Vulnerabilities in Zyxel, D-Link and Netgear Wireless Routers

Several vulnerabilities in Zyxel, D-Link and Netgear wireless routers allow remote access to the device without authentication.

  • Zyxel wireless routers (CVE-2025-0890) were found to contain accounts with hard-coded passwords that grant access to the device. Firmware analysis showed that the file /etc/default.cfg contains the accounts supervisor:zyad1234, admin:1234 and zyuser:1234. In addition, vulnerabilities (CVE-2024-40890, CVE-2024-40891) were identified on these devices that allow injection of system commands when specially crafted POST requests are sent to a CGI script in the web interface, or when running the operations offered over telnet. The manufacturer provides only limited access via telnet, permitting just a few commands such as ping and tftp.

    It turned out that the imposed restrictions can be bypassed and full shell access with root privileges can be obtained by executing, for example, "tftp -h || sh". The combination of these issues allows an unauthenticated remote attacker to connect to the device via telnet or the web interface and run their own code with root privileges. Exploitation of these vulnerabilities to install malware on devices on the network has already been recorded.

    The vulnerabilities affect the following device models: VMG1312-B10*, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10G3300G3500A. Zyxel said it will not release firmware updates to address the identified problems, since the support period for these devices has ended. It also stated that access to the web interface and telnet on the affected devices is disabled by default for requests from the external network. At the same time, the researchers who discovered the vulnerabilities were able to use the FOFA and Censys services to find about 1500 vulnerable devices that accept telnet requests from the external network.

  • A vulnerability (CVE-3788-2024) was identified in the D-Link DSL-57440 series wireless routers that allows remote code execution on the device without authentication. To attack, it is enough to send a request to the webproc CGI script with an oversized value in the session field, which causes a buffer overflow. The problem stems from missing input size validation in the COMM_MakeCustomMsg function. D-Link fixed the issue in firmware update 1.01R1B037.
  • Two vulnerabilities were identified in Netgear wireless routers. The first affects the Netgear XR1000, XR1000v2 and XR500 models and allows remote code execution on the device without authentication. The second affects the Netgear WAX206, WAX220 and WAX214v2 models and allows access to the device by bypassing authentication. Details of how the vulnerabilities are exploited have not yet been disclosed. The vulnerabilities were fixed in the February firmware update.
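The Zyxel item above describes two defender-relevant failure modes: a firmware configuration shipping known default accounts, and a "restricted" telnet shell that hands the whole command line to a real shell, so that a command chained with `||` escapes the allowlist. The following is an added illustration, not code from Zyxel or from the article. It shows a firmware audit check that flags the listed default accounts in an /etc/default.cfg-style file (the `account user:password` line format is an assumption; the sample file is constructed), and a command validator of the kind a restricted shell should use: it checks the first token against an allowlist, restricts every token to a safe character set, and returns an argv list meant for `subprocess.run(argv, shell=False)` rather than a string for a shell, so `tftp -h || sh` is rejected instead of executed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in an assumed "account user:password" format.
# The three default accounts are the ones named in the article; the
# "operator" line is a made-up contrast case with a non-default password.
SAMPLE_DEFAULT_CFG = """\
# constructed example, not the vendor's real file
hostname=router
account supervisor:zyad1234
account admin:1234
account zyuser:1234
account operator:Tq9!vL2m#xP8wE
"""

# Default credentials reported for CVE-2025-0890 (from the article).
KNOWN_DEFAULTS = {
    ("supervisor", "zyad1234"),
    ("admin", "1234"),
    ("zyuser", "1234"),
}

ACCOUNT_RE = re.compile(r"^account\s+([^:\s]+):(\S+)\s*$")


def find_weak_accounts(cfg_text: str) -> List[Tuple[str, str, str]]:
    """Return (user, password, reason) for each account line that matches a
    known vendor default or fails a basic strength rule (short or all digits)."""
    findings = []
    for line in cfg_text.splitlines():
        m = ACCOUNT_RE.match(line.strip())
        if not m:
            continue
        user, password = m.group(1), m.group(2)
        if (user, password) in KNOWN_DEFAULTS:
            findings.append((user, password, "known vendor default"))
        elif len(password) < 8 or password.isdigit():
            findings.append((user, password, "weak password"))
    return findings


# Allowlist for the restricted shell: the commands the article says the
# vendor intended to expose over telnet.  Everything else is refused.
ALLOWED_COMMANDS = {"ping", "tftp"}
MAX_ARGS = 8  # assumed upper bound to keep argument lists small

# A token may contain only characters that have no meaning to a shell.
# Note that '|', '&', ';', '$', backticks, quotes and parentheses are all
# outside this set, which is what blocks "tftp -h || sh".
SAFE_TOKEN_RE = re.compile(r"^[A-Za-z0-9._:/=-]+$")


def validate_restricted_command(cmdline: str) -> Optional[List[str]]:
    """Parse one restricted-shell command line into an argv list.

    Returns the argv list if the command is allowlisted and every token is
    safe, otherwise None.  The caller must execute the result with
    subprocess.run(argv, shell=False); passing the original string to a
    shell is exactly the mistake that lets '||' chain a second command."""
    tokens = cmdline.split()
    if not tokens or len(tokens) - 1 > MAX_ARGS:
        return None
    if tokens[0] not in ALLOWED_COMMANDS:
        return None
    if not all(SAFE_TOKEN_RE.match(t) for t in tokens):
        return None
    return tokens


if __name__ == "__main__":
    for finding in find_weak_accounts(SAMPLE_DEFAULT_CFG):
        print("weak account:", finding)
    for line in ("ping -c 4 192.0.2.1", "tftp -h || sh", "ping $(sh)", "ls"):
        print(repr(line), "->", validate_restricted_command(line))
```

The validator is deliberately an allowlist on characters rather than a denylist on known metacharacters; a denylist would have to track every shell feature (`||`, `;`, `$( )`, backticks, newlines), and one omission recreates the bypass. Separating validation from execution (argv list, `shell=False`) is the part that actually removes the shell from the path.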

    source: budenet.ru