Remote Code Execution Vulnerability in Netgear Routers

A vulnerability has been identified in Netgear devices that allows code execution with root privileges, without authentication, by manipulating external network traffic on the WAN interface side. The vulnerability has been confirmed in the R6900P, R7000P, R7960P and R8000P wireless routers, as well as in the MR60 and MS60 network devices. Netgear has already released firmware updates that fix the vulnerability.

The vulnerability is caused by a stack overflow in the background process aws_json (/tmp/media/nand/router-analytics/aws_json) while parsing JSON data received in response to a request to an external web service (https://devicelocation.ngxcld.com/device-location/resolve) that is used to determine the device's location. To carry out the attack, a specially crafted JSON file must be placed on the attacker's own web server and the router must be made to load that file, for example through DNS spoofing or by redirecting the request at a transit node (the request to the host devicelocation.ngxcld.com, which is made when the device starts, has to be intercepted). The request is sent over HTTPS, but the validity of the certificate is not checked (the download is performed with the curl utility using the "-k" option).
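The stack overflow described above belongs to a familiar class: a string value from a reply the attacker controls is copied into a fixed-size stack buffer without a length check. The following C example is added here and is not Netgear's aws_json code; the field name "country", the reply layout and the 64-byte buffer are assumptions, since the article does not say which field overflows. It shows the unbounded copy next to a bounded version that refuses over-long values, which is the fix a firmware reviewer would ask for.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 64   /* size of the fixed stack buffer a caller keeps for one field */
/* Locate the string value for "key" in a flat JSON object (minimal matcher, no
 * escape handling). Returns NULL if the key is missing or not a string. */
static const char *find_string_value(const char *json, const char *key)
{
    char pattern[96];
    if (snprintf(pattern, sizeof pattern, "\"%s\"", key) >= (int)sizeof pattern) return NULL;
    const char *p = strstr(json, pattern);
    if (!p) return NULL;
    for (p += strlen(pattern); *p == ' ' || *p == ':'; p++) {}
    return (*p == '"') ? p + 1 : NULL;
}
/* Bug class from the article (illustrative, not Netgear's code): the value is copied up
 * to the closing quote with no bound, so a value longer than FIELD_MAX overruns the stack. */
void copy_field_unbounded(const char *value, char *dst)
{
    while (*value && *value != '"') *dst++ = *value++;   /* no limit on dst */
    *dst = '\0';
}
/* Hardened form: dst size is part of the contract; over-long or unterminated input is refused. */
static int copy_field_bounded(const char *value, char *dst, size_t dst_len)
{
    size_t n = 0;
    for (; value[n] && value[n] != '"'; n++) {
        if (n + 1 >= dst_len) return -1;   /* no room for this byte plus the NUL */
        dst[n] = value[n];
    }
    if (value[n] != '"') return -1;        /* string never closed */
    dst[n] = '\0';
    return (int)n;
}
/* Parse the assumed "country" field; returns its length or -1 on rejection. */
int parse_country(const char *json, char *out, size_t out_len)
{
    const char *v = find_string_value(json, "country");
    return v ? copy_field_bounded(v, out, out_len) : -1;
}
static char g_out[FIELD_MAX];
/* Constructed well-formed reply: accepted, g_out holds "DE" and 2 is returned. */
int demo_ok(void) { return parse_country("{\"country\":\"DE\",\"city\":\"Berlin\"}", g_out, sizeof g_out); }
const char *demo_ok_value(void) { return g_out; }
/* Constructed over-long reply (100-character value): the bounded copy returns -1. */
int demo_long(void)
{
    char json[160], out[FIELD_MAX];
    snprintf(json, sizeof json, "{\"country\":\"%0100d\"}", 0);
    return parse_country(json, out, sizeof out);
}
```

The same reply fed to copy_field_unbounded with a 64-byte destination would write past the buffer, which is the defect class the firmware fix had to remove.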

In practice, the vulnerability can be used to compromise the device, for example by installing a backdoor for subsequent control over a company's internal network. Carrying out the attack requires brief access to the Netgear router or to the cable or network equipment on the WAN interface side (for example, an ISP, or an attacker who has gained access to the communications panel, could carry out the attack). As a demonstration, the researchers built a prototype attack device based on a Raspberry Pi board, which yields a root shell when the router's WAN interface is connected to the board's Ethernet port.

source: budenet.ru
