OpenWrt 19.07.1 update fixes a package manager vulnerability

Corrective releases of the OpenWrt distribution, 18.06.7 and 19.07.1, have been published. They fix a dangerous vulnerability (CVE-2020-7982) in the opkg package manager that allows an attacker to carry out a MITM attack and replace the contents of a package downloaded from the repository. Because of an error in the checksum verification code, an attacker could create conditions under which the SHA-256 checksums contained in the digitally signed package index are ignored, making it possible to bypass the integrity check of downloaded ipk resources.

The problem has been present since February 2017, when code was added to skip leading spaces before the checksum. Because of a bug in that space-skipping code, the pointer to the position in the line was not advanced, so the SHA-256 hexadecimal decoding loop returned immediately and produced a zero-length checksum.
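To make the defect concrete, here is an added, constructed C illustration (not opkg's own source) of a checksum parser with the described flaw next to its corrected form; the sample field value, the function names and the 32-byte length check are assumptions of this example.

```c
/* Constructed illustration (not opkg's source) of the defect class described
 * above: a checksum parser whose whitespace-skipping step never advances the
 * read pointer, so the hex decoder returns a zero-length digest. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#define SHA256_LEN 32

/* Constructed sample: the value following "SHA256sum:" in a Packages index
 * line, i.e. one leading space and then 64 hex digits. */
const char SAMPLE_FIELD[] =
    " 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode up to SHA256_LEN bytes of hex from src into out and return the byte
 * count; stops at the first non-hex character (a space counts). */
static size_t hex2bin(const char *src, unsigned char *out) {
    size_t n = 0;
    while (n < SHA256_LEN) {
        int hi = hexval((unsigned char)src[2 * n]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)src[2 * n + 1]);
        if (hi < 0 || lo < 0) break;
        out[n++] = (unsigned char)((hi << 4) | lo);
    }
    return n;
}

/* Buggy: measures the leading whitespace but decodes from the unadjusted
 * pointer, so the loop exits on the space with n == 0. */
size_t parse_sum_buggy(const char *field, unsigned char *out) {
    size_t skip = 0;
    while (isspace((unsigned char)field[skip])) skip++;
    return hex2bin(field, out);      /* should be hex2bin(field + skip, out) */
}

/* Fixed: advance past the whitespace before decoding. */
size_t parse_sum_fixed(const char *field, unsigned char *out) {
    while (isspace((unsigned char)*field)) field++;
    return hex2bin(field, out);
}

/* A digest that is not exactly SHA256_LEN bytes is a parse failure, not
 * "no checksum to verify": refuse it instead of skipping the check. */
int digest_usable(size_t len) { return len == SHA256_LEN; }
```

The lesson for verifiers is in the last function: a parser that yields an empty digest must make installation fail, not silently skip the comparison.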

Since the opkg package manager in OpenWrt runs with root privileges, an attacker in a MITM position can silently replace an ipk package downloaded from the repository while the user runs the "opkg install" command, and arrange for their own code to run as root by adding their own scripts to the package, which are invoked during installation. To exploit the vulnerability, the attacker must also deliver a correct, signed package index (for example, the one served from downloads.openwrt.org). The size of the modified package must match the original size specified in the index.

When you need to avoid reflashing the entire firmware, you can update only the opkg package manager by running the following commands:

cd /tmp
opkg update
opkg download opkg
zcat ./opkg-lists/openwrt_base | grep -A10 "Package: opkg" | grep SHA256sum
sha256sum ./opkg_2020-01-25-c09fe209-1_*.ipk

Then compare the displayed checksums and, if they match, run:

opkg install ./opkg_2020-01-25-c09fe209-1_*.ipk

The new versions also fix another vulnerability, in the libubox library, which can lead to a buffer overflow when specially crafted serialized binary or JSON data is processed by the blobmsg_format_json function. The library is used in distribution components such as netifd, procd, ubus, rpcd and uhttpd, as well as in other packages (including the sysupgrade CLI). The buffer overflow occurs when large numbers of type "double" are serialized into a blob block. You can check whether your system is affected by running the command:

$ ubus call luci getFeatures \
    '{"banik": 00192200197600198000198100200400.1922 }'

In addition to eliminating the vulnerabilities and fixing accumulated bugs, the OpenWrt 19.07.1 release also updated the Linux kernel (from 4.14.162 to 4.14.167), resolved performance problems when operating on 5GHz frequencies, and improved support for the Ubiquiti Rocket M Titanium, Netgear WN2500RP v1, Zyxel NSA325, Netgear WNR3500 V2, Archer C6 v2, Ubiquiti EdgeRouter-X, Archer C20 v4, Archer C50 v4, Archer MR200, TL-WA801ND v5, HiWiFi HC5962, Xiaomi Mi Router 3 Pro and Netgear 6350 devices.

Source: opennet.ru
