Vulnerability allowing TCP connections established through VPN tunnels to be hijacked

An attack technique (CVE-2019-14899) has been published that allows packets to be spoofed, modified, or injected into TCP connections carried through VPN tunnels. The issue affects Linux, FreeBSD, OpenBSD, Android, macOS, iOS and other Unix-like systems. Linux supports the rp_filter (reverse path filtering) mechanism for IPv4; enabling it in "Strict" mode mitigates the problem.

The technique allows packets to be injected at the level of a TCP connection passing through an encrypted tunnel, but it does not allow injection into connections that use additional encryption layers (for example, TLS, HTTPS, SSH). The encryption algorithms used in the VPN do not matter, since the spoofed packets arrive from the external interface and are processed by the kernel as if they came from the VPN interface. The most likely use of the attack is spoofing unencrypted HTTP connections, but using it to manipulate DNS responses is not ruled out.

Successful packet injection has been demonstrated on systems built with OpenVPN, WireGuard and IKEv2/IPSec. For IPv4, the attack is possible if rp_filter is set to "Loose" mode (sysctl net.ipv4.conf.all.rp_filter = 2). Previously, most systems used "Strict", but starting with systemd 240, released last December, the default mode was changed to "Loose", and this change was carried over into the default settings of many Linux distributions.

The rp_filter mechanism is intended to verify the route of packets in order to prevent source address spoofing. When set to 0, no source address check is performed and any packet can be forwarded between network interfaces without restrictions. Mode 1 "Strict" checks every packet arriving from outside against the routing table, and if the network interface on which the packet was received does not match the best route for delivering a reply, the packet is dropped. Mode 2 "Loose" relaxes the check so that load balancing or asymmetric routing can work, where the reply route may go through a different network interface than the one the incoming packet arrived on.

In Loose mode, an incoming packet is also checked against the routing table, but it is considered valid as long as the source address is reachable through any interface. The attack relies on the fact that the attacker can send a packet with a spoofed address matching the VPN interface, and although that packet enters the system through the external network interface rather than through the VPN, in rp_filter "Loose" mode such a packet will not be dropped.
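The difference between the three rp_filter modes is easiest to see as a decision rule. The following is an added example, not code from the article: a small model of how the kernel's reverse path check treats a packet that arrives on interface `ingress` claiming source address `src`. The routing table, interface names (`tun0`, `wlan0`) and addresses are constructed; 10.8.0.0/24 is the OpenVPN default subnet the article mentions, and the `reverse_path_check` function name is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example (not code from the article): a model of the three rp_filter modes.
# A packet arriving on interface `ingress` with source address `src` is checked
# against a routing table. The table, interface names and addresses below are
# constructed; 10.8.0.0/24 is the OpenVPN default subnet the article mentions.


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: Optional[str]  # None models an "unreachable" route with no output device


ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.8.0.0/24"), "tun0"),      # VPN tunnel subnet
    Route(ipaddress.ip_network("192.168.1.0/24"), "wlan0"),  # local Wi-Fi segment
    Route(ipaddress.ip_network("100.64.0.0/10"), None),      # deliberately unreachable
    Route(ipaddress.ip_network("0.0.0.0/0"), "tun0"),        # default route into the VPN
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface this host would use to reach `dst`."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).iface


def reverse_path_check(mode: int, src: str, ingress: str,
                       routes: List[Route] = ROUTES) -> bool:
    """Return True if rp_filter in `mode` accepts a packet from `src` on `ingress`."""
    if mode == 0:
        return True                 # no source validation at all
    egress = lookup(src, routes)    # where a reply to `src` would be sent
    if mode == 1:
        return egress == ingress    # Strict: reply must leave on the arrival interface
    if mode == 2:
        return egress is not None   # Loose: any usable route back to the source is enough
    raise ValueError("rp_filter mode must be 0, 1 or 2")


if __name__ == "__main__":
    # A packet claiming to come from a public host arrives on the Wi-Fi interface,
    # although this host reaches that address through the VPN default route.
    for mode in (0, 1, 2):
        verdict = "accept" if reverse_path_check(mode, "203.0.113.10", "wlan0") else "drop"
        print(f"rp_filter={mode}: {verdict}")
```

The model shows why the article's advice works: with a default route pointing into the tunnel, every source address is reachable "somewhere", so Loose mode accepts a packet on the physical interface whose reply would go out through the VPN, while Strict mode drops it because the arrival interface and the reply interface differ.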

To carry out the attack, the attacker must control the gateway through which the user connects to the network (for example, by taking a MITM position when the victim connects to a wireless access point controlled by the attacker, or by compromising the router). By controlling the gateway the user is connected to, the attacker can send spoofed packets that will be treated as coming from the VPN network interface, while the replies will be routed through the tunnel.

By generating a stream of spoofed packets in which the IP address of the VPN interface is substituted, an attempt is made to influence a connection established by the client, but the effect of these packets can only be observed through side-channel analysis of the encrypted traffic associated with the tunnel's operation. To carry out the attack, one must know the IP address of the network interface assigned by the VPN server, and also determine that a connection to a particular host is currently active through the tunnel.

To determine the IP of the VPN network interface, SYN-ACK packets are sent to the victim's system while iterating over a list of likely addresses (the addresses typically used in VPNs are tried first; for example, OpenVPN uses the 10.8.0.0/24 subnet). The presence of an address can be judged by receiving a reply with the RST flag set.

Similarly, the existence of a connection to a particular site and the port number on the client side are determined: iterating over port numbers, a SYN packet is sent to the user in which the site's IP is substituted as the source address and the destination address is the real VPN IP. The server port is predictable (80 for HTTP), and the client-side port number can be found by brute force, analyzing for different numbers the change in the intensity of ACK responses together with the absence of a packet with the RST flag.

At this stage the attacker knows all four elements of the connection (source IP address/port and destination IP address/port), but to build a spoofed packet that the victim will accept, the attacker must determine the TCP sequence and acknowledgement numbers (seq and ack) of the connection. To determine these parameters, the attacker continuously sends spoofed RST packets, trying different sequence numbers, until an incoming ACK packet is detected, which indicates that the number falls within the TCP window.

Next, the attacker refines the guess by sending packets with the same number and watching for incoming ACK responses, and then selects the exact number of the current sequence. This task is complicated by the fact that the responses are sent inside the encrypted tunnel, and their presence in the encrypted traffic can only be inferred by indirect means. Whether the client has sent an ACK packet towards the VPN server is determined from the size and timing of the encrypted replies that correlate with the sending of the spoofed packets. For example, for OpenVPN, an encrypted packet size of 79 bytes makes it possible to judge reliably that there is an ACK inside.

Until protection against the attack is added to the kernel, it is recommended as a temporary measure to use a packet filter rule in the "prerouting" chain that drops packets in which the IP address of the tunnel interface is specified as the destination address:

iptables -t raw -I PREROUTING ! -i wg0 -d 10.182.12.8 -m addrtype ! --src-type LOCAL -j DROP

or with nftables

nft add table ip raw
nft add chain ip raw prerouting '{ type filter hook prerouting priority 0; }'
nft add rule ip raw prerouting 'iifname != "wg0" ip daddr 10.182.12.8 fib saddr type != local drop'

To protect yourself when using IPv4 addresses, it is enough to set rp_filter to "Strict" mode ("sysctl net.ipv4.conf.all.rp_filter = 1"). On the VPN side, the sequence number detection technique can be blocked by adding padding to the encrypted packets so that all packets are the same size.
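One caveat a practitioner should check after applying the sysctl above: the kernel enforces the larger of net.ipv4.conf.all.rp_filter and the per-interface net.ipv4.conf.<iface>.rp_filter value, so setting "all" to 1 does not make an interface Strict if that interface's own value is still 2. The following added audit script is not code from the article; it parses text in the format that `sysctl net.ipv4.conf` prints and reports every interface whose effective mode is not Strict. The sample settings are constructed, and the function names are this example's own.

```python
import re
from typing import Dict

# Added example (not code from the article): audit rp_filter across interfaces.
# Input is text in the format `sysctl net.ipv4.conf` prints. The kernel applies
# max(conf.all.rp_filter, conf.<iface>.rp_filter) when validating packets on
# <iface>, so "all = 1" alone does not make an interface Strict if that
# interface's own value is 2. The sample below is constructed, not real output.

MODE_NAMES = {0: "disabled", 1: "Strict", 2: "Loose"}
_LINE = re.compile(r"^net\.ipv4\.conf\.(.+)\.rp_filter\s*=\s*(\d+)\s*$")


def parse_rp_filter(text: str) -> Dict[str, int]:
    """Map each name ('all' and 'default' included) to its configured rp_filter value."""
    settings: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings


def effective_modes(settings: Dict[str, int]) -> Dict[str, int]:
    """Mode actually enforced per interface: the larger of 'all' and the interface value.

    'default' only seeds newly created interfaces, so it is not an interface itself.
    """
    base = settings.get("all", 0)
    return {name: max(base, value) for name, value in settings.items()
            if name not in ("all", "default")}


def non_strict_interfaces(text: str) -> Dict[str, str]:
    """Interfaces whose effective mode is not Strict, with a readable mode name."""
    return {name: MODE_NAMES.get(mode, str(mode))
            for name, mode in effective_modes(parse_rp_filter(text)).items()
            if mode != 1}


# Constructed sample: "all" has been set to Strict as the article advises,
# but eth0 still carries a per-interface Loose setting.
SAMPLE_LOOSE = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wg0.rp_filter = 1
"""

if __name__ == "__main__":
    for name, mode in sorted(non_strict_interfaces(SAMPLE_LOOSE).items()):
        print(f"{name}: effective rp_filter is {mode}")
```

On a live host, feed the script the output of `sysctl net.ipv4.conf` instead of the constructed sample; an empty result means every existing interface validates source addresses in Strict mode.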

Source: opennet.ru
