Monday, February 9, 2015

Someone is currently logged into the APC

Time was, APC was the Cadillac of the power management world. But in my opinion, as with many vendors, they're not keeping up with the times. Case in point: our APC AP7990 PDUs. We're no longer able to use any modern browser to manage them. And when we use an older browser, we've been getting "Someone is currently logged into the APC Management Web Server." when attempting to log in, because it's not resetting the session when disconnecting.

Logging into the terminal and back out to reset the web interface fixes this, but if you're doing that securely, as you should, with SSH rather than Telnet, and using PuTTY, you get the error message "Received SSH2_MSG_CHANNEL_SUCCESS for nonexistent channel 65536". To get around that, try using a Linux or BSD-based system to SSH to the PDU, although that resulted in a "Broken pipe" error at times...

Unfortunately, the heart of the matter is that their products, like many manufacturers' devices, are using old, broken security protocols, ciphers and versions of Java, with no hope of ever being updated. And now that security settings in all modern browsers and JVMs are at an all-time high, they block access to these remote management web interfaces. Truly a frustrating development, since there is no way to push manufacturers to update what should amount to a simple fix (if they have sensible software dev practices). I don't expect companies to support products forever the way Microsoft does, but when their products become completely unmanageable because of far-reaching, widely-known security flaws in Bash, OpenSSH, SSL and Java, they should be on the hook to spend a few cycles on helping the people who buy their products. (Okay, off my soapbox.)

And by all means, click Log Off when using the APC PDU web interface.

3 comments:

  1. I feel your pain. I just sent a Tripp Lite PDUMH15NET back today as the software is so far behind security-wise. Pretty much the same type of issues you mentioned. Here I was hoping that APC would be the better route at double the price. :-(

  2. Stumbled across this, and yes. This is still the case in 2018. APC's workaround? Use an old version of PuTTY.

    http://www.apc.com/us/en/faqs/FA242581/

    WTF.. c'mon guys, update your management platform to support modern encryption, and you call this enterprise hardware? :-(
