Vulnerabilities in HSM modules that can lead to an attack on encryption keys

A group of researchers from Ledger, a company that makes hardware cryptocurrency wallets, has disclosed several vulnerabilities in HSM (Hardware Security Module) devices that could be used to extract keys or to carry out a remote attack that replaces the firmware of the HSM device. At present the description of the problem is available in French only; an English-language report is planned for publication in August at the Blackhat USA 2019 conference. An HSM is a dedicated external device designed to store the public and private keys used for generating digital signatures and for data encryption.

An HSM raises the level of security because it fully isolates the keys from the operating system and applications, exposing only an API for performing basic cryptographic primitives that are implemented on the device side. HSMs are typically used in areas requiring a high level of security, such as banks, cryptocurrency exchanges, and certificate authorities for verifying and generating certificates and digital signatures.

The attack methods presented allow an unauthenticated user to gain full control over the contents of the HSM, including extraction of all the cryptographic keys and administrator credentials stored on the device. The problems stem from a buffer overflow in the internal PKCS#11 command handler and from a flaw in the implementation of the firmware's cryptographic protection, which allows the firmware verification based on a PKCS#1v1.5 digital signature to be bypassed and the loading of one's own firmware into the HSM to be initiated.

As a demonstration, modified firmware was loaded into which a backdoor had been added; the backdoor remains active after subsequent installation of regular firmware updates from the manufacturer. It is claimed that the attack can be carried out remotely (the attack vector is not specified, but presumably it involves substituting the downloaded firmware or submitting specially crafted certificates for processing).

The problem was identified during fuzz testing of the internal implementation of the PKCS#11 commands offered by the HSM. The testing was organised by loading a custom module into the HSM using the standard SDK. As a result, a buffer overflow was found in the PKCS#11 implementation, which turned out to be exploitable not only from the internal environment of the HSM but also by accessing the PKCS#11 driver from the main operating system of the computer to which the HSM module is connected.

Next, the buffer overflow was exploited to execute code on the HSM side and bypass the access controls. While studying the firmware, another vulnerability was identified that allows new firmware to be loaded without a digital signature. Finally, a custom module was written and loaded into the HSM, which dumps all the secrets stored in the HSM.
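The exact nature of the PKCS#1v1.5 verification flaw is not described in the article. As an added defender's example (not the researchers' code, and not tied to any specific product), the block below shows the robust way to check a firmware signature under EMSA-PKCS1-v1_5 (RFC 8017, section 8.2.2): rebuild the complete expected encoded message EM and compare it byte for byte, instead of parsing the padding leniently. It assumes the RSA public-key operation (signature^e mod n, converted to a k-byte string) has already produced `em`; the firmware image, the 1024-bit key length and the malformed block in `demo()` are constructed for illustration.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """Build the expected EM = 0x00 || 0x01 || PS || 0x00 || T for SHA-256."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)   # at least 8 bytes of 0xFF padding
    return b"\x00\x01" + ps + b"\x00" + t


def firmware_signature_ok(firmware: bytes, em: bytes, modulus_len: int) -> bool:
    """Strict check: the decoded signature block must equal the expected EM
    byte for byte. A verifier that scans for the 0x00 separator and then
    only checks the digest leaves slack in the block; comparing the whole
    block leaves none."""
    if len(em) != modulus_len:
        return False
    expected = emsa_pkcs1_v15_encode(firmware, modulus_len)
    return hmac.compare_digest(em, expected)  # constant-time comparison


def demo() -> tuple:
    """Constructed inputs: a toy firmware image and a 1024-bit (128-byte) key."""
    k = 128
    firmware = b"HSM-FIRMWARE-IMAGE-v2 (constructed sample)"
    good_em = emsa_pkcs1_v15_encode(firmware, k)
    # Malformed block: short padding, correct DigestInfo, then trailing
    # bytes. A lenient parser that stops after the digest may accept this;
    # the strict comparison does not.
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(firmware).digest()
    bad_em = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (k - 11 - len(t))
    tampered = firmware + b"; extra payload"
    return (
        firmware_signature_ok(firmware, good_em, k),   # True
        firmware_signature_ok(firmware, bad_em, k),    # False
        firmware_signature_ok(tampered, good_em, k),   # False
    )
```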

The name of the manufacturer whose HSM devices were compromised has not been disclosed, but it is claimed that the affected devices are used by several large banks and cloud providers. It is reported that information about the problems was sent to the manufacturer in advance and that it has already fixed the vulnerabilities in its latest firmware update. Independent researchers suggest that the problem may concern devices from Gemalto, which in May released a Sentinel LDK update with vulnerability fixes, access to the details of which is still restricted.

Source: opennet.ru
