Vulnerability allows image spoofing and code execution on the OpenWrt project's ASU servers

A critical vulnerability (CVE-2024-54143) has been identified in the ASU (Attended SysUpgrade) toolkit developed by the OpenWrt project. It makes it possible to compromise build artifacts distributed through the sysupgrade.openwrt.org service or third-party ASU servers and to install attacker-modified firmware images on users' systems that use the "attended upgrade" firmware update mode, whether through the selector.openwrt.org web interface or the attendedsysupgrade command-line tool.

To carry out the attack, an attacker only needs to send a build request to the ASU server (any user can submit such requests without authentication). By submitting a specially crafted package list, the attacker can arrange for a previously built malicious image to be served in response to legitimate build requests from other users.

The ASU service is used in OpenWrt to build and install firmware updates without losing existing settings and user-installed packages. Through the web interface or the command-line tool, the user submits a request to build an updated firmware image, listing the packages installed on their system. After some time, the ASU server produces an image matching the request, which the user then downloads and flashes onto their device. In addition, an option is offered that preserves the existing configuration in the updated firmware.

The ASU server is responsible for processing user requests, automatically launching firmware image builds with the ImageBuilder tools, and maintaining a cache of previously built artifacts. If a user requests an image that has already been built on the server and is still valid, the system returns the existing image from the cache without starting a new build.

The attack is made possible by two vulnerabilities:

  • A vulnerability in the build_request.py request handler that drives the ImageBuilder toolkit, which allows an attacker to inject their own commands into the build process through user-supplied package names. It is caused by the lack of proper filtering of special characters in package names before they are passed as arguments to the build utility. By exploiting it, an attacker can build malicious firmware images on the server that are signed with the project's real build key.
  • A vulnerability in the util.py library caused by the fact that the SHA-256 hashes used to check whether a pre-built firmware image already exists in the cache were truncated to 12 characters. This sharply reduced the entropy of the cache key and made it feasible, by brute-forcing collisions, to create a malicious image whose hash matches that of a legitimate one. Combined with the ImageBuilder vulnerability, the hash issue could be used by an attacker to "poison" the ASU server's cache and place malicious images in it that are then returned in response to requests from ordinary users.
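The two weaknesses above are easiest to see side by side with their fixes. The following is an added, defender-side illustration and not code from the asu project: a strict allowlist for package names, a build command assembled as an argv list with no shell, a cache key that keeps the full SHA-256 digest, and the birthday-bound arithmetic that shows why a 12-character key is weak. The package-name pattern and the `make image PROFILE=... PACKAGES=...` command form are assumptions for this example.

```python
import hashlib
import json
import re

# Assumed allowlist for OpenWrt-style package names: letters, digits, '-', '_', '.', '+'.
# Anything else (spaces, ';', '$', '`', quotes, ...) is rejected before it reaches a build tool.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def rejected_packages(packages):
    """Return the package names that fail the allowlist (empty list means all are clean)."""
    return [p for p in packages if not PACKAGE_NAME_RE.fullmatch(p)]


def build_command(profile, packages):
    """Assemble the build invocation as an argv list: no shell is ever involved, and the
    names have already passed the allowlist, so metacharacters cannot be smuggled in."""
    bad = rejected_packages(packages)
    if bad:
        raise ValueError(f"rejected package names: {bad!r}")
    # Assumed ImageBuilder-style invocation; PACKAGES is one argv element, not shell text.
    return ["make", "image", f"PROFILE={profile}", "PACKAGES=" + " ".join(sorted(packages))]


def request_hash(version, target, profile, packages):
    """Cache key over a canonical encoding of the request, using the full 64-hex-char
    SHA-256 digest rather than a 12-character prefix. Package order does not matter."""
    canonical = json.dumps(
        {"version": version, "target": target, "profile": profile,
         "packages": sorted(packages)},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def collision_work_bits(hex_chars):
    """Birthday bound: a key kept to hex_chars hex digits carries 4*hex_chars bits, and a
    collision is expected after about 2**(bits/2) trial inputs. Returns that exponent."""
    return 4 * hex_chars / 2


# Constructed sample request (not real user data).
SAMPLE = {"version": "23.05.5", "target": "ath79/generic",
          "profile": "tplink_archer-c7-v2", "packages": ["luci", "wireguard-tools"]}

if __name__ == "__main__":
    print(build_command(SAMPLE["profile"], SAMPLE["packages"]))
    print(request_hash(SAMPLE["version"], SAMPLE["target"], SAMPLE["profile"], SAMPLE["packages"]))
    print("12 hex chars:", collision_work_bits(12), "bits of work;",
          "64 hex chars:", collision_work_bits(64), "bits of work")
```

With the 12-character key a collision costs on the order of 2^24 candidate requests, which a single machine can enumerate; the full digest pushes that to 2^128.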

The change that made this attack possible was committed on July 8. The issue was fixed on December 4. As a further safeguard, the ASU service runs on separate servers that do not overlap with the project's main build infrastructure, are isolated from the OpenWrt Buildbot, and have no access to secrets such as SSH keys and the certificates used to produce digital signatures.

The OpenWrt developers reportedly found no signs that the project's infrastructure had been compromised, but to be on the safe side they rebuilt the affected systems from scratch. The issue did not affect the official images distributed through the downloads.openwrt.org website, and an inspection of the build logs turned up no traces of malicious requests. At the same time, since the ASU servers automatically purge builds older than seven days, it was not possible to examine older builds.

OpenWrt representatives assess the likelihood that the vulnerability was actually exploited to distribute malicious images through the OpenWrt infrastructure as close to zero; nevertheless, ASU users are advised to reflash the OpenWrt firmware on their devices with the same version.

Source: opennet.ru
