Cov kws tshawb fawb txog kev ruaj ntseg los ntawm Armis tau tshaj tawm peb qhov tsis zoo hauv APC tswj cov khoom siv hluav taws xob tsis cuam tshuam uas tuaj yeem tso cai rau cov chaw taws teeb tswj ntawm cov cuab yeej raug coj mus thiab tswj xyuas, xws li tua hluav taws xob rau qee qhov chaw nres nkoj lossis siv nws ua lub caij nplooj ntoos hlav rau kev tawm tsam ntawm lwm lub tshuab. Qhov tsis zoo yog codenamed TLStorm thiab cuam tshuam rau APC Smart-UPS cov khoom siv (SCL, SMX, SRT series) thiab SmartConnect (SMT, SMTL, SCL thiab SMX series).
Ob qhov tsis zoo yog tshwm sim los ntawm kev ua yuam kev hauv kev siv TLS raws tu qauv hauv cov cuab yeej tswj hwm los ntawm kev pabcuam huab cua los ntawm Schneider Electric. SmartConnect series pab kiag li lawm, thaum pib lossis poob ntawm kev sib txuas, cia li txuas mus rau qhov chaw pabcuam huab cua thiab tus neeg tawm tsam tsis muaj kev lees paub tuaj yeem siv qhov tsis zoo thiab tau txais kev tswj hwm tag nrho ntawm cov cuab yeej los ntawm kev xa cov pob tsim tshwj xeeb rau UPS.
- CVE-2022-22805 - Ib qho tsis txaus nyob rau hauv pob ntawv reassembly code, siv thaum ua cov khoom sib txuas. Qhov teeb meem yog tshwm sim los ntawm kev theej cov ntaub ntawv mus rau ib tug tsis thaum ua fragmented TLS cov ntaub ntawv. Kev siv ntawm qhov tsis zoo yog ua kom yooj yim los ntawm kev ua yuam kev tsis raug thaum siv lub tsev qiv ntawv Mocana nanoSSL - tom qab rov qab qhov yuam kev, kev sib txuas tsis raug kaw.
- CVE-2022-22806 - Authentication bypass thaum lub sij hawm kev sib kho TLS, tshwm sim los ntawm lub xeev nrhiav tau yuam kev thaum sib tham txog kev sib txuas. Los ntawm caching ib qho tseem ceeb tsis tseem ceeb TLS tus yuam sij thiab tsis quav ntsej qhov yuam kev rov qab los ntawm Mocana nanoSSL lub tsev qiv ntawv thaum lub pob ntawv nrog tus yuam sij khoob tuaj txog, nws muaj peev xwm ua txuj ua tus Schneider Electric server yam tsis tau mus dhau qhov kev sib pauv tseem ceeb thiab pov thawj theem.
Qhov thib peb qhov tsis zoo (CVE-2022-0715) yog txuam nrog kev siv tsis raug ntawm kev txheeb xyuas cov firmware rub tawm rau kev hloov kho thiab tso cai rau tus neeg tawm tsam rau nruab hloov kho firmware yam tsis tau kuaj xyuas cov kos npe digital (nws muab tawm tias kos npe digital ntawm lub firmware tsis raug kuaj xyuas. tag nrho, tab sis tsuas yog siv symmetric encryption nrog tus yuam sij ua ntej hauv firmware).
Thaum ua ke nrog CVE-2022-22805 qhov tsis zoo, tus neeg tawm tsam tuaj yeem hloov lub firmware los ntawm kev ua tus neeg siv Schneider Electric huab kev pabcuam lossis los ntawm kev pib hloov tshiab los ntawm lub network hauv zos. Tau txais kev nkag mus rau UPS, tus neeg tawm tsam tuaj yeem tso tus lej rov qab lossis qhov tsis zoo ntawm lub cuab yeej, nrog rau kev ua phem thiab txiav tawm lub zog rau cov neeg siv khoom tseem ceeb, piv txwv li, txiav tawm lub zog rau kev soj ntsuam video hauv tsev txhab nyiaj lossis cov cuab yeej txhawb nqa lub neej hauv tsev kho mob.
Schneider Electric tau npaj thaj ua rau thaj kom kho cov teeb meem thiab tseem tab tom npaj hloov kho firmware. Txhawm rau txo qhov kev pheej hmoo ntawm kev cuam tshuam, nws tseem pom zoo kom hloov tus password qub ("apc") ntawm cov khoom siv nrog NMC (Network Management Card) thiab nruab ib daim ntawv pov thawj SSL digitally kos npe, nrog rau kev txwv tsis pub nkag mus rau UPS ntawm firewall rau Schneider Electric Cloud chaw nyob nkaus xwb.
Tau qhov twg los: opennet.ru