In the open-source packages IWD (Intel inet Wireless Daemon) and wpa_supplicant, which are used to connect Linux client systems to wireless networks, vulnerabilities have been identified that allow authentication mechanisms to be bypassed:
- In IWD, the vulnerability (CVE-2023-52161) appears only when access point mode is enabled, which is not typical for IWD, since it is normally used to connect to wireless networks. The vulnerability makes it possible to connect to the created access point without knowing the password, for example when the user explicitly provides network access through their device (Hotspot). The problem is fixed in IWD version 2.14.
The vulnerability is caused by a failure to properly check the order of the steps in the 4-way handshake used when first connecting to a wireless network. Because IWD accepts messages for any stage of the handshake without checking whether the previous stage has been completed, an attacker can skip sending the second-stage message, send the fourth-stage message straight away and gain access to the network, bypassing the stage at which authentication is verified.
In this case, IWD tries to verify the MIC (Message Integrity Code) of the received fourth-stage message. Since the second-stage message carrying the authentication parameters was never received, the PTK (Pairwise Transient Key) is set to zero when the fourth-stage message is processed. As a result, the attacker can compute the MIC using a null PTK, and IWD will accept this verification code as valid. After completing this partial handshake, the attacker has full access to the wireless network, since the access point will accept the frames the attacker sends, encrypted with the null PTK.
- The vulnerability identified in wpa_supplicant (CVE-2023-52160) allows an attacker to lure a user onto a fake wireless network that poses as the network the user intends to connect to. If the user connects to the fake network, the attacker can intercept the user's unencrypted traffic (for example, access to sites without HTTPS).
Because of a flaw in the implementation of the PEAP protocol (Protected Extensible Authentication Protocol), an attacker can skip the second phase of authentication when an incorrectly configured user device connects. Bypassing the second phase of authentication allows the attacker to create an imitation of a trusted Wi-Fi network and have the user connect to the fake network without the password being checked.
For the attack to succeed, verification of the server's TLS certificate must be disabled in wpa_supplicant on the user's side, and the attacker must know the identifier of the wireless network (SSID, Service Set Identifier). The attacker must be within range of the victim's wireless adapter, but outside the range of the wireless network's access point. The attack is possible on WPA2-Enterprise or WPA3-Enterprise networks that use the PEAP protocol.
The wpa_supplicant developers stated that they do not consider the issue a vulnerability, since it appears only in incorrectly configured wireless networks in which EAP authentication is used together with PEAP (EAP-TTLS) without verifying the server's TLS certificate. Configurations without certificate verification have no protection against active attacks. Those who discovered the vulnerability argue that such incorrect configurations are typical and widespread, which puts at risk many consumer devices based on Linux, Android and Chrome OS that use wpa_supplicant.
To block the problem in wpa_supplicant, a patch has been released that adds a mode in which completing the second phase of authentication is mandatory, in addition to checking the TLS certificate. According to the developers, the proposed change is only a workaround that complicates attacks when manual authentication is used and is useless when options such as EAP-GTC are used. To actually resolve the problem, network administrators should bring their configuration into proper form, i.e. configure the chain of trust for verifying the server certificate using the ca_cert parameter.
Source: opennet.ru
