SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  PowerChute Vendors:  American Power Conversion Corp.
APC PowerChute Business Edition Console Access Can Be Denied By Remote Users
SecurityTracker Alert ID:  1010745
SecurityTracker URL:  http://securitytracker.com/id?1010745
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 21 2004
Impact:  Denial of service via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 6.0 - 7.0.1
Description:  A denial of service vulnerability was reported in APC's PowerChute Business Edition. A remote user can prevent console access.

The vendor reported that a user can conduct a denial ofservice attack against PowerChute Business Edition servers and agents to prevent a legitimate user from accessing the servers and agents through the PowerChute Business Edition console.

No further details were provided.

The vendor indicates that the vulnerability does not affect the power shutdown functions.

The vendor credits the Qualys Security Research Team with reporting this flaw.
Impact:  A remote user can prevent legitimate users from accessing servers and agents via the console.
Solution:  The vendor has released a fixed version (7.0.2) as well as a patch, available at:

http://www.apc.com/tools/download/index.cfm
Vendor URL:  www.apc.com/ (Links to External Site)
Cause:  Not specified
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (XP)

Message History:   None.

 Source Message Contents
Date:  Tue, 20 Jul 2004 20:17:35 -0400
Subject:  APC Security Advisory - Denial of Service Vulnerability with PowerChute Business Edition

 

APC Security Advisory – Denial of Service Vulnerability with PowerChute Business Edition

Information regarding the APC Security Advisory – Denial of Service Vulnerability with 
PowerChute

APC Security Advisory – Denial of Service Vulnerability with PowerChute Business Edition

Problem Summary
A non-privileged user could cause a denial of service attack on
PowerChute Business Edition servers and agents, preventing authorized
users from accessing them through the PowerChute Business Edition
console (see “Affected Products” to find out if your version of
software is affected).

Severity Level
Important

Affected Products
All versions of PowerChute Business Edition between 6.0 and 7.0.1
(inclusive) are affected. See “Recommendations and workarounds” for
more details on rectifying the problem.

Mitigating Factors
This vulnerability affects the accessibility of PowerChute Business
Edition servers and agents, but does not affect the software’s
primary function of gracefully shutting down in the event of a power
related event.

Recommendations and workarounds
Customers should upgrade to version 7.0.2 of PowerChute Business
Edition or patch their existing version of software. Both the full
release and patch can be downloaded directly from APC’s website at
http://www.apc.com/tools/download/index.cfm

Exploitation and Public Announcements
APC is not aware of any malicious use of the vulnerability described
in this advisory. The discovery and documentation of this
vulnerability was conducted by the Qualys Security Research Team.
For more information about the Qualys Security Research Team, visit
their website at http://www.qualys.com.

Status of this notice: ACTIVE
THIS IS AN ACTIVE ADVISORY. ALTHOUGH APC CANNOT GUARANTEE THE
ACCURACY OF ALL STATEMENTS IN THIS NOTICE, ALL OF THE FACTS HAVE
BEEN CHECKED TO THE BEST OF OUR ABILITY. APC DOES NOT ANTICIPATE
ISSUING UPDATED VERSIONS OF THIS ADVISORY UNLESS THERE IS SOME
MATERIAL CHANGE IN THE FACTS. SHOULD THERE BE A SIGNIFICANT CHANGE IN
THE FACTS, APC MAY UPDATE THIS ADVISORY. A STAND-ALONE COPY OR
PARAPHRASE OF THE TEXT OF THIS SECURITY ADVISORY IS AN UNCONTROLLED
COPY, AND MAY LACK IMPORTANT INFORMATION OR CONTAIN FACTUAL ERRORS.
IN NO EVENT SHALL EITHER APC, ITS OFFICERS, DIRECTORS, AFFILIATES OR
EMPLOYEES, BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, OR
CONSEQUENTIAL DAMAGES OF ANY KIND INCLUDING, BUT NO LIMITED TO, LOSS
OF PROFITS ARISING OUT OF THE USE OR IMPLEMENTATION OF THE
INFORMATION CONTAINED HEREIN HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN AN ACTION FOR CONTRACT, STRICT LIABILITY OR
TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, WHETHER OR NOT APC HAS BEEN
ADVISED OR THE POSSIBILITY OF SUCH DAMAGE AND NOTWITHSTANDING THE
FAILURE OF ESSENTIAL PURPOSE OF ANY REMEDY.

Distribution
This bulletin and any future updates will be posted to APC's web
site.

Revisions
Revision 1.0
Initial Public Release

Copyright
This notice is Copyright © 2004 by American Power Conversion
Corporation. This notice may be redistributed freely provided that
redistributed copies are complete and unmodified, and include all
date and version information.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC