Vulnerabilities in APC Smart-UPS allowing remote control of the device

Security researchers from Armis have disclosed three vulnerabilities in APC managed uninterruptible power supplies that allow an attacker to take remote control of the device and manipulate it, for example by cutting power on specific outlets or by using the UPS as a foothold for attacks on other systems. The vulnerabilities have been codenamed TLStorm and affect APC Smart-UPS (SCL, SMX, SRT series) and SmartConnect (SMT, SMTL, SCL and SMX series) devices.

Two of the vulnerabilities are caused by errors in the implementation of the TLS protocol in devices managed through Schneider Electric's centralized cloud service. SmartConnect series devices automatically connect to that cloud service at startup or whenever connectivity is lost, and an attacker without authentication can exploit the vulnerabilities and gain full control over the device by sending specially crafted packets to the UPS.

  • CVE-2022-22805 - Buffer overflow in the packet reassembly code, exploitable when handling incoming connections. The issue is caused by copying data into a buffer while processing fragmented TLS records. Exploitation is made easier by incorrect error handling around the Mocana nanoSSL library: after an error is returned, the connection is not closed.
  • CVE-2022-22806 - Authentication bypass during TLS session establishment, caused by a state-tracking error during connection negotiation. Because an uninitialized null TLS key is cached and the error code returned by the Mocana nanoSSL library when a packet with an empty key arrives is ignored, it is possible to impersonate the Schneider Electric server without going through the key exchange and verification stage.
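The record-reassembly flaw described for CVE-2022-22805, shown from the defensive side as an added example that is not Schneider Electric's, APC's or Mocana's code: a reassembler for handshake messages split across TLS records that bounds every copy into its buffer and refuses further input once an error has occurred, which are the two controls the bullet above says were missing. The buffer size, state layout and sample records are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added illustration, not APC/Schneider/Mocana code: reassembly of handshake
 * messages split across TLS records, with the two controls the page describes
 * as missing around CVE-2022-22805: a bound on the copy into the reassembly
 * buffer, and closing the connection after an error instead of continuing.
 * REASM_MAX, the state layout and the sample records are assumptions. */
#define REASM_MAX        256   /* assumed fixed-size reassembly buffer */
#define TLS_RECORD_HDR   5     /* content type(1) version(2) length(2) */
#define TLS_CT_HANDSHAKE 22
enum reasm_status { REASM_FATAL = -1, REASM_NEED_MORE = 0, REASM_COMPLETE = 1 };
/* Per-connection state: bytes gathered so far, total message length once known,
 * and a closed flag that is set on any error and never cleared. */
struct tls_reasm { uint8_t buf[REASM_MAX]; size_t len, expected; int closed; };
/* Feed one raw TLS record (header + payload). Malformed or oversized input
 * marks the connection closed and returns REASM_FATAL. */
enum reasm_status tls_reasm_feed(struct tls_reasm *r, const uint8_t *rec, size_t rec_len)
{
    size_t frag_len;
    if (r->closed) return REASM_FATAL;                         /* control 2: stop after an error */
    if (rec_len < TLS_RECORD_HDR || rec[0] != TLS_CT_HANDSHAKE) goto fatal;
    frag_len = ((size_t)rec[3] << 8) | rec[4];
    if (frag_len != rec_len - TLS_RECORD_HDR) goto fatal;     /* declared length must match */
    if (frag_len > REASM_MAX - r->len) goto fatal;            /* control 1: bound the copy */
    memcpy(r->buf + r->len, rec + TLS_RECORD_HDR, frag_len);
    r->len += frag_len;
    if (r->expected == 0 && r->len >= 4)                      /* handshake hdr: type(1) len(3) */
        r->expected = 4 + (((size_t)r->buf[1] << 16) | ((size_t)r->buf[2] << 8) | r->buf[3]);
    if (r->expected > REASM_MAX) goto fatal;                  /* message can never fit */
    return (r->expected && r->len >= r->expected) ? REASM_COMPLETE : REASM_NEED_MORE;
fatal:
    r->closed = 1;
    return REASM_FATAL;
}
/* Constructed samples: a 10-byte handshake message split over two records, then a
 * record announcing a 65536-byte message, after which all further input is refused.
 * Returns 0 when every check holds, otherwise the number of the failing check. */
int demo_reassembly(void)
{
    struct tls_reasm ok = {{0}, 0, 0, 0}, bad = {{0}, 0, 0, 0};
    const uint8_t rec1[] = {22, 3, 3, 0, 6, 1, 0, 0, 6, 0xAA, 0xBB};
    const uint8_t rec2[] = {22, 3, 3, 0, 4, 0xCC, 0xDD, 0xEE, 0xFF};
    const uint8_t huge[] = {22, 3, 3, 0, 4, 1, 1, 0, 0};
    if (tls_reasm_feed(&ok, rec1, sizeof rec1) != REASM_NEED_MORE) return 1;
    if (tls_reasm_feed(&ok, rec2, sizeof rec2) != REASM_COMPLETE || ok.len != 10) return 2;
    if (tls_reasm_feed(&bad, huge, sizeof huge) != REASM_FATAL || !bad.closed) return 3;
    if (tls_reasm_feed(&bad, rec1, sizeof rec1) != REASM_FATAL) return 4;   /* stays closed */
    return 0;
}
```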

The third vulnerability (CVE-2022-0715) stems from incorrect verification of firmware downloaded for an update and allows an attacker to install modified firmware without a digital signature check (it turned out that the firmware's digital signature is not checked at all; only symmetric encryption with a key hard-coded in the firmware is used).

Combined with exploitation of CVE-2022-22805, an attacker can replace the firmware remotely, either by impersonating the Schneider Electric cloud service or by initiating an update from the local network. Once in control of the UPS, an attacker can plant a backdoor or malicious code on the device, as well as carry out sabotage by cutting power to critical consumers, for example video surveillance systems in banks or life-support equipment in hospitals.


Schneider Electric has prepared patches for the problems and is also preparing a firmware update. To reduce the risk of compromise, it is additionally recommended to change the default password ("apc") on devices with an NMC (Network Management Card), to install a digitally signed SSL certificate, and to restrict access to the UPS in the firewall to Schneider Electric Cloud addresses only.

Source: opennet.ru
