SEVD-2022-067-02

Vulnerability from csaf_se - Published: 2022-03-08 06:30 - Updated: 2022-06-16 18:30
Summary
APC Smart-UPS SMT, SMC, SMX, SCL, SRC, XU, XP, CSH2, SURTD, SMTL, SRT, and select SRTL Series

Notes

General Security Recommendations
We strongly recommend the following industry cybersecurity best practices.
https://www.se.com/us/en/download/document/7EN52-0390/
* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
* Place all controllers in locked cabinets and never leave them in the “Program” mode.
* Never connect programming software to any network other than the network intended for that device.
* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
For More Information
This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process. For further information related to cybersecurity in Schneider Electric’s products, visit the company’s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp
LEGAL DISCLAIMER
THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS “NOTIFICATION”) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND. SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION
About Schneider Electric
At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment. We provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries. We are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values. www.se.com
Overview
Schneider Electric is aware of the vulnerabilities associated with APC Smart-UPS uninterruptible power supply devices which, if compromised, may allow for potential unauthorized access and control of the device. Upon learning of these vulnerabilities, we worked diligently to develop remediations and mitigations, and disclose in a timely, responsible manner so that our customers and end-users can better protect their people, assets, and operations.
At Schneider Electric, the safety of our customers and products is our highest priority. We develop and manufacture our products to the highest safety standards in accordance with regulatory and industry guidelines. Our UPS products are compliant with these standards, ensuring they operate in a safe manner, including conducting abnormal tests where components are intentionally faulted.
Our UPS units comply with industry safety standards including UL 1778, CSA 22.2 No. 107.3 in North America and IEC 62040-1, which references the generic standards CSA-C22.2 No. 60950-1 / UL 60950-1 or IEC 60950-1 / IEC 62477-1.
We recommend that customers immediately install available firmware updates provided below, which include remediations to reduce the risk of successful exploitation of these vulnerabilities. In addition, customers should also immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from exploitation of these vulnerabilities. Where appropriate, this includes locating their systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; and preventing mission-critical systems and devices from being accessed from outside networks.
More information on recommended security practices can be found in the General Security Recommendations section below.
Please subscribe to the Schneider Electric security notification service to be informed of updates to this notification: https://www.schneider-electric.com/en/work/support/cybersecurity/security-notifications.jsp
For additional information and support, please contact your Schneider Electric sales or service representative or Schneider Electric’s Customer Care Center.
November 2022 Update: SURTD series was removed from the affected products table after a further investigation concluded that it was not affected by CVE-2022-0715. SRTL series was added to the available remediation section. In addition, SMC/SMX/SMT series was added to the available remediation section and SRC series moved to separate remediation sections.

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "We strongly recommend the following industry cybersecurity best practices.\n\nhttps://www.se.com/us/en/download/document/7EN52-0390/\n* Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.\n* Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.\n* Place all controllers in locked cabinets and never leave them in the \u201cProgram\u201d mode.\n* Never connect programming software to any network other than the network intended for that device.\n* Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.\n* Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.\n* Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.\n* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.\nFor more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document. \n",
        "title": "General Security Recommendations"
      },
      {
        "category": "general",
        "text": "This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, contact your local Schneider Electric representative or Schneider Electric Industrial Cybersecurity Services: https://www.se.com/ww/en/work/solutions/cybersecurity/. These organizations will be fully aware of this situation and can support you through the process.\nFor further information related to cybersecurity in Schneider Electric\u2019s products, visit the company\u2019s cybersecurity support portal page: https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp",
        "title": "For More Information"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS NOTIFICATION DOCUMENT, THE INFORMATION CONTAINED HEREIN, AND ANY MATERIALS LINKED FROM IT (COLLECTIVELY, THIS \u201cNOTIFICATION\u201d) ARE INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN \u201cAS-IS\u201d BASIS WITHOUT WARRANTY OR GUARANTEE OF ANY KIND.  SCHNEIDER ELECTRIC DISCLAIMS ALL WARRANTIES RELATING TO THIS NOTIFICATION, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SCHNEIDER ELECTRIC MAKES NO WARRANTY THAT THE NOTIFICATION WILL RESOLVE THE IDENTIFIED SITUATION. IN NO EVENT SHALL SCHNEIDER ELECTRIC BE LIABLE FOR ANY DAMAGES OR LOSSES WHATSOEVER IN CONNECTION WITH THIS NOTIFICATION, INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS NOTIFICATION IS AT YOUR OWN RISK, AND YOU ARE SOLELY LIABLE FOR ANY DAMAGES TO YOUR SYSTEMS OR ASSETS OR OTHER LOSSES THAT MAY RESULT FROM YOUR USE OF THIS NOTIFICATION. SCHNEIDER ELECTRIC RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION",
