Vulnerabilities in APC Smart-UPS that allow remote control of the device

Security researchers from Armis have disclosed three vulnerabilities in APC managed uninterruptible power supplies that could allow remote control of the device, for example cutting power to certain outlets or using the UPS as a foothold for attacks on other systems. The vulnerabilities are codenamed TLStorm and affect APC Smart-UPS devices (SCL, SMX, SRT series) and SmartConnect devices (SMT, SMTL, SCL and SMX series).

Two of the vulnerabilities stem from errors in the implementation of the TLS protocol on devices that are managed through Schneider Electric's centralized cloud service. SmartConnect-series devices automatically connect to that cloud service on startup or after losing connectivity, and an unauthenticated attacker can exploit the vulnerabilities and take full control of the device by sending specially crafted packets to the UPS.

  • CVE-2022-22805 - A buffer overflow in the packet reassembly code used when processing incoming connections. The issue is caused by copying data into a buffer while processing fragmented TLS records. Exploitation is made easier by incorrect error handling around the Mocana nanoSSL library: after the library returned an error, the connection was not closed.
  • CVE-2022-22806 - Authentication bypass during TLS session establishment, caused by a state error during connection negotiation. By caching an uninitialized null TLS key and ignoring the error code returned by the Mocana nanoSSL library when a packet with an empty key arrived, it was possible to impersonate the Schneider Electric server without going through the key exchange and verification stage.
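Both TLS bugs above share the same defensive lesson: bound every copy into a fixed reassembly buffer before it happens, and treat any error from the TLS library as fatal for the connection instead of continuing. The following Go program is an added illustration of that fail-closed pattern and is not code from the page, from Armis, or from the APC firmware (which is written in C against Mocana nanoSSL). The buffer size, the `Reassembler` type and the constructed fragment sizes are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxRecordLen is the fixed reassembly buffer capacity assumed for this
// example (a TLS 1.2 record body is at most 2^14 + 2048 bytes).
const MaxRecordLen = 16384 + 2048

var ErrRecordTooLarge = errors.New("reassembly: fragments exceed buffer capacity")
var ErrClosed = errors.New("reassembly: connection already closed")

// Reassembler collects the fragments of one TLS record into a fixed buffer.
type Reassembler struct {
	buf    [MaxRecordLen]byte
	filled int
	closed bool
}

// AddFragment appends one fragment. The length check runs before any copy,
// so an oversized fragment can never write past the end of buf. On any error
// the reassembler is marked closed so that no further data is accepted, which
// is the behaviour the vulnerable implementation lacked.
func (r *Reassembler) AddFragment(frag []byte) error {
	if r.closed {
		return ErrClosed
	}
	if len(frag) > len(r.buf)-r.filled {
		r.closed = true
		return ErrRecordTooLarge
	}
	r.filled += copy(r.buf[r.filled:], frag)
	return nil
}

// Record returns the bytes reassembled so far.
func (r *Reassembler) Record() []byte { return r.buf[:r.filled] }

// Closed reports whether the reassembler has rejected the connection.
func (r *Reassembler) Closed() bool { return r.closed }

// ProcessFragments feeds a sequence of fragments and stops at the first
// error, returning how many fragments were accepted and the error.
func ProcessFragments(r *Reassembler, frags [][]byte) (int, error) {
	for i, f := range frags {
		if err := r.AddFragment(f); err != nil {
			return i, err
		}
	}
	return len(frags), nil
}

func main() {
	var r Reassembler
	// Constructed input: two ordinary fragments followed by one that would
	// overflow a buffer that already holds 3000 bytes.
	frags := [][]byte{
		make([]byte, 1000),
		make([]byte, 2000),
		make([]byte, MaxRecordLen),
	}
	n, err := ProcessFragments(&r, frags)
	fmt.Printf("accepted %d fragments, filled=%d, err=%v, closed=%v\n", n, r.filled, err, r.Closed())
	// A later fragment is refused because the connection was closed on error.
	fmt.Println(r.AddFragment([]byte{1}))
}
```

The important detail is the order of operations in `AddFragment`: the capacity check happens before `copy`, and an error both reports the problem and closes the connection, so a peer cannot keep feeding data into a half-failed session.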

The third vulnerability (CVE-2022-0715) is related to an incorrect implementation of the verification of firmware downloaded for an update and allows an attacker to install modified firmware without a digital signature check (it turned out that the firmware's digital signature is not checked at all; instead, only symmetric encryption with a key predefined in the firmware is used).
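Encrypting an update with a key that ships inside the firmware gives confidentiality at best, not authenticity: anyone who extracts the key can produce an image the device will accept. The following Go program is an added example, not code from the page or from Schneider Electric, of the check that was missing: an Ed25519 signature over the update payload, verified with a public key baked into the device, so that only the vendor's private key can produce an installable image. The image layout (`FWUP` magic, 64-byte signature, payload) and the payload bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed update-image layout: 4-byte magic, Ed25519 signature over the
// payload, then the payload itself.
var magic = []byte("FWUP")

var ErrBadFormat = errors.New("firmware: malformed image")
var ErrBadSignature = errors.New("firmware: signature verification failed")

// SignImage builds an update image whose payload is signed with the vendor's
// private key. This runs on the vendor side, never on the device.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, payload)
	img := append([]byte{}, magic...)
	img = append(img, sig...)
	return append(img, payload...)
}

// VerifyImage is the device-side check: it returns the payload only if the
// signature verifies under the embedded public key. Only the public key lives
// on the device, so extracting it from a firmware dump gives an attacker
// nothing, unlike a pre-shared symmetric key.
func VerifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	hdr := len(magic) + ed25519.SignatureSize
	if len(img) < hdr || !bytes.Equal(img[:len(magic)], magic) {
		return nil, ErrBadFormat
	}
	sig := img[len(magic):hdr]
	payload := img[hdr:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

// CheckRoundTrip signs payload with a fresh key pair, then reports whether the
// genuine image is accepted and whether an image with one flipped payload bit
// is rejected.
func CheckRoundTrip(payload []byte) (genuineAccepted, tamperedRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	img := SignImage(priv, payload)
	got, verr := VerifyImage(pub, img)
	genuineAccepted = verr == nil && bytes.Equal(got, payload)

	tampered := append([]byte{}, img...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the payload
	_, verr = VerifyImage(pub, tampered)
	tamperedRejected = errors.Is(verr, ErrBadSignature)
	return genuineAccepted, tamperedRejected, nil
}

func main() {
	// Constructed payload; a real image would be the firmware binary.
	ok, rejected, err := CheckRoundTrip([]byte("constructed firmware payload v1.2.3"))
	fmt.Printf("genuine accepted=%v, tampered rejected=%v, err=%v\n", ok, rejected, err)
}
```

The device needs nothing secret to run `VerifyImage`, which is the property the original design lacked; rotating or revoking the signing key is then a matter of updating the embedded public key through a signed update.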

Combined with CVE-2022-22805, an attacker could replace the firmware remotely by impersonating the Schneider Electric cloud service, or could initiate an update from the local network. Having gained access to the UPS, an attacker could plant a backdoor or malicious code on the device, as well as carry out sabotage by cutting power to important consumers, for example video surveillance systems in banks or life-support equipment in hospitals.

Schneider Electric has prepared patches to fix the problems and is also preparing a firmware update. To reduce the risk of compromise, it is additionally recommended to change the default password ("apc") on devices with an NMC (Network Management Card), to install a digitally signed SSL certificate, and to restrict access to the UPS on the firewall to Schneider Electric Cloud addresses only.

Source: opennet.ru
