TLStorm: Three Critical Vulnerabilities Affecting APC Smart-UPS Devices

Security researchers at Armis recently announced that they have discovered three vulnerabilities in APC managed uninterruptible power supplies that allow remote control and manipulation of the device, such as switching off certain outlets or using the device to launch attacks against other systems.

The vulnerabilities are called TLStorm and affect the APC Smart-UPS (SCL, SMX, SRT series) and SmartConnect (SMT, SMTL, SCL, and SMX series).

An uninterruptible power supply (UPS) provides emergency backup power to mission-critical assets and can be found in data centers, industrial facilities, hospitals, and elsewhere.

APC is a subsidiary of Schneider Electric and one of the leading vendors of UPS devices, with more than 20 million units sold worldwide. If exploited, these vulnerabilities, dubbed TLStorm, allow a complete takeover of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks. According to Armis data, almost 8 out of 10 companies are exposed to TLStorm. This blog post provides a high-level overview of the research and its findings.

The blog post mentions that two of the vulnerabilities are caused by bugs in the implementation of the TLS protocol on devices managed through the Schneider Electric cloud service.

SmartConnect series devices automatically connect to a centralized cloud service on startup or when connectivity is lost, and an unauthenticated attacker can exploit the vulnerabilities and gain full control of the device by sending specially crafted packets to the UPS.

  • CVE-2022-22805: Buffer overflow in the packet reassembly code used when handling incoming connections. The issue is caused by buffering data while processing fragmented TLS records. Exploitation is made easier by improper error handling when using the Mocana nanoSSL library: after an error is returned, the connection is not closed.
  • CVE-2022-22806: Authentication bypass when establishing a TLS session, caused by a state error during connection negotiation. Caching a null (uninitialized) TLS key and ignoring the error code returned by the Mocana nanoSSL library when a packet with an empty key is received made it possible to impersonate the Schneider Electric server without going through the authentication and key exchange stage.

The third vulnerability (CVE-2022-0715) is related to an incorrect implementation of firmware verification when downloading an update and allows an attacker to install modified firmware without a digital signature check (it turned out that the digital signature is not verified for the firmware at all; only symmetric encryption with a key predefined in the firmware is used).

Combined with the CVE-2022-22805 vulnerability, an attacker can replace the firmware remotely by impersonating the Schneider Electric cloud service or by initiating an update from the local network.
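Symmetric encryption with a key baked into the firmware provides confidentiality at best, not authenticity: whoever extracts the key can decrypt an image, modify it, and re-encrypt it so that it decrypts cleanly again. What the update path needs is a signature that the device can verify but cannot produce. The following Go program is an added illustration written for this article, not Schneider Electric's update format or code; the `FWv1` header layout, the `SignImage` and `VerifyImage` functions, and the payload are all hypothetical. It uses Ed25519 from the Go standard library and shows the device rejecting a tampered image, an image signed under a different key, and a truncated image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical image layout for this illustration (not the APC format):
// a 4-byte magic, a 64-byte Ed25519 signature, then the firmware payload.
var magic = []byte("FWv1")

var (
	ErrMalformed    = errors.New("firmware image rejected: malformed header")
	ErrBadSignature = errors.New("firmware image rejected: signature does not verify")
)

// SignImage builds an update image the way a vendor build system would: the
// payload's SHA-256 digest is signed with a private key that stays with the
// vendor and is never present on the device.
func SignImage(priv ed25519.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig := ed25519.Sign(priv, digest[:])
	img := append([]byte{}, magic...)
	img = append(img, sig...)
	return append(img, payload...)
}

// VerifyImage is what the device runs before writing anything to flash. It
// returns the payload only when the signature verifies under the vendor's
// public key. Holding that public key lets the device check images but not
// create them, which a symmetric key embedded in the firmware cannot offer.
func VerifyImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	hdr := len(magic) + ed25519.SignatureSize
	if len(img) < hdr || !bytes.Equal(img[:len(magic)], magic) {
		return nil, ErrMalformed
	}
	sig := img[len(magic):hdr]
	payload := img[hdr:]
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

func main() {
	// Constructed key pair and payload; a real vendor key would be generated
	// once and kept offline, with only the public half shipped in the device.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := SignImage(priv, []byte("constructed firmware payload"))

	_, err = VerifyImage(pub, img)
	fmt.Println("genuine image:", err)

	// Flip one payload bit: the digest changes and the signature no longer verifies.
	tampered := append([]byte{}, img...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = VerifyImage(pub, tampered)
	fmt.Println("tampered image:", err)
}
```

Signing the digest rather than the raw payload is a design choice so that the signed message stays small regardless of image size; the security property is unchanged because SHA-256 is collision resistant. On a real device the public key must itself be protected from replacement (for example by keeping it in read-only or attested storage), otherwise an attacker who can rewrite the key has the same power as one who holds the symmetric key on the page.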

Abuse of flaws in firmware update mechanisms is becoming common among APTs, as recently detailed in the analysis of the Cyclops Blink malware, and improperly signed device firmware is a recurring flaw in many embedded systems. A previous vulnerability found by Armis in Swisslog PTS systems (PwnedPiper, CVE-2021-37160) was the result of the same type of flaw.

Having gained access to the UPS, an attacker can plant a backdoor or malicious code on the device, as well as carry out sabotage and cut power to important consumers, for example shutting off power to video surveillance systems in banks or to life support systems.

Schneider Electric has prepared patches to address the issues and is also preparing a firmware update. To reduce the risk of compromise, it is recommended to change the default password ("apc") on devices with an NMC (Network Management Card), install a digitally signed SSL certificate, and restrict access to the UPS on the firewall to only the Schneider Electric cloud addresses.

Finally, if you are interested in learning more about it, you can check the details at the following link.

