Vulnerabilities in drivers for Broadcom Wi-Fi chips that allow remote attacks on the system

Four vulnerabilities have been identified in drivers for Broadcom wireless chips. In the simplest case, the vulnerabilities can be used to cause a remote denial of service, but scenarios cannot be ruled out in which exploits are developed that allow an unauthenticated attacker to execute their code with Linux kernel privileges by sending specially crafted packets.

The problems were found by reverse engineering the Broadcom firmware. The affected chips are used in computers, smartphones and a wide range of devices, from SmartTVs to Internet of Things devices. In particular, Broadcom chips are used in smartphones from manufacturers such as Apple, Samsung and Huawei. It is noteworthy that Broadcom was notified of the vulnerabilities back in September 2018, but it took about 7 months to release fixes in coordination with equipment manufacturers.

Two of the vulnerabilities affect the internal firmware and can allow code execution in the environment of the operating system used on Broadcom chips, which makes it possible to attack environments that do not use Linux (for example, the possibility of attacking Apple devices has been confirmed, CVE-2019-8564). Recall that some Broadcom Wi-Fi chips are specialized processors (ARM Cortex R4 or M3) that run a similar operating system with an implementation of the 802.11 wireless stack (FullMAC). In such chips, the driver handles the interaction between the main system and the Wi-Fi chip firmware. To gain full control over the main system after FullMAC has been compromised, it is suggested to use additional vulnerabilities or, on some chips, to use full access to system memory. In chips with SoftMAC, the 802.11 wireless stack is implemented on the driver side and runs on the system CPU.


The driver vulnerabilities appear in both the wl driver (SoftMAC and FullMAC) and the open source brcmfmac driver (FullMAC). Two buffer overflows were found in the wl driver; they are exploited when the access point sends specially crafted EAPOL messages during connection negotiation (the attack can be carried out when connecting to a malicious access point). In the case of a chip with SoftMAC, the vulnerabilities lead to compromise of the system kernel, and in the case of FullMAC, code can be executed on the firmware side. brcmfmac contains a buffer overflow and a frame-checking error that are exploited by sending control frames. The problems with the brcmfmac driver in the Linux kernel were fixed in February.

Identified vulnerabilities:

  • CVE-2019-9503 - incorrect behavior of the brcmfmac driver when processing control frames used to interact with the firmware. If a frame with a firmware event comes from an external source, the driver discards it, but if the event is received over the internal bus, the frame is let through. The problem is that events from devices that use USB are transmitted over the internal bus, which allows attackers to successfully deliver firmware control frames when a wireless adapter with a USB interface is in use;
  • CVE-2019-9500 - when the "Wake-up on Wireless LAN" feature is enabled, it is possible to cause an overflow in the brcmfmac driver (function brcmf_wowl_nd_results) by sending a specially crafted control frame. This vulnerability can be used to achieve code execution in the main system after the chip has been compromised, or in combination with CVE-2019-9503 to bypass the checks when a control frame is sent remotely;
  • CVE-2019-9501 - buffer overflow in the wl driver (function wlc_wpa_sup_eapol) that occurs when processing messages in which the content of the vendor information field exceeds 32 bytes;
  • CVE-2019-9502 - buffer overflow in the wl driver (function wlc_wpa_plumb_gtk) that occurs when processing messages in which the content of the vendor information field exceeds 164 bytes.
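Both wl overflows are triggered by a vendor information field longer than a fixed limit (32 and 164 bytes). The C code below is an added example, not code from the wl driver or from the original article: it shows the length validation a parser needs before copying such a field into a fixed-size buffer. The function names, the return codes, the ID/length/body element layout and the sample frame are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_VENDOR   0xdd  /* 802.11 vendor-specific element ID */
#define SUP_BUF_LEN 32    /* size limit the article gives for CVE-2019-9501 */
#define GTK_BUF_LEN 164   /* size limit the article gives for CVE-2019-9502 */

enum { VIE_NONE = -1, VIE_TRUNCATED = -2, VIE_TOO_LONG = -3 };

/* Hypothetical helper: walk the ID/length/body elements in EAPOL key data and
 * copy the first vendor element body into dst. Returns the body length or a
 * negative VIE_* code; dst is never written past dst_cap. */
int copy_vendor_ie(const uint8_t *data, size_t data_len,
                   uint8_t *dst, size_t dst_cap)
{
    size_t off = 0;

    while (data_len - off >= 2) {
        uint8_t id = data[off];
        size_t len = data[off + 1];

        off += 2;
        if (len > data_len - off)
            return VIE_TRUNCATED;    /* declared length runs past the frame */
        if (id == IE_VENDOR) {
            if (len > dst_cap)
                return VIE_TOO_LONG; /* peer-supplied length exceeds the buffer */
            memcpy(dst, data + off, len);
            return (int)len;
        }
        off += len;                  /* skip elements we do not care about */
    }
    return VIE_NONE;
}

/* Constructed sample frame: a 2-byte filler element, then a vendor element
 * declaring `declared` body bytes of which only `present` are in the frame. */
int check_sample(uint8_t declared, uint8_t present, size_t cap)
{
    uint8_t frame[6 + 255] = { 0x30, 2, 1, 0, IE_VENDOR, declared };
    uint8_t dst[GTK_BUF_LEN];

    memset(frame + 6, 0xAA, present);
    return copy_vendor_ie(frame, 6u + present, dst,
                          cap > sizeof dst ? sizeof dst : cap);
}

int main(void)
{
    printf("%d %d\n", check_sample(32, 32, SUP_BUF_LEN),
           check_sample(33, 33, SUP_BUF_LEN));
    return 0;
}
```
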

source: budenet.ru