        "title": "LEGAL DISCLAIMER"
      },
      {
        "category": "general",
        "text": "At Schneider, we believe access to energy and digital is a basic human right. We empower all to do more with less, ensuring Life Is On everywhere, for everyone, at every moment.\n\nWe provide energy and automation digital solutions for efficiency and sustainability. We combine world-leading energy technologies, real-time automation, software and services into integrated solutions for Homes, Buildings, Data Centers, Infrastructure and Industries.\n\nWe are committed to unleash the infinite possibilities of an open, global, innovative community that is passionate with our Meaningful Purpose, Inclusive and Empowered values.\n\nwww.se.com ",
        "title": "About Schneider Electric"
      },
      {
        "category": "summary",
        "text": "Schneider Electric is aware of the vulnerabilities associated with APC Smart-UPS uninterruptable power supply devices which, if compromised, may allow for potential unauthorized access and control of the device. Upon learning of these vulnerabilities, we worked diligently to develop remediations and mitigations, and disclose in a timely, responsible manner so that our customers and end-users can better protect their people, assets, and operations.\nAt Schneider Electric, the safety of our customers and products is our highest priority. We develop and manufacture our products to the highest safety standards in accordance with regulatory and industry guidelines. Our UPS products are compliant to these standards, ensuring they operate in a safe manner including conducting abnormal tests where components are intentionally faulted.\nOur UPS units comply with industry safety standards including UL 1778, CSA 22.2 No. 107.3 in North America and IEC 62040-1 which references to generic standards CSA-C22.2 No. 60950-1 /UL 60950-1or IEC 60950-1 / IEC 62477-1.\nWe recommend that customers immediately install available firmware updates provided below, which include remediations to reduce the risk of successful exploitation of these vulnerabilities. In addition, customers should also immediately ensure they have implemented cybersecurity best practices across their operations to protect themselves from exploitation of these vulnerabilities. Where appropriate, this includes locating their systems and remotely accessible devices behind firewalls; installing physical controls to prevent unauthorized access; preventing mission-critical systems and devices from being accessed from outside networks. \nMore information on recommended security practices can be found in the General Security Recommendations section below.\nPlease subscribe to the Schneider Electric security notification service to be informed of updates to this notification https://www.schneider-electric.com/en/work/support/cybersecurity/security-notifications.jsp\nFor additional information and support, please contact your Schneider Electric sales or service representative or Schneider Electric\u2019s Customer Care Center.\nNovember 2022 Update: SURTD series was removed from the affected products table after a further investigation concluded that it was not affected by CVE-2022-0715. SRTL series was added to the available remediation section. In addition, SMC/SMX/SMT series was added to the available remediation section and SRC series moved to separate remediation sections.",
        "title": "Overview"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "cybersecurity@se.com",
      "name": "Schneider Electric CPCERT",
      "namespace": "https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp"
    },
    "references": [
      {
        "category": "self",
        "summary": "APC Smart-UPS SMT, SMC, SMX, SCL, SRC, XU, SMTL, SRT, and select SRTL Series - SEVD-2022-067-02 CSAF Version",
        "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=sevd-2022-067-02.json"
      },
      {
        "category": "self",
        "summary": "APC Smart-UPS SMT, SMC, SMX, SCL, SRC, XU, SMTL, SRT, and select SRTL Series - SEVD-2022-067-02 PDF Version",
        "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-067-02\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2022-067-02_APC-Smart-UPS_Security_Notification.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Cybersecurity Best Practices",
        "url": "https://www.se.com/us/en/download/document/7EN52-0390/"
      }
    ],
    "title": " APC Smart-UPS SMT, SMC, SMX, SCL, SRC, XU, XP, CSH2, SURTD, SMTL, SRT, and select SRTL Series",
    "tracking": {
      "current_release_date": "2022-06-16T18:30:00.000Z",
      "generator": {
        "date": "2022-11-17T15:47:42.500Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.0.0"
        }
      },
      "id": "SEVD-2022-067-02",
      "initial_release_date": "2022-03-08T06:30:00.000Z",
      "revision_history": [
        {
          "date": "2022-03-08T06:30:00.000Z",
          "number": "1",
          "summary": "Original Release"
        },
        {
          "date": "2022-03-24T06:30:00.000Z",
          "number": "2",
          "summary": "Added SRTL series to affected products. Removed Smart-UPS series from available remediations section as only SmartConnect currently has available remediations."
