Vulnerabilities in APC Smart-UPS that allow remote control of the device

Security researchers from Armis have disclosed three vulnerabilities in APC managed uninterruptible power supplies that could allow remote control of the device to be seized and abused, for example to cut power to individual outlets or to use the UPS as a springboard for attacks on other systems. The vulnerabilities have been codenamed TLStorm and affect APC Smart-UPS devices (SCL, SMX and SRT series) and SmartConnect (SMT, SMTL, SCL and SMX series).

Two of the vulnerabilities are caused by errors in the implementation of the TLS protocol in devices that are managed through Schneider Electric's centralized cloud service. On startup, or after a lost connection, SmartConnect series devices automatically connect to the centralized cloud service, and an unauthenticated attacker can exploit the vulnerabilities to gain full control of the device by sending specially crafted packets to the UPS.

  • CVE-2022-22805 - A buffer overflow in the packet reassembly code, exploitable while processing incoming connections. The issue is caused by copying data into a buffer while processing fragmented TLS records. Exploitation is made easier by incorrect error handling when using the Mocana nanoSSL library: after an error is returned, the connection is not closed.
  • CVE-2022-22806 - Authentication bypass during TLS session establishment, caused by a state-tracking error during connection negotiation. By caching an uninitialized null TLS key and ignoring the error code returned by the Mocana nanoSSL library when a packet with an empty key arrived, it was possible to impersonate the Schneider Electric server without going through the key exchange and verification stage.
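As an added illustration (not code from Armis, Schneider Electric or Mocana), the following C record reassembler shows the two defensive checks the bullets above point at: bounds-checking every fragment before it is copied into the record buffer, and latching the connection closed on any error so that no further data is processed. The record layout is standard TLS; the sample fragments and demo functions are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* 5-byte record header plus the largest TLSCiphertext body (2^14 + 256, RFC 8446 5.2). */
#define TLS_MAX_RECORD (5u + 16384u + 256u)

typedef enum { REASM_OK = 0, REASM_NEED_MORE = 1,
               REASM_ERR_OVERFLOW = -1, REASM_ERR_CLOSED = -2 } reasm_status;

typedef struct {
    uint8_t data[TLS_MAX_RECORD];
    size_t  len;       /* bytes accumulated so far */
    size_t  expected;  /* header + declared body length; 0 until the header is complete */
    bool    closed;    /* latched on the first error; later fragments are refused */
} reasm_t;

void reasm_init(reasm_t *r) { memset(r, 0, sizeof *r); }

/* Append one TCP fragment of a TLS record. Every failure latches `closed`, so the caller
 * cannot keep feeding data after an error (the missing step the article describes). */
reasm_status reasm_feed(reasm_t *r, const uint8_t *frag, size_t n) {
    if (r->closed) return REASM_ERR_CLOSED;
    /* Bounds check before the copy; an unchecked copy here is the overflow class of bug. */
    if (n > TLS_MAX_RECORD - r->len) { r->closed = true; return REASM_ERR_OVERFLOW; }
    memcpy(r->data + r->len, frag, n);
    r->len += n;
    if (r->expected == 0 && r->len >= 5) {
        /* Header complete: bytes 3..4 carry the declared body length (big-endian). */
        size_t body = ((size_t)r->data[3] << 8) | r->data[4];
        if (body > TLS_MAX_RECORD - 5) { r->closed = true; return REASM_ERR_OVERFLOW; }
        r->expected = 5 + body;
    }
    return (r->expected && r->len == r->expected) ? REASM_OK : REASM_NEED_MORE;
}

/* Constructed sample: a 9-byte handshake record delivered as three fragments. Returns 9. */
int demo_fragmented_record(void) {
    static const uint8_t rec[9] = { 0x16, 0x03, 0x03, 0x00, 0x04, 1, 2, 3, 4 };
    reasm_t r; reasm_init(&r);
    if (reasm_feed(&r, rec, 3) != REASM_NEED_MORE) return -1;      /* partial header */
    if (reasm_feed(&r, rec + 3, 2) != REASM_NEED_MORE) return -2;  /* header done, body pending */
    if (reasm_feed(&r, rec + 5, 4) != REASM_OK) return -3;
    return (int)r.len;
}

/* Constructed sample: an oversize fragment is refused and the connection stays closed. Returns 1. */
int demo_oversize_rejected(void) {
    static uint8_t big[TLS_MAX_RECORD + 1];
    reasm_t r; reasm_init(&r);
    if (reasm_feed(&r, big, sizeof big) != REASM_ERR_OVERFLOW) return -1;
    return reasm_feed(&r, big, 1) == REASM_ERR_CLOSED ? 1 : -2;
}
```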

The third vulnerability (CVE-2022-0715) stems from incorrect verification of firmware downloaded for an update and allows an attacker to install modified firmware without a digital signature check (it turned out that the firmware's digital signature is not checked at all; instead, symmetric encryption with a key predefined in the firmware is used).

Combined with the CVE-2022-22805 vulnerability, an attacker can replace the firmware remotely, either by impersonating the Schneider Electric cloud service or by initiating an update from the local network. Having gained access to the UPS, an attacker could plant a backdoor or malicious code on the device, as well as carry out sabotage and cut power to critical consumers, for example video surveillance systems in banks or life-support equipment in hospitals.


Schneider Electric has prepared patches to fix the problems and is also preparing a firmware update. To reduce the risk of compromise, it is additionally recommended to change the default password ("apc") on devices with an NMC (Network Management Card), to install a digitally signed SSL certificate, and to restrict access to the UPS at the firewall to Schneider Electric Cloud addresses only.

Source: opennet.ru
