
APC 8653 vulnerability | Racks, Rack Accessories, & Cooling


Discussion in Racks, Rack Accessories, & Cooling started by Stavros , 2/17/2021 11:03 AM
Posted in: General

  • Our InfoSec team has highlighted a security vulnerability in our AP8635 running code 6.8.0, with the following details

    SSL Certificate Signed Using Weak Hashing Algorithm:
    The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.
    And they gave us the following remediation

    Contact the Certificate Authority to have the SSL certificate reissued or Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.



    I have tried reissuing the certificate but I could not see any options regarding the cryptography. Is there any way to adjust the above?

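The description quoted in the first post is a scanner's check on the ephemeral Diffie-Hellman group the NMC's web server offers during the TLS handshake, which a reissued certificate does not change. The following is an added example, not code from the thread or from Schneider Electric, for confirming or refuting that finding with `openssl s_client` before and after a firmware upgrade. It assumes OpenSSL 1.0.2 or later (which prints the "Server Temp Key" line); the host name is a placeholder and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check the DH group a TLS server offers.
# Assumes OpenSSL 1.0.2+; nmc.example.internal is a placeholder host name.

# Read `openssl s_client` output on stdin and print the ephemeral DH modulus
# size in bits, or 0 when no DH group was used (ECDHE or RSA key exchange).
dh_bits_from_sclient() {
    bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# Classify stdin the way the scanner does: exit 1 when a DH modulus below
# MIN_DH_BITS (default 2048) was negotiated, exit 0 otherwise.
dh_check() {
    bits=$(dh_bits_from_sclient)
    min=${MIN_DH_BITS:-2048}
    if [ "$bits" -eq 0 ]; then
        echo "no DHE group negotiated (ECDHE or RSA key exchange)"
        return 0
    elif [ "$bits" -lt "$min" ]; then
        echo "WEAK: ephemeral DH modulus is $bits bits (< $min)"
        return 1
    fi
    echo "OK: ephemeral DH modulus is $bits bits"
    return 0
}

# Live probe: force a DHE suite over TLS 1.2 so the server must reveal its DH
# group. If the server refuses every DHE suite, the finding does not apply.
#   openssl s_client -connect nmc.example.internal:443 -tls1_2 -cipher 'DHE' \
#       < /dev/null 2>/dev/null | dh_check

# Constructed samples of the relevant s_client lines (not captured from a real NMC).
SAMPLE_WEAK='---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2421 bytes and written 442 bytes'

SAMPLE_ECDHE='---
Server Temp Key: ECDH, P-256, 256 bits
---'

printf '%s\n' "$SAMPLE_WEAK" | dh_check || echo "(exit status 1: scanner finding confirmed)"
printf '%s\n' "$SAMPLE_ECDHE" | dh_check
```

Run the live probe against the NMC once with firmware 6.8.0 and again after the upgrade; if the later run reports no DHE group or a 2048-bit modulus, the scanner finding is resolved regardless of which certificate is installed.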
  • Hi Stavros,

    You'll need to create your own certificate making sure that your enterprise CA issues the appropriate certificate.



    How To:


    I'd also note that FW6.8.0 has more vulnerabilities that you have not listed, please upgrade your device to FW6.9.6:



  • Hello Gavan

    Many thanks for the above information. It is very helpful.

    When I go to my device downloads I cannot find 6.9.6 listed. It says the latest is 6.8.0.


    I always use that page to look for new firmware, is there anywhere else i need to look at?



  • There is a link in my first post.

  • Hi Gavan

    I am restricted by company policy to visit box.com as it falls into the category of file sharing.

    Is there a link hosted by APC anywhere?


  • To be honest we use box.com for most things, I'm not sure if it is somewhere else.

    Can you try a personal computer or hotspot?


  • Hello Gavan

    Many thanks for replying, I have managed to put the software on the work computer.

    I have successfully upgraded my AP8653 to version 6.9.6.

    I had a lot of trouble with the NMCSecurityWizardCLIUtility.

    First of all, version 1.0.1 does not work and throws an unhandled exception like this when trying to import the cert:

    NMC Security Wizard Command Line Utility v1.0.1
    (c) Copyright 2018 Schneider Electric. All rights reserved.
    -----------------------------------------------------------------------------
    Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
       at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
       at NMCSecurityWizardCLI.Program.Main(String[] args)

    In order to successfully import the certificate I had to use version 1.0.0 found here.

    After successfully creating the *.p15 cert using the signed cert and private key I tried to import to the NMC2 and the status was stuck at "Loading certificate...."

    In the event logs I saw the following 

     02/19/2021 12:57:55 System SSL: Certificate generation complete.
     02/19/2021 12:56:30 System SSL: Certificate generation started.
     02/19/2021 12:56:29 System SSL Error: Invalid certificate.

    I saw on this forum post that other people had my problem in earlier versions of AOS, but there was no solution other than downgrading.

    We are using a Microsoft CA and the web server template to sign the certificate.

    Has there ever been a solution?  What else can I try in order to successfully import the certificate?


    That forum post listed wouldn't have an impact on what you are trying to do.

    Did you follow the guide attached?

    I see that you have also created a ticket for your issues. I'd advise that you upload the unsigned .p15, the CSR, the cer/crt returned from your CA and the signed .p15 to the case, as well as the command used to create it.


  • Hello Gavan

    I believe I followed the guide to the letter. It would be good if the error gave a little bit more information.

    I have not opened a case myself. I have, however, asked my reseller about this, so he might have opened one.

    I will try redoing the procedure on a different device with a different version and come back here with the results. Is there anything else I can do?


  • Hello Gavan!

    I have managed to successfully import the SSL certificate to the device!! 

    After some collaboration with the sysadmin team we found out that the signed certificate needed a special template from the CA that includes enhanced key usage.

    Thank you very much for your help here.

    Have a lovely weekend

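The thread ends with the certificate being accepted once the CA template included an Extended Key Usage, after an opaque "SSL Error: Invalid certificate" on the NMC. The following is an added example, not code from the thread or from Schneider Electric, of the checks to run on the CA-signed certificate before wrapping it into the .p15 with the Security Wizard: that it carries the TLS Web Server Authentication EKU, that the CA signed it with a modern hash (the first post's finding title names a weak signature hash), and that it belongs to the private key the CSR was generated from. It assumes OpenSSL 1.1.1 or later on the PATH; file names are placeholders and the certificates it builds for the demonstration are constructed self-signed test material, not a real CA-issued certificate.

```shell
#!/bin/sh
# Added example (not the thread's or Schneider's code): pre-flight checks on a
# CA-signed certificate before importing it to an NMC. Assumes OpenSSL 1.1.1+.

# Normalize a certificate to PEM, accepting DER as well (a .cer exported from a
# Microsoft CA is often DER-encoded).
cert_pem() {
    openssl x509 -in "$1" -outform PEM 2>/dev/null \
        || openssl x509 -in "$1" -inform DER -outform PEM
}

cert_text() { cert_pem "$1" | openssl x509 -noout -text; }

# Exit 0 if the certificate carries the TLS Web Server Authentication EKU
# (OID 1.3.6.1.5.5.7.3.1), which the thread found the NMC requires.
cert_has_server_auth_eku() {
    cert_text "$1" | grep -q 'TLS Web Server Authentication'
}

# Print the signature algorithm (e.g. sha256WithRSAEncryption) and exit 1 if
# the CA signed with SHA-1 or MD5, which scanners report as a weak hash.
cert_signature_ok() {
    alg=$(cert_text "$1" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    echo "$alg"
    case "$alg" in
        sha1*|md5*|*SHA1*|*MD5*) return 1 ;;
        *) return 0 ;;
    esac
}

# Exit 0 if the certificate's public key matches the private key file; a
# mismatch means the wrong CSR was signed and the .p15 will never be valid.
cert_matches_key() {
    [ "$(cert_pem "$1" | openssl x509 -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed demo material: one key, a self-signed cert with the EKU, one
# without, and an unrelated key. Prints the scratch directory.
make_demo_certs() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=nmc.example.internal' -addext 'extendedKeyUsage=serverAuth' \
        -keyout "$d/key.pem" -out "$d/with-eku.pem" 2>/dev/null
    openssl req -x509 -new -key "$d/key.pem" -sha256 -days 1 \
        -subj '/CN=nmc.example.internal' -out "$d/no-eku.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.pem" 2>/dev/null
    echo "$d"
}

demo() {
    dir=$(make_demo_certs)
    for c in with-eku no-eku; do
        if cert_has_server_auth_eku "$dir/$c.pem"; then
            echo "$c.pem: Server Authentication EKU present"
        else
            echo "$c.pem: EKU missing (the case the thread hit)"
        fi
    done
    echo "with-eku.pem signature: $(cert_signature_ok "$dir/with-eku.pem")"
    cert_matches_key "$dir/with-eku.pem" "$dir/key.pem" && echo "with-eku.pem matches key.pem"
    cert_matches_key "$dir/with-eku.pem" "$dir/other.pem" || echo "with-eku.pem does not match other.pem"
    rm -rf "$dir"
}

demo
```

Against a real deployment, point `cert_has_server_auth_eku`, `cert_signature_ok` and `cert_matches_key` at the .cer returned by the CA and the key exported from the Security Wizard; all three should pass before the .p15 is built, which turns the NMC's "Invalid certificate" into a diagnosable failure on the workstation.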