        },
        {
          "date": "2022-05-10T00:00:00.00Z",
          "number": "3",
          "summary": "Added SRC \u0026 XU series to affected products. Added SmartConnect SMTL, SCL, and SMX Series in available remediations section"
        },
        {
          "date": "2022-06-14T18:30:00.000Z",
          "number": "4",
          "summary": "Added XP, SURTD, CHS2 series to affected products section and added Smart-UPS SCL and SRT Series in the available remediations section. Various changes were made to improve clarity."
        },
        {
          "date": "2022-07-12T18:30:00.000Z",
          "number": "5",
          "summary": "SMT Series ID=1039: UPS 14.9 and prior and SMC Series ID=1041: UPS 14.9 and prior added to the Affected Products and Versions section (page 2). Added SRC and XU to the available remediations section (page 6). Various changes were made to improve clarity"
        },
        {
          "date": "2022-08-19T06:30:00.000Z",
          "number": "6",
          "summary": "In the Affected Products and Versions section, new series IDs were added to SMT, SMC, and SMX. Added CSH2 to the available remediations sections.   Added mitigations for products with the specified IDs that have been phased out and will not have firmware remediation."
        },
        {
          "date": "2022-11-22T06:30:00.000Z",
          "number": "7",
          "summary": "SURTD series was removed from the affected products table after a further investigation concluded that it was not affected by CVE-2022-0715. SRTL series was added to the available remediation section. In addition, SMC/SMX/SMT series was added to the available remediation section and SRC series moved to separate remediation sections ."
        }
      ],
      "status": "final",
      "version": "7"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMT Series ID= 14/17 versions UPS 14.9 and prior",
                          "product_id": "48"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID= 14/17"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMT Series ID= 20 versions UPS 14.9 and prior",
                          "product_id": "49"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID= 20"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMT Series ID= 1041 verions UPS 14.9 and prior",
                          "product_id": "50"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID= 1041"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMT Series ID=18 versions UPS 14.9 and prior",
                          "product_id": "1"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=18"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMT Series ID=1040 versions UPS 14.9 and prior",
                          "product_id": "2"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1040"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMT Series ID=1031 verssions UPS 14.9 and prior",
                          "product_id": "3"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1031"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMT Series ID = 1039 \u003c=UPS 14.9",
                          "product_id": "42"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID = 1039"
                  }
                ],
                "category": "product_family",
                "name": "SMT Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMC Series ID=1000 \u003c=UPS 14.9",
                          "product_id": "51"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1000"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMC Series ID=1005 \u003c=UPS 14.9",
                          "product_id": "4"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1005"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMC Series ID=1007 \u003c=UPS 14.9",
                          "product_id": "5"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1007"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMC Series ID = 1008 \u003c=UPS 14.9",
                          "product_id": "43"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID = 1008"
                  }
                ],
                "category": "product_family",
                "name": "SMC Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SCL Series ID=1036 \u003c=UPS 14.9",
                          "product_id": "6"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1036"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SCL Series ID=1029 \u003c=UPS 14.9",
                          "product_id": "7"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1029"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SCL Series ID=1037 \u003c=UPS 14.9",
                          "product_id": "8"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1037"
                  }
                ],
                "category": "product_family",
                "name": "SCL Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMX Series ID=10/11 \u003c=UPS 14.9",
                          "product_id": "52"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=10/11"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMX Series ID=1012 \u003c=UPS 14.9",
                          "product_id": "53"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1012"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMX Series ID=20 \u003c=UPS 14.9",
                          "product_id": "9"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=20"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMX Series ID=23 \u003c=UPS 14.9",
                          "product_id": "10"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=23"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMX Series ID=1023 \u003c=UPS 14.9",
                          "product_id": "11"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1023"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMX Series ID=1003 \u003c=UPS 14.9",
                          "product_id": "12"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1003"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SMX Series ID=1031 \u003c=UPS 14.9",
