Vulnerabilities in APC Smart-UPS allowing remote control of the device

Security researchers from Armis have disclosed three vulnerabilities in APC managed uninterruptible power supplies that could allow remote control of the device to be seized and abused, for example to cut power to selected outlets or to use the UPS as a springboard for attacks on other systems. The vulnerabilities are collectively named TLStorm and affect APC Smart-UPS devices (SCL, SMX, SRT series) and SmartConnect (SMT, SMTL, SCL and SMX series).

Two of the vulnerabilities are caused by errors in the TLS protocol implementation in devices managed through Schneider Electric's centralized cloud service. SmartConnect series devices automatically connect to that cloud service on startup or after losing a connection, and an unauthenticated attacker can exploit the vulnerabilities and gain full control of the device by sending specially crafted packets to the UPS.

  • CVE-2022-22805 - A buffer overflow in the packet reassembly code, triggered when handling incoming connections. The issue is caused by copying data into a buffer while processing fragmented TLS records. Exploitation is made easier by incorrect error handling around the Mocana nanoSSL library: after an error is returned, the connection is not closed.
  • CVE-2022-22806 - Authentication bypass during TLS session establishment, caused by a state-tracking error during connection negotiation. By caching an uninitialized empty TLS key and ignoring the error code returned by the Mocana nanoSSL library when a packet with an empty key arrives, it was possible to impersonate a Schneider Electric server without passing through the key exchange and verification stage.
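The fragment-handling defect behind CVE-2022-22805 is a copy into a fixed buffer that is not checked against the length the handshake header declares, compounded by a connection that stays open after the library reports an error. As an added example, not code from Armis, Schneider Electric or the Mocana nanoSSL library, the Python receiver below shows the two checks such code needs (buffer capacity and declared length, applied before each copy) and treats any failure as a reason to drop the connection; the record layout follows standard TLS, while the 16384-byte buffer size and the sample streams are constructed.

```python
import struct

RECORD_HDR = 5         # TLS record header: type (1), version (2), length (2)
HANDSHAKE_HDR = 4      # handshake header: msg_type (1), length (3)
CONTENT_HANDSHAKE = 22
MAX_MSG_LEN = 16384    # capacity of the fixed reassembly buffer (assumed value)

def split_records(stream):
    """Yield (content_type, payload) for each TLS record in the byte stream."""
    off = 0
    while off < len(stream):
        if len(stream) - off < RECORD_HDR:
            raise ValueError("truncated record header")
        ctype, _ver, length = struct.unpack_from("!BHH", stream, off)
        off += RECORD_HDR
        if len(stream) - off < length:
            raise ValueError("truncated record body")
        yield ctype, stream[off:off + length]
        off += length

def reassemble_handshake(stream, max_msg_len=MAX_MSG_LEN):
    """Reassemble one fragmented handshake message, bounds-checking every fragment."""
    buf, declared = bytearray(), None
    for ctype, frag in split_records(stream):
        if ctype != CONTENT_HANDSHAKE:
            raise ValueError("unexpected content type %d" % ctype)
        if len(buf) + len(frag) > HANDSHAKE_HDR + max_msg_len:
            raise ValueError("fragments exceed reassembly buffer")   # check before copy
        buf += frag
        if declared is None and len(buf) >= HANDSHAKE_HDR:
            declared = int.from_bytes(buf[1:4], "big")
        if declared is not None and len(buf) > HANDSHAKE_HDR + declared:
            raise ValueError("fragments exceed declared handshake length")
        if declared is not None and len(buf) == HANDSHAKE_HDR + declared:
            return buf[0], bytes(buf[HANDSHAKE_HDR:])
    raise ValueError("incomplete handshake message")

def validate(stream):
    """(True, (msg_type, body)) or (False, reason); on False, close the connection."""
    try:
        return True, reassemble_handshake(stream)
    except ValueError as exc:
        return False, str(exc)

def tls_record(payload, ctype=CONTENT_HANDSHAKE, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload  # record framing

# Constructed samples: msg_type 1, declared body length 10, split over two records (GOOD);
# OVERRUN is the same header followed by a second fragment that overruns the declared length.
GOOD = tls_record(b"\x01\x00\x00\x0aAAA") + tls_record(b"A" * 7)
OVERRUN = tls_record(b"\x01\x00\x00\x0aAAA") + tls_record(b"A" * 27)
```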

The third vulnerability (CVE-2022-0715) concerns a flawed implementation of the verification of firmware downloaded for an update and allows an attacker to install modified firmware without a digital signature check (it turned out that the firmware's digital signature is not checked at all; only symmetric encryption with a key predefined in the firmware is used).

Combined with the CVE-2022-22805 vulnerability, an attacker can replace the firmware remotely by impersonating the Schneider Electric cloud service or by initiating an update from the local network. Having gained access to the UPS, the attacker can plant a backdoor or malicious code on the device, as well as carry out sabotage and cut power to important consumers, for example cutting power to video surveillance systems in banks or life-support equipment in hospitals.


Schneider Electric has prepared patches to fix the problems and is preparing a firmware update. To reduce the risk of compromise, it is recommended to change the default password ("apc") on devices with an NMC (Network Management Card), install a digitally signed SSL certificate, and restrict access to the UPS in the firewall to Schneider Electric cloud addresses only.

Source: opennet.ru
