TLStorm vulnerabilities

For a list of impacted products and remediations, please refer to Schneider Electric's security bulletin which contains the most up to date information:
https://www.se.com/ww/en/download/document/SEVD-2022-067-02/

Based on the current information and analysis available, the EcoStruxure IT Gateway is not impacted by the TLStorm vulnerabilities.

CVE-2022-22806 and CVE-2022-22805 

The IT Gateway uses a different TLS implementation than the affected UPSs. These vulnerabilities have not been discovered in that toolchain.

CVE-2022-0715

The EcoStruxure IT Gateway uses different authentication mechanisms and does not have user installable firmware like a UPS.

The IT Gateway does facilitate firmware updates to the NMC on the UPS, via the secure EcoStruxure IT Expert cloud application only, using officially released firmware packages.  It does not have the ability to update the firmware on the UPS itself.

IT Expert Device Security assessment

The Device Security assessment in IT Expert includes a TLStorm analysis.

For the most accurate device analysis, be sure to keep your APC Network Management Card (NMC) firmware up to date and your Gateway updated to the latest version.