                          "product_id": "54"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1031"
                  }
                ],
                "category": "product_family",
                "name": "SMX Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRT Series ID=1010 \u003c=UPS 14.9",
                          "product_id": "13"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1010"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRT Series ID=1019 \u003c=UPS 14.9",
                          "product_id": "14"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1019"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRT Series ID=1025 \u003c=UPS 14.9",
                          "product_id": "15"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1025"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRT Series ID=1020 \u003c=UPS 14.9",
                          "product_id": "16"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1020"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRT Series ID=1021 \u003c=UPS 14.9",
                          "product_id": "17"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1021"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRT Series ID=1001 \u003c=UPS 14.9",
                          "product_id": "18"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1001"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRT Series ID=1013 \u003c=UPS 14.9",
                          "product_id": "19"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1013"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRT Series ID=1002 \u003c=UPS 14.9",
                          "product_id": "20"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1002"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRT Series ID=1014 \u003c=UPS 14.9",
                          "product_id": "21"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1014"
                  }
                ],
                "category": "product_family",
                "name": "SRT Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRTL Series SMT Series ID=1024 \u003c=UPS 14.9",
                          "product_id": "22",
                          "product_identification_helper": {
                            "model_numbers": [
                              "SRTL1000RMXLI",
                              "SRTL1000RMXLI-NC",
                              "SRTL1500RMXLI",
                              "SRTL1500RMXLI-NC",
                              "SRTL2200RMXLI",
                              "SRTL2200RMXLI-NC",
                              "SRTL3000RMXLI",
                              "SRTL3000RMXLI-NC"
                            ]
                          }
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1024"
                  }
                ],
                "category": "product_family",
                "name": "SRTL Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 13.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRC Series ID=1004 \u003c=UPS 13.9",
                          "product_id": "23"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1004"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 13.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRC Series ID=1006 \u003c=UPS 13.9",
                          "product_id": "24"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1006"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 13.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SRC Series ID=1011 \u003c=UPS 13.9",
                          "product_id": "25"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1011"
                  }
                ],
                "category": "product_family",
                "name": "SRC Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 02.6",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family XU Series ID=1017 \u003c=UPS 02.6",
                          "product_id": "26"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1017"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family XU Series ID=1017 \u003c=UPS 02.6",
                          "product_id": "55"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1025"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 00.3",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family XU Series ID=1033 \u003c=UPS 00.3",
                          "product_id": "27"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1033"
                  }
                ],
                "category": "product_family",
                "name": "XU Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 02.3",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family XP Series ID=1016 \u003c=UPS 02.3",
                          "product_id": "28"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=1016"
                  }
                ],
                "category": "product_family",
                "name": "XP Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family CHS2 Series ID=5008 \u003c=UPS 14.9",
                          "product_id": "29"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=5008"
                  }
                ],
                "category": "product_family",
                "name": "CHS2 Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SURTD Series ID=5 \u003c=UPS 02.6",
                          "product_id": "30"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=5"
                  },
                  {
                    "branches": [
                      {
                        "category": "product_version_range",
                        "name": "\u003c=UPS 14.9",
                        "product": {
                          "name": "Schneider Electric Smart-UPS Family SURTD Series ID=9 \u003c=UPS 00.3",
                          "product_id": "31"
                        }
                      }
                    ],
                    "category": "product_name",
                    "name": "ID=9"
                  }
                ],
                "category": "product_family",
                "name": "SURTD Series"
              },
