        "known_affected": [
          "4",
          "5",
          "6",
          "7",
          "18",
          "20",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161  for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/  is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11903"
    },
    {
      "cve": "CVE-2020-11904",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1), Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "38",
          "39"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19",
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161  for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/  is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11904"
    },
    {
      "cve": "CVE-2020-11905",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1), Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "38",
          "39"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19",
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161  for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/  is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11905"
    },
    {
      "cve": "CVE-2020-11906",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "37",
          "38"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "19",
          "21",
          "22",
          "23"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        }
      ],
      "title": "CVE-2020-11906"
    },
    {
      "cve": "CVE-2020-11907",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1), Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "38",
          "39"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19",
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161  for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/  is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11907"
    },
    {
      "cve": "CVE-2020-11908",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "39"
        ],
        "known_affected": [
          "4",
          "5",
          "6",
          "7",
          "18",
          "20",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161  for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/  is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11908"
    },
    {
      "cve": "CVE-2020-11909",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1), Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "38",
          "39"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19",
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161  for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/  is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11909"
    },
    {
      "cve": "CVE-2020-11910",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1), Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "38",
          "39"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19",
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161 for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/ is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11910"
    },
    {
      "cve": "CVE-2020-11911",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1), Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "38",
          "39"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19",
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161 for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/ is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11911"
    },
    {
      "cve": "CVE-2020-11912",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1), Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "38",
          "39"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19",
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161  for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/  is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11912"
    },
    {
      "cve": "CVE-2020-11913",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "37",
          "38"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "19",
          "21",
          "22",
          "23"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        }
      ],
      "title": "CVE-2020-11913"
    },
    {
      "cve": "CVE-2020-11914",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 1 (NMC1), Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "38",
          "39"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "4",
          "5",
          "6",
          "7",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "24",
          "25",
          "26",
          "27",
          "28",
          "29",
          "30",
          "31",
          "32",
          "33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for the SUMX application \r\nrunning on the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V3.9.4 or \r\nlater. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "4",
            "5",
            "6",
            "7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "18"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19",
            "20"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for RARU NMC1 \r\napplication \r\nCustomers are urged to upgrade to \r\napplications using NMC1 AOSV3.9.4 or \r\nlater\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "24"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "These are End of Commercialization \r\noffers.\r\nTo reduce risk of exploitation, apply \r\nthe mitigations detailed in the \r\nRecommended Mitigations section.\r\nContact your local support team for \r\nfurther assistance in upgrading to \r\nNMC2 or NMC3 platforms. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/support/contact-us/"
        },
        {
          "category": "mitigation",
          "details": "Schneider Electric is implementing remediations which will be made available as soon as possible. In \r\nthe meantime, we recommend that our customers protect their installations from the cyber risks \r\nassociated with the Treck vulnerabilities by immediately taking these mitigating actions: \r\nFor devices on a local network: \r\n\u2022 Network Partitioning: Locate devices behind firewalls capable of deep packet inspection with \r\nrulesets limiting access with only approved protocols and functions and to only those devices \r\nand endpoints requiring access. \r\n\u2022 Anomalous IP traffic: Block and detect anomalous IP traffic and malformed packets. Refer to \r\nthe Solution section of the CERT-Coordination Center Vulnerability Note VU#257161 https://kb.cert.org/vuls/id/257161  for \r\ndetails.\r\n\u2022 Disable DHCP on the NMC and configure it to use a static IP address.\r\n\u2022 To avoid the use of DNS, set DNS servers to 0.0.0.0 and utilize static IP addresses for all \r\nservers the NMC will connect. \r\n\u2022 If DNS must be used then normalize DNS through a secure recursive server or application \r\nlayer firewall\r\n\u2022 Enable only secure remote access methods. Disable any insecure protocols. \r\nFor devices that must communicate via the Internet: \r\n\u2022 Minimize network exposure for embedded and critical devices, keeping exposure to the \r\nminimum necessary, and ensuring that devices are not accessible from the Internet unless \r\nabsolutely essential.\r\n\u2022 Ensure communications to devices are via the EcoStruxure IT Gateway. The EcoStruxure IT \r\nplatform https://ecostruxureit.com/what-is-ecostruxure-it/  is security hardened with a mandatory two-factor authentication and high encryption \r\nstandards. Device data is securely transported to the EcoStruxure IT platform using the \r\nEcoStruxure IT Gateway, which uses an outbound connection to minimize risk to your \r\nenvironment.\r\nIf network access is not required: \r\n\u2022 Remove the Ethernet cable from the SmartSlot NMC, or the embedded NMC Ethernet port if \r\nan embedded NMC is present. \r\nAdditional mitigations: \r\n\u2022 Access Controls: Install physical and logical controls, so that no unauthorized personnel or \r\ndevice can access your systems, components, peripheral equipment, and networks. ",
          "product_ids": [
            "25",
            "26",
            "27",
            "28",
            "29",
            "30",
            "31",
            "32",
            "33"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://kb.cert.org/vuls/id/257161"
        }
      ],
      "title": "CVE-2020-11914"
    },
    {
      "cve": "CVE-2020-11896",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "37",
          "38"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "19",
          "21",
          "22",
          "23"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        }
      ],
      "title": "CVE-2020-11896"
    },
    {
      "cve": "CVE-2020-11898",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "37",
          "38"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "19",
          "21",
          "22",
          "23"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        }
      ],
      "title": "CVE-2020-11898"
    },
    {
      "cve": "CVE-2020-11899",
      "notes": [
        {
          "category": "description",
          "text": "Network Management Card Family - Network Management Card 2 (NMC2), Network Management Card 3 (NMC3)",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "34",
          "35",
          "36",
          "37",
          "38"
        ],
        "known_affected": [
          "1",
          "2",
          "3",
          "8",
          "9",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "19",
          "21",
          "22",
          "23"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOS V6.9.6 or \r\nlater. \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "1",
            "2",
            "3"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC3 platforms. \r\nCustomers are urged to upgrade to \r\napplications using NMC3 AOS V1.4 or \r\nlater.\r\nNote: AOS V1.3.3.1 addressed 14 of \r\nthe 15 CVEs. NMC3 AOS V1.4 \r\naddresses CVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "8",
            "9"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "10"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "11",
            "12",
            "13",
            "14",
            "15"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "16",
            "17"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC1 and NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using NMC2 AOSV6.9.6 or \r\nlater or NMC1 AOSv3.9.4 or later\r\n \r\nNote: NMC2 AOS V6.9.2/6.9.4 \r\naddressed 14 of the 15 CVEs. AOS \r\nV6.9.6 addresses CVE-2020-11901.\r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "19"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbeen released for applications running \r\non the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/\r\n",
          "product_ids": [
            "21"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        },
        {
          "category": "vendor_fix",
          "details": "Patches for the vulnerabilities have \r\nbegun being released for applications \r\nrunning on the NMC2 platform. \r\nCustomers are urged to upgrade to \r\napplications using AOSV6.9.6 or later.\r\n \r\nNote: AOS V6.9.2/6.9.4 addressed 14 \r\nof the 15 CVEs. AOS V6.9.6 addresses \r\nCVE-2020-11901. \r\nRefer to this link for the latest \r\ninformation on application patch \r\navailability: \r\nhttps://www.apc.com/us/en/faqs/FA410359/",
          "product_ids": [
            "22",
            "23"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://www.apc.com/us/en/faqs/FA410359/"
        }
      ],
      "title": "CVE-2020-11913"
    }
  ]
}

