Vulnerability in Android that allows remote code execution when Bluetooth is enabled

The February update of the Android platform fixed a vulnerability (CVE-2020-0022) in the Bluetooth stack that allows remote code execution by sending a specially crafted Bluetooth packet. The problem can be exploited unnoticed by an attacker within Bluetooth range. It is possible that the vulnerability could be used to create worms that infect neighboring devices in a chain.

For an attack, it is enough to know the MAC address of the victim's device (pre-pairing is not required, but Bluetooth must be turned on on the device). On some devices, the Bluetooth MAC address can be calculated from the Wi-Fi MAC address. If the vulnerability is exploited successfully, the attacker can execute their code with the privileges of the background process that coordinates Bluetooth operation in Android.
The problem is specific to the Fluoride Bluetooth stack used in Android (based on code from Broadcom's BlueDroid project) and does not appear in the BlueZ stack used on Linux.

The researchers who identified the problem were able to prepare a working exploit prototype, but the exploitation details will be made public later, after the fix has reached most users. It is only known that the vulnerability is in the packet reassembly code and is caused by an incorrect calculation of the size of L2CAP (Logical Link Control and Adaptation Protocol) packets when the data transmitted by the sender exceeds the expected size.
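The class of check that description points to, as an added example (not Fluoride code and not from the researchers): a fragment reassembler that validates every fragment against the length announced in the L2CAP header before copying. The `reasm` structure, function names and the 1024-byte cap are hypothetical, and the sample fragments are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_HDR_LEN 4     /* 2-byte payload length (LE) + 2-byte channel ID */
#define REASM_MAX     1024  /* constructed cap for this sketch */
enum reasm_status { REASM_MORE, REASM_DONE, REASM_REJECT };

struct reasm {              /* hypothetical per-connection reassembly state */
    uint8_t buf[REASM_MAX];
    size_t  expected;       /* total bytes announced by the first fragment */
    size_t  have;           /* bytes collected so far */
};

/* First fragment: must hold the full header, which announces the total size. */
enum reasm_status reasm_start(struct reasm *r, const uint8_t *frag, size_t n) {
    r->expected = r->have = 0;
    if (n < L2CAP_HDR_LEN) return REASM_REJECT;
    size_t total = L2CAP_HDR_LEN + ((size_t)frag[0] | ((size_t)frag[1] << 8));
    if (total > REASM_MAX || n > total) return REASM_REJECT;
    memcpy(r->buf, frag, n);
    r->expected = total;
    r->have = n;
    return r->have == r->expected ? REASM_DONE : REASM_MORE;
}

/* Continuation fragment: may never exceed what is still outstanding. */
enum reasm_status reasm_continue(struct reasm *r, const uint8_t *frag, size_t n) {
    if (r->expected == 0 || r->have >= r->expected) return REASM_REJECT;
    size_t remaining = r->expected - r->have;  /* no underflow: have < expected */
    if (n > remaining) {                       /* sender sent more than announced */
        r->expected = r->have = 0;             /* drop the whole packet */
        return REASM_REJECT;
    }
    memcpy(r->buf + r->have, frag, n);
    r->have += n;
    return r->have == r->expected ? REASM_DONE : REASM_MORE;
}

int main(void) {
    /* Constructed input: header announces 6 payload bytes, 2 arrive at first. */
    const uint8_t first[] = {0x06, 0x00, 0x40, 0x00, 'a', 'b'};
    const uint8_t over[]  = {'c', 'd', 'e', 'f', 'g'};  /* 5 bytes, 4 expected */
    struct reasm r;
    printf("start: %d\n", reasm_start(&r, first, sizeof first));
    printf("oversized continuation: %d\n", reasm_continue(&r, over, sizeof over));
    return 0;
}
```

The remaining length is computed in an unsigned type only after confirming `have < expected`, so it can never wrap into a huge copy size.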

In Android 8 and 9, the problem can lead to code execution, but in Android 10 it is limited to a crash of the Bluetooth background process. Older Android releases may be affected by the issue, but exploitability of the vulnerability there has not been tested. Users are advised to install the firmware update as soon as possible, and if this is not possible, to turn Bluetooth off, prevent device discovery, and use Bluetooth in public places only when necessary (including replacing wireless headphones with wired ones).

In addition to the problem noted above, the February set of Android security fixes eliminated 26 vulnerabilities, one more of which (CVE-26-2020) was assigned a critical severity level. The second vulnerability also affects the Bluetooth stack and is related to incorrect handling of the BLUETOOTH_PRIVILEGED privilege in setPhonebookAccessPermission. Among the vulnerabilities marked as high risk, 7 issues were fixed in frameworks and applications, 4 in system components, 2 in the kernel, and ten in open source and proprietary components for Qualcomm chips.

Source: opennet.ru