              {
                "branches": [
                  {
                    "branches": [
                      {
                        "branches": [
                          {
                            "category": "product_version_range",
                            "name": "\u003c=UPS 04.5",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMT Series ID=1015 \u003c=UPS 04.5",
                              "product_id": "32"
                            }
                          },
                          {
                            "category": "product_version",
                            "name": "UPS 04.6",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMT Series ID=1015 UPS 04.6",
                              "product_id": "33"
                            }
                          }
                        ],
                        "category": "product_name",
                        "name": "ID=1015"
                      },
                      {
                        "branches": [
                          {
                            "category": "product_version_range",
                            "name": "\u003c=UPS 14.9",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMT Series ID=1031 \u003c=UPS 14.9",
                              "product_id": "38"
                            }
                          },
                          {
                            "category": "product_version",
                            "name": "UPS 04.6",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMT Series ID=1031 UPS 04.6",
                              "product_id": "39"
                            }
                          }
                        ],
                        "category": "product_name",
                        "name": "ID=1031"
                      }
                    ],
                    "category": "product_family",
                    "name": "SMT Series"
                  },
                  {
                    "branches": [
                      {
                        "branches": [
                          {
                            "category": "product_version_range",
                            "name": "\u003c=UPS 04.2",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMC Series ID=1018 \u003c=UPS 04.2",
                              "product_id": "34"
                            }
                          },
                          {
                            "category": "product_version",
                            "name": "UPS 04.3",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMC Series ID=1018 UPS 04.3",
                              "product_id": "35"
                            }
                          }
                        ],
                        "category": "product_name",
                        "name": "ID=1018"
                      }
                    ],
                    "category": "product_family",
                    "name": "SMC Series"
                  },
                  {
                    "branches": [
                      {
                        "branches": [
                          {
                            "category": "product_version_range",
                            "name": "\u003c=UPS 14.9",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMTL Series ID=1026 \u003c=UPS 14.9",
                              "product_id": "36"
                            }
                          },
                          {
                            "category": "product_version",
                            "name": "UPS 15.0",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMTL Series ID=1026 UPS 15.0",
                              "product_id": "37"
                            }
                          }
                        ],
                        "category": "product_name",
                        "name": "ID=1026"
                      }
                    ],
                    "category": "product_family",
                    "name": "SMTL Series"
                  },
                  {
                    "branches": [
                      {
                        "branches": [
                          {
                            "category": "product_version_range",
                            "name": "\u003c=UPS 14.9",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SCL Series ID=1030 \u003c=UPS 14.9",
                              "product_id": "40"
                            }
                          },
                          {
                            "category": "product_version",
                            "name": "UPS 15.0",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SCL Series ID=1030 UPS 15.0",
                              "product_id": "41"
                            }
                          }
                        ],
                        "category": "product_name",
                        "name": "ID=1030"
                      }
                    ],
                    "category": "product_family",
                    "name": "SCL Series"
                  },
                  {
                    "branches": [
                      {
                        "branches": [
                          {
                            "category": "product_version_range",
                            "name": "\u003c=UPS 14.9",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMX Series ID=1031 \u003c=UPS 14.9",
                              "product_id": "46"
                            }
                          },
                          {
                            "category": "product_version",
                            "name": "UPS 15.0",
                            "product": {
                              "name": "Schneider Electric SmartConnect Family SMX Series ID=1031 UPS 15.0",
                              "product_id": "47"
                            }
                          }
                        ],
                        "category": "product_name",
                        "name": "ID=1031"
