Vulnerabilities in APC Smart-UPS allow remote control of the device

Security researchers at Armis have found three vulnerabilities in APC-managed uninterruptible power supplies that allow remote control and manipulation of the device, such as cutting power to specific outlets or using the UPS as a foothold for attacks on other systems. The vulnerabilities are codenamed TLStorm and affect APC Smart-UPS (SCL, SMX, SRT series) and SmartConnect (SMT, SMTL, SCL and SMX series) devices.

Two of the vulnerabilities are caused by errors in the TLS protocol implementation in devices managed through Schneider Electric's centralized cloud service. SmartConnect series devices connect to the centralized cloud service automatically at startup or after losing connectivity, and an unauthenticated attacker can exploit the vulnerabilities and gain full control of the device by sending specially crafted packets to the UPS.

  • CVE-2022-22805 - Buffer overflow in the packet reassembly code, exploited while processing incoming connections. The problem is caused by copying data into a buffer while processing fragmented TLS records. Exploitation is made easier by incorrect error handling when using the Mocana nanoSSL library - after an error was returned, the connection was not closed.
  • CVE-2022-22806 - Authentication bypass when establishing a TLS session, caused by a state error during connection negotiation. Caching an uninitialized empty TLS key, together with ignoring the error code returned by the Mocana nanoSSL library when a packet with an empty key was received, made it possible to impersonate the Schneider Electric server without going through the key exchange and verification stage.
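The first bug is a classic of fragmented-record reassembly: record payloads are appended to a fixed buffer, and the check that the accumulated data still fits is missing, while a parse error is reported but the connection stays open. The Go program below is an added illustration of the hardened pattern; it is not code from the article, from Armis, or from the Mocana nanoSSL library. The record and handshake header layouts are the standard TLS ones, but the 64 KiB reassembly capacity, the `Reassembler` type and the helper names are assumptions for this example, and the sample byte streams are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	recordHeaderLen  = 5            // type(1) | version(2) | length(2)
	handshakeHdrLen  = 4            // msg_type(1) | length(3)
	contentHandshake = 22           // TLS ContentType.handshake
	maxRecordPayload = 1<<14 + 2048 // TLSCiphertext length ceiling in TLS 1.2
	maxHandshakeLen  = 64 * 1024    // assumed reassembly buffer capacity (constructed)
)

var (
	ErrTruncated   = errors.New("record shorter than its declared length")
	ErrRecordSize  = errors.New("record length exceeds TLS maximum")
	ErrBufferLimit = errors.New("handshake message exceeds reassembly buffer")
	ErrContentType = errors.New("unexpected content type during handshake")
)

// Reassembler collects handshake bytes that a peer spreads over several records.
type Reassembler struct{ buf []byte }

// Feed consumes one raw record (header + payload) and returns every handshake
// message completed by it. A non-nil error means the caller must drop the connection.
func (r *Reassembler) Feed(record []byte) ([][]byte, error) {
	if len(record) < recordHeaderLen {
		return nil, ErrTruncated
	}
	length := int(binary.BigEndian.Uint16(record[3:5]))
	if length > maxRecordPayload {
		return nil, ErrRecordSize
	}
	if len(record)-recordHeaderLen < length {
		return nil, ErrTruncated
	}
	if record[0] != contentHandshake {
		return nil, ErrContentType
	}
	payload := record[recordHeaderLen : recordHeaderLen+length]

	// Capacity check before the copy: the step a vulnerable reassembler skips.
	if len(r.buf)+len(payload) > maxHandshakeLen {
		return nil, ErrBufferLimit
	}
	r.buf = append(r.buf, payload...)

	var out [][]byte
	for len(r.buf) >= handshakeHdrLen {
		declared := int(r.buf[1])<<16 | int(r.buf[2])<<8 | int(r.buf[3])
		total := handshakeHdrLen + declared
		// The 24-bit length is peer-controlled; reject it if it could never fit.
		if total > maxHandshakeLen {
			return nil, ErrBufferLimit
		}
		if len(r.buf) < total {
			break // wait for more records
		}
		out = append(out, append([]byte(nil), r.buf[:total]...))
		r.buf = append([]byte(nil), r.buf[total:]...)
	}
	return out, nil
}

// HandleConnection stops at the first parse error and reports it, instead of
// logging the error and continuing to read from the peer.
func HandleConnection(records [][]byte) (int, error) {
	var r Reassembler
	n := 0
	for i, rec := range records {
		msgs, err := r.Feed(rec)
		if err != nil {
			return n, fmt.Errorf("record %d: %w (connection closed)", i, err)
		}
		n += len(msgs)
	}
	return n, nil
}

// MakeRecord wraps a payload in a handshake record header (TLS 1.2 version bytes).
func MakeRecord(payload []byte) []byte {
	hdr := []byte{contentHandshake, 0x03, 0x03, 0, 0}
	binary.BigEndian.PutUint16(hdr[3:5], uint16(len(payload)))
	return append(hdr, payload...)
}

// MakeHandshake prefixes a body with a handshake header of the given type.
func MakeHandshake(msgType byte, body []byte) []byte {
	n := len(body)
	return append([]byte{msgType, byte(n >> 16), byte(n >> 8), byte(n)}, body...)
}

func main() {
	// Constructed sample: a 3000-byte handshake message split across two records.
	msg := MakeHandshake(1, make([]byte, 2996))
	n, err := HandleConnection([][]byte{MakeRecord(msg[:1500]), MakeRecord(msg[1500:])})
	fmt.Println("valid stream:", n, "message(s), err:", err)
	// Constructed sample: a header claiming a 16 MiB handshake message.
	huge := MakeRecord([]byte{1, 0xff, 0xff, 0xff, 0, 0, 0, 0})
	n, err = HandleConnection([][]byte{huge, MakeRecord(msg[:1500])})
	fmt.Println("oversized stream:", n, "message(s), err:", err)
}
```

Two points carry the weight: the capacity check runs before any byte is copied, and the declared 24-bit handshake length is validated against the buffer size as soon as it is known rather than trusted; `HandleConnection` then treats every error as fatal for the connection, which is the behaviour the article says the vulnerable firmware lacked.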

The third vulnerability (CVE-2022-0715) stems from an incorrect implementation of the check applied to firmware downloaded for an update and allows an attacker to install modified firmware without a digital signature being verified (it turned out that the firmware does not check a digital signature at all, but relies only on symmetric encryption with a key predefined in the firmware).
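The point of the third bug is that encrypting an image with a key baked into the firmware gives confidentiality at best, not authenticity: whoever extracts the key can produce images that decrypt correctly, and with a stream cipher even someone without the key can flip payload bits undetected. The Go program below is an added example contrasting that design with a signature check; it is not APC's or Schneider Electric's update format or code. The `FWIM` header, the image layout, the AES-CTR choice with a zero IV and the embedded key value are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed image layout (not a real vendor format):
// magic(4) | payload | ed25519 signature(64) over magic+payload.
var magic = []byte("FWIM")

var (
	ErrMalformed    = errors.New("firmware image malformed")
	ErrBadSignature = errors.New("firmware image signature invalid")
)

// NewKeyPair returns a vendor signing key pair; only the public half ships in the device.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage builds an image whose origin the device can verify with the public key.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	body := append(append([]byte{}, magic...), payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage returns the payload only if the signature over the whole body checks out.
func VerifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < len(magic)+ed25519.SignatureSize || !bytes.Equal(image[:len(magic)], magic) {
		return nil, ErrMalformed
	}
	split := len(image) - ed25519.SignatureSize
	body, sig := image[:split], image[split:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, ErrBadSignature
	}
	return append([]byte(nil), body[len(magic):]...), nil
}

// EncryptSymmetric models the weak design: AES-CTR under a key baked into the firmware.
// CTR is its own inverse, so the same call decrypts. Fixed zero IV for the demo only.
func EncryptSymmetric(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

// SymmetricOnlyAccept accepts any image whose header decrypts to the magic value.
// Nothing here proves who produced the image or that the payload is intact.
func SymmetricOnlyAccept(key, image []byte) bool {
	plain := EncryptSymmetric(key, image)
	return len(plain) >= len(magic) && bytes.Equal(plain[:len(magic)], magic)
}

func main() {
	payload := []byte("constructed firmware payload bytes")
	pub, priv := NewKeyPair()
	signed := SignImage(priv, payload)
	_, err := VerifyImage(pub, signed)
	fmt.Println("signed image, untouched:", err)
	tampered := append([]byte(nil), signed...)
	tampered[len(magic)+3] ^= 0x01
	_, err = VerifyImage(pub, tampered)
	fmt.Println("signed image, one bit flipped:", err)

	key := []byte("assumed-embedded") // 16 bytes; stands in for a key recoverable from firmware
	enc := EncryptSymmetric(key, append(append([]byte{}, magic...), payload...))
	enc[len(magic)+3] ^= 0x01
	fmt.Println("symmetric-only check accepts flipped image:", SymmetricOnlyAccept(key, enc))
}
```

Run as written, the signed image fails verification after a single flipped bit, while the symmetric-only check still accepts the same modification; a device that only decrypts therefore cannot tell a vendor image from a modified one, which is exactly the gap an update mechanism needs a signature (or at least an authenticated encryption mode with a key that never leaves the vendor) to close.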

Combined with CVE-2022-22805, an attacker can replace the firmware remotely by impersonating the Schneider Electric cloud service or by initiating an update from the local network. After gaining access to the UPS, the attacker can plant a backdoor or malicious code on the device, and can also carry out sabotage by cutting power to important consumers, for example video surveillance systems in banks or life-support equipment in hospitals.

Schneider Electric has prepared patches to fix the problems and is preparing a firmware update. To reduce the risk of compromise, it is also recommended to change the default password ("apc") on devices with an NMC (Network Management Card), to install a digitally signed SSL certificate, and to restrict access to the UPS at the firewall to Schneider Electric Cloud addresses only.

Source: opennet.ru