Vulnerability in wireless access points that allows traffic interception

A team of researchers from Tsinghua University (China) and George Mason University (USA) has disclosed a vulnerability (CVE-2022-25667) in wireless access points that allows man-in-the-middle (MITM) attacks on wireless networks secured with WPA, WPA2, and WPA3. By manipulating ICMP packets with the "redirect" flag, an attacker can redirect a victim's traffic within the wireless network through the attacker's own system, which can be used to intercept and tamper with unencrypted sessions (for example, requests to non-HTTPS websites).

The vulnerability is caused by the lack of proper filtering of bogus ICMP messages with spoofed source addresses in the network processing units (NPUs), which perform low-level packet processing in wireless networks. Among other things, the NPUs forwarded spoofed ICMP packets with the "redirect" flag without any checks. Such packets can be used to modify routing table entries on the victim's side. The attack consists of sending an ICMP packet on behalf of the access point with the "redirect" flag and bogus data in the packet header. Because of the vulnerability, the message is forwarded by the access point and processed by the victim's network stack, which believes that the message originated from the access point.


In addition, the researchers proposed a method for bypassing the checks applied to ICMP packets with the "redirect" flag on the end user's side and changing the user's routing table. To get around the filtering, the attacker first determines an active UDP port on the victim's side. While on the same wireless network, the attacker can intercept traffic but cannot decrypt it, because the attacker does not know the session key the victim uses when accessing the access point. However, by sending probe packets to the victim, the attacker can determine an active UDP port by analysing the incoming ICMP responses with the "Destination Unreachable" flag. The attacker then crafts an ICMP message with the "redirect" flag and a forged UDP header that specifies the identified UDP port. Processing this message corrupts the routing table on the victim's system and redirects its traffic, potentially allowing interception of plaintext messages at the data link layer.
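The spoofed redirect described above can be spotted on the victim's side, because the message claims the access point's IP address but arrives from another station. The following detection check is an added example, not code from the researchers; the function name, addresses, MACs and the sample frame are constructed, and it assumes the capture exposes the original sender's MAC as the Ethernet source address.

```python
import ipaddress
import struct

# Constructed sample frame (checksums zeroed): Ethernet + IPv4 + ICMP redirect.
# The IP source claims to be the gateway 192.168.1.1, the source MAC belongs to
# another station, and the payload embeds a UDP flow header from 192.168.1.50.
SAMPLE_FRAME = bytes.fromhex(
    "0200000000320200000000420800"              # dst MAC, src MAC, IPv4
    "450000380000000040010000c0a80101c0a80132"  # IPv4: .1.1 -> .1.50, ICMP
    "05010000c0a80142"                          # ICMP type 5, new gw .1.66
    "4500001c0000000040110000c0a80132cb00710a"  # embedded IPv4, UDP
    "d431003500080000"                          # embedded UDP 54321 -> 53
)


def check_redirect(frame, gw_ip, gw_mac, routers=()):
    """Return None unless frame is an ICMP redirect, else a dict with alerts."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    src_mac = frame[6:12].hex(":")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 1 or len(ip) < ihl + 8:
        return None
    icmp = ip[ihl:]
    if icmp[0] != 5:  # ICMP type 5 = Redirect
        return None
    sender = str(ipaddress.ip_address(ip[12:16]))
    new_gw = str(ipaddress.ip_address(icmp[4:8]))
    out = {"sender": sender, "new_gateway": new_gw,
           "src_mac": src_mac, "alerts": []}
    inner = icmp[8:]  # header of the flow the redirect claims to refer to
    if len(inner) >= 20:
        off = (inner[0] & 0x0F) * 4
        out["flow_dst"] = str(ipaddress.ip_address(inner[16:20]))
        if inner[9] == 17 and len(inner) >= off + 4:
            out["udp_ports"] = struct.unpack("!HH", inner[off:off + 4])
    if sender == gw_ip and src_mac != gw_mac.lower():
        out["alerts"].append("gateway IP sent from non-gateway MAC")
    if sender != gw_ip:
        out["alerts"].append("redirect not from current gateway")
    if new_gw not in routers:
        out["alerts"].append("new gateway is not a known router")
    return out
```

On a network whose only router is the access point, any result with a non-empty `alerts` list is worth investigating.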


The issue has been confirmed in access points using HiSilicon and Qualcomm chips. An analysis of access point models from 10 vendors (Cisco, NetGear, Xiaomi, Mercury, 360, Huawei, TP-Link, H3C, Tenda, and Ruijie) showed that all of them were vulnerable and did not block spoofed ICMP packets. In addition, an analysis of 122 existing wireless networks showed that the attack was feasible in 109 of them (89%).


To exploit these vulnerabilities, the attacker must have legitimate access to the Wi-Fi network, i.e. know the credentials for joining the wireless network (the vulnerabilities make it possible to bypass the WPA* mechanisms that isolate users' traffic within the network). Unlike traditional MITM attacks on wireless networks, by using ICMP packet spoofing techniques the attacker can avoid deploying a rogue access point to intercept traffic and can instead use the network's legitimate access points to forward specially crafted ICMP packets to the victim.



source: budenet.ru