                      }
                    ],
                    "category": "product_family",
                    "name": "SMX Series"
                  }
                ],
                "category": "product_family",
                "name": "SmartConnect Family"
              }
            ],
            "category": "product_family",
            "name": "Smart-UPS Family"
          }
        ],
        "category": "vendor",
        "name": "Schneider Electric"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Gal Levy"
          ],
          "organization": "Armis"
        }
      ],
      "cve": "CVE-2022-22805",
      "cwe": {
        "id": "CWE-120",
        "name": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "A CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027) vulnerability exists that could cause remote code execution when an improperly handled TLS packet is reassembled.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "33",
          "35",
          "37",
          "39",
          "41",
          "47"
        ],
        "known_affected": [
          "32",
          "34",
          "36",
          "38",
          "40",
          "46"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Firmware Version UPS 04.6 (SMT series), Version UPS 15.0 (SMTL, SCL, SMX series) and Version UPS 04.3 (SMC series) includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation, for the Smart-UPS SMT and SMC series and a fix for CVE-2022-22805 and CVE-2022-22806 for the SmartConnect UPS SMT, SMTL, SCL, SMX series and SMC series.\nThere are three ways to apply this remediation:\n1. For units connected to the SmartConnect Portal, new firmware will become available automatically. Follow prompts via the portal or display to install new firmware.\n2. For units not connected to the SmartConnect Portal, use the Firmware Upgrade Wizard to install the new firmware.\n3. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS.\nWhen downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.\nNote: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature.\nTo verify new firmware version post-installation: Go to the About screen on local display, the SmartConnect portal, or on the NMC and confirm that the UPS firmware Revision is UPS 04.6 (SMT series) and UPS 04.3 (SMC series)\nIn addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "32",
            "34",
            "42",
            "43",
            "6",
            "7",
            "8",
            "9",
            "10",
            "11",
            "12",
            "36",
            "40",
            "46"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Firmware Version UPS 04.6 (SMT series) and Version UPS 04.3 (SMC series) includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation, for the Smart-UPS SMT and SMC series and a fix for CVE-2022-22805 and CVE-2022-22806 for the SmartConnect UPS SMT and SMC series.\nThere are three ways to apply this remediation:\n1. For units connected to the SmartConnect Portal, new firmware will become available automatically. Follow prompts via the portal or display to install new firmware.\n2. For units not connected to the SmartConnect Portal, use the Firmware Upgrade Wizard to install the new firmware.\n3. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS.\nWhen downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.\nNote: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature.\nTo verify new firmware version post-installation: Go to the About screen on local display, the SmartConnect portal, or on the NMC and confirm that the UPS firmware Revision is UPS 04.6 (SMT series) and UPS 04.3 (SMC series)\nIn addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit.",
          "product_ids": [
            "32",
            "34"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Firmware Version UPS 15.0 includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation and a fix for CVE-2022-22805 and CVE-2022-22806 for the SmartConnect UPS SMTL, SCL and SMX series.\nThere are three ways to apply this remediation:\n1. For units connected to the SmartConnect Portal, new firmware will become available automatically. Follow prompts via the portal or display to install new firmware.\n2. For units not connected to the SmartConnect Portal, use the Firmware Upgrade Wizard to install the new firmware.\n3. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS.\nWhen downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.\nNote: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature.\nTo verify new firmware version post-installation: Go to the About screen on local display, the SmartConnect portal, or on the NMC and confirm that the UPS firmware Revision is UPS 15.0. In addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit.",
          "product_ids": [
            "40",
            "36",
            "46"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "32",
            "34",
            "36",
            "38",
            "40",
            "46"
          ]
        }
      ],
      "title": "CVE-2022-22805"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Gal Levy"
          ],
          "organization": "Armis"
        }
      ],
      "cve": "CVE-2022-22806",
      "cwe": {
        "id": "CWE-294",
        "name": "Authentication Bypass by Capture-replay"
      },
      "notes": [
        {
          "category": "description",
          "text": "A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause an unauthenticated connection to the UPS when a malformed connection is sent.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "33",
          "35",
          "37",
          "39",
          "41",
          "47"
        ],
        "known_affected": [
          "32",
          "34",
          "36",
          "38",
          "40",
          "46"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Firmware Version UPS 04.6 (SMT series), Version UPS 15.0 (SMTL, SCL, SMX series) and Version UPS 04.3 (SMC series) includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation, for the Smart-UPS SMT and SMC series and a fix for CVE-2022-22805 and CVE-2022-22806 for the SmartConnect UPS SMT, SMTL, SCL, SMX series and SMC series.\nThere are three ways to apply this remediation:\n1. For units connected to the SmartConnect Portal, new firmware will become available automatically. Follow prompts via the portal or display to install new firmware.\n2. For units not connected to the SmartConnect Portal, use the Firmware Upgrade Wizard to install the new firmware.\n3. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS.\nWhen downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.\nNote: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature.\nTo verify new firmware version post-installation: Go to the About screen on local display, the SmartConnect portal, or on the NMC and confirm that the UPS firmware Revision is UPS 04.6 (SMT series) and UPS 04.3 (SMC series)\nIn addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit.",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "32",
            "34",
            "42",
            "43",
            "6",
            "7",
            "8",
            "9",
            "10",
            "11",
            "12",
            "36",
            "40",
            "46"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Firmware Version UPS 04.6 (SMT series) and Version UPS 04.3 (SMC series) includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation, for the Smart-UPS SMT and SMC series and a fix for CVE-2022-22805 and CVE-2022-22806 for the SmartConnect UPS SMT and SMC series.\nThere are three ways to apply this remediation:\n1. For units connected to the SmartConnect Portal, new firmware will become available automatically. Follow prompts via the portal or display to install new firmware.\n2. For units not connected to the SmartConnect Portal, use the Firmware Upgrade Wizard to install the new firmware.\n3. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS.\nWhen downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.\nNote: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature.\nTo verify new firmware version post-installation: Go to the About screen on local display, the SmartConnect portal, or on the NMC and confirm that the UPS firmware Revision is UPS 04.6 (SMT series) and UPS 04.3 (SMC series)\nIn addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit.",
          "product_ids": [
            "32",
            "34"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Firmware Version UPS 15.0 includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation and a fix for CVE-2022-22805 and CVE-2022-22806 for the SmartConnect UPS SMTL, SCL and SMX series.\nThere are three ways to apply this remediation:\n1. For units connected to the SmartConnect Portal, new firmware will become available automatically. Follow prompts via the portal or display to install new firmware.\n2. For units not connected to the SmartConnect Portal, use the Firmware Upgrade Wizard to install the new firmware.\n3. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS.\nWhen downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.\nNote: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature.\nTo verify new firmware version post-installation: Go to the About screen on local display, the SmartConnect portal, or on the NMC and confirm that the UPS firmware Revision is UPS 15.0. In addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit.",
          "product_ids": [
            "40",
            "36",
            "46"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "32",
            "34",
            "36",
            "38",
            "40",
            "46"
          ]
        }
      ],
      "title": "CVE-2022-22806"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Gal Levy"
          ],
          "organization": "Armis"
        }
      ],
      "cve": "CVE-2022-0715",
      "cwe": {
        "id": "CWE-287",
        "name": "Improper Authentication"
      },
      "notes": [
        {
          "category": "description",
          "text": "A CWE-287: Improper Authentication vulnerability exists that could cause an attacker to arbitrarily change the behavior of the UPS if a key is leaked and used to upload malicious firmware.",
          "title": "CVE Description"
        },
        {
          "category": "details",
          "text": "For Connected Devices:\nCVSS v3.1 Base Score 8.9 | High | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H\nFor Non-Connected Devices:\nCVSS v3.1 Base Score 6.9 | Medium | CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H",
          "title": "CVE Details"
        }
      ],
      "product_status": {
        "known_affected": [
          "1",
          "10",
          "11",
          "12",
          "13",
          "14",
          "15",
          "16",
          "17",
          "18",
          "19",
          "20",
          "21",
          "22",
          "23",
          "25",
          "26",
          "27",
          "28",
          "29",
          "3",
          "32",
          "33",
          "34",
          "36",
          "38",
          "4",
          "40",
          "41",
          "42",
          "43",
          "46",
          "5",
          "51",
          "52",
          "53",
          "54",
          "6",
          "7",
          "8",
          "9",
          "48",
          "24",
          "2"
        ],
        "recommended": [
          "33",
          "35",
          "37",
          "39",
          "41",
          "47"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Firmware Version UPS 04.6 (SMT series), Version UPS 15.0 (SMTL, SCL, SMX series) and Version UPS 04.3 (SMC series) includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation, for the Smart-UPS SMT and SMC series and a fix for CVE-2022-22805 and CVE-2022-22806 for the SmartConnect UPS SMT, SMTL, SCL, SMX series and SMC series.There are three ways to apply this remediation: 1.   For units connected to the SmartConnect Portal, new firmware will become available automatically. Follow prompts via the portal or display to install new firmware. 2. For units not connected to the SmartConnect Portal, use the Firmware Upgrade Wizard to install the new firmware.  3. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS. When downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.Note: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature. To verify new firmware version post-installation: Go to the About screen on local display, the SmartConnect portal, or on the NMC and confirm that the UPS firmware Revision is UPS 04.6 (SMT series) and UPS 04.3 (SMC series)In addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit. ",
          "product_ids": [
            "1",
            "2",
            "3",
            "4",
            "5",
            "32",
            "34",
            "42",
            "43",
            "6",
            "7",
            "8",
            "9",
            "10",
            "11",
            "12",
            "36",
            "40",
            "46"
          ]
        },
        {
          "category": "mitigation",
          "details": "Firmware Version UPS 15.0 (SRT, SRTL,  CSH2, \u0026 XU series) and Firmware Version UPS 15.1 (SCL series) includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation for the Smart-UPS SCL,  SRTL, CSH2, XU,  and SRT series.There are two ways to apply this remediation: 1. For all units, use the Firmware Upgrade Wizard t o install the new firmware.  2. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS. When downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.Note: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature. To verify new firmware version post-installation: Go to the About screen on local display, or on the NMC and confirm that the UPS firmware Revision is UPS 15.0. In addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit. ",
          "product_ids": [
            "40",
            "41",
            "6",
            "7",
            "8",
            "13",
            "26",
            "27",
            "14",
            "15",
            "16",
            "17",
            "18",
            "19",
            "20",
            "21",
            "22",
            "29"
          ]
        },
        {
          "category": "mitigation",
          "details": "Firmware Version UPS 15.0 (SRC) includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation for the Smart-UPS SRC series.There are two ways to apply this remediation: 1. For all units, use the Firmware Upgrade Wizard to install the new firmware.  2. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS. When downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.Note: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature. To verify new firmware version post-installation: Go to the About screen on local display, or on the NMC and confirm that the UPS firmware Revision is UPS 15.0. In addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit.",
          "product_ids": [
            "24",
            "25"
          ]
        },
        {
          "category": "mitigation",
          "details": "Firmware Version UPS 15.0 (SMT, SMC, SMX, XP series) includes a partial remediation for CVE-2022-0715, which will reduce the risk of successful exploitation for the Smart-UPS SMT, SMC, SMX, XP series. There are two ways to apply this remediation: 1. For all units, use the Firmware Upgrade Wizard to install the new firmware.  2. For those devices which include a NMC, it can be used to remotely update the firmware of the UPS. When downloading updates, only download from the official Schneider Electric sources above and ensure that hashes are verified before installation.Note: After the firmware is installed, the unit will lose the capability to install future firmware via the NMC. All other methods of firmware update will continue to be available. A future firmware update will be released to re-enable this feature. To verify new firmware version post-installation: Go to the About screen on local display, or on the NMC and confirm that the UPS firmware Revision is UPS 15.0. In addition to the remediations above, customers should immediately apply the General Security Recommendations provided below to reduce the risk of exploit. ",
          "product_ids": [
            "32",
            "33",
            "38",
            "51",
            "4",
            "5",
            "43",
            "52",
            "53",
            "1",
            "10",
            "11",
            "12",
            "54",
            "28"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "UPS models from these series with the specified IDs have been phased out and firmware remediation is not available for them. To reduce the risk of exploit, customers should continue to follow the General Security Recommendations.To remediate the vulnerabilities, we recommend that you replace UPS models with the specified IDs with a newer version of a similar model. If you have questions about which model you should procure, please reach out to your account manager or refer to the UPS Selector and Product Substitution \u0026 Replacements tools at www.apc.com.",
          "product_ids": [
            "48",
            "43",
            "51",
            "52",
            "53",
            "23"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "10",
            "11",
            "12",
            "13",
            "14",
            "15",
            "16",
            "17",
            "18",
            "19",
            "20",
            "21",
            "22",
            "23",
            "25",
            "26",
            "27",
            "28",
            "29",
            "3",
            "32",
            "33",
            "34",
            "36",
            "38",
            "4",
            "40",
            "41",
            "42",
            "43",
            "46",
            "5",
            "51",
            "52",
            "53",
            "54",
            "6",
            "7",
            "8",
            "9",
            "48",
            "24",
            "2"
          ]
        },
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "1"
          ]
        }
      ],
      "title": "CVE-2022-0715"
    }
  ]
}

