An attack technique (CVE-2019-14899) has been disclosed that makes it possible to spoof, modify or inject packets into TCP connections routed through a VPN tunnel. The problem affects Linux, FreeBSD, OpenBSD, Android, macOS, iOS and other Unix-like systems. Linux supports the rp_filter (reverse path filtering) mechanism for IPv4, which mitigates the problem when it is enabled in "Strict" mode.
The technique allows packets to be substituted at the TCP connection level inside the encrypted tunnel, but it does not allow interference with connections that use an additional layer of encryption (for example TLS, HTTPS or SSH). The encryption algorithms used by the VPN are irrelevant, because the spoofed packets arrive from the external interface and are handled by the kernel as if they belonged to the VPN interface. The most likely target is tampering with unencrypted HTTP connections, but the attack can also be used to manipulate DNS responses.
Successful packet spoofing has been demonstrated in tunnels built with OpenVPN, WireGuard and IKEv2/IPsec. Tor is not affected, since it forwards traffic over SOCKS and binds to the loopback interface. For IPv4 the attack is possible when rp_filter is set to "Loose" mode (sysctl net.ipv4.conf.all.rp_filter = 2). Initially most systems used "Strict" mode, but starting with a release last December the default mode was switched to "Loose", and this change has found its way into the default settings of many Linux distributions.
The rp_filter mechanism performs an additional route check on each packet to prevent source-address spoofing. When set to 0, source validation is disabled and any packet may be forwarded between network interfaces without restriction. Mode 1, "Strict", checks every incoming packet against the routing table: if the interface on which the packet was received is not the one the best route would use to deliver a reply to the packet's source, the packet is dropped. Mode 2, "Loose", relaxes the check so that load balancing and asymmetric routing keep working, where the reply path may not go through the interface on which the packet arrived.
In "Loose" mode an incoming packet is still checked against the routing table, but it is considered valid as long as the source address is reachable through any available interface. The attack relies on the fact that the attacker can inject, on the external interface, a packet addressed to the victim's VPN tunnel address and carrying a forged source address. Even though such a packet enters the system through the external network interface rather than through the VPN, rp_filter in "Loose" mode will not drop it, because its source is reachable via the tunnel's default route.
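To make the three modes concrete, the following is an added illustration, not code from the article or from the Linux kernel: it models the reverse-path lookup over a hypothetical routing table for a host whose default route goes through a VPN tunnel, and applies modes 0, 1 and 2 to a spoofed probe arriving on the physical interface. The interface names, routes and addresses (documentation ranges) are assumptions chosen for the example. It also encodes the kernel's rule that the value actually used for an interface is the higher of net.ipv4.conf.all.rp_filter and the per-interface setting.

```python
"""Model of Linux reverse-path filtering (rp_filter) decisions.

Added illustration, not code from the article or the kernel.  The routing
table below is hypothetical: a host whose default route goes through a VPN
tunnel (tun0), with a LAN and the VPN server's public address reachable
through the physical interface (eth0).  Addresses are documentation ranges.
"""
import ipaddress

ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),         # VPN default route
    (ipaddress.ip_network("10.8.0.0/24"), "tun0"),       # tunnel subnet
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),    # local LAN
    (ipaddress.ip_network("198.51.100.7/32"), "eth0"),   # VPN server (assumed)
]


def reverse_path_iface(saddr):
    """Longest-prefix lookup of the interface the host would use to *reply*
    to saddr.  Returns None only when no route matches; with a default route
    present that never happens, which is why loose mode rarely drops anything."""
    addr = ipaddress.ip_address(saddr)
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(mode, in_iface, saddr):
    """Decide whether rp_filter lets a packet with source saddr, received on
    in_iface, through.  mode follows net.ipv4.conf.<if>.rp_filter:
      0 -> no source validation
      1 -> strict: the reply route to saddr must leave via in_iface
      2 -> loose: saddr merely has to be reachable via *some* interface"""
    if mode == 0:
        return True
    out_iface = reverse_path_iface(saddr)
    if mode == 1:
        return out_iface == in_iface
    if mode == 2:
        return out_iface is not None
    raise ValueError("rp_filter mode must be 0, 1 or 2")


def effective_rp_filter(all_value, iface_value):
    """The kernel validates with max(conf/all/rp_filter, conf/<iface>/rp_filter),
    so raising 'all' to 1 does not tighten an interface that already sits at 2."""
    return max(all_value, iface_value)


def spoofed_probe_verdicts(saddr="203.0.113.10", in_iface="eth0"):
    """The attacker's probe: a packet carrying the remote web server's address
    as source (constructed value), injected on eth0 even though the victim
    would reach that server through the tunnel."""
    return {mode: rp_filter_accepts(mode, in_iface, saddr) for mode in (0, 1, 2)}


if __name__ == "__main__":
    for mode, accepted in spoofed_probe_verdicts().items():
        verdict = "accepted" if accepted else "dropped"
        print(f"rp_filter={mode}: spoofed probe on eth0 {verdict}")
    print("all=1, eth0=2 ->", effective_rp_filter(1, 2))
```

The spoofed probe passes in mode 2 because 203.0.113.10 is reachable via the default route, and fails in mode 1 because that route leaves via tun0, not eth0. A legitimate LAN packet or a packet from the VPN server's public address passes in every mode.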
To carry out the attack, the attacker must control the gateway through which the user reaches the network (for example from a MITM position, when the victim connects to a wireless access point controlled by the attacker). Controlling the gateway the user is connected through, the attacker can send spoofed packets that will be interpreted in the context of the VPN network interface, while the replies will be routed through the tunnel.
By generating a stream of spoofed packets addressed to the IP of the VPN interface, the attacker attempts to influence a connection already established by the client. The effect of these packets, however, can only be observed indirectly, by analysing the flow of encrypted traffic associated with the tunnel. To carry out the attack it is necessary to learn the IP address of the tunnel interface assigned by the VPN server and to establish that a connection to a specific host is currently active through the tunnel.
To determine the IP of the virtual VPN interface, SYN-ACK packets are sent to the victim's system while iterating over the whole virtual address space (addresses commonly used by VPNs are tried first; OpenVPN, for example, uses the 10.8.0.0/24 subnet by default). The existence of an address is revealed by a reply carrying the RST flag.
The connection to a particular site and the client-side port number are determined in the same way. A SYN packet is sent to the user for a range of candidate port numbers, with the site's IP as the source address and the victim's VPN IP as the destination. The server port is predictable (80 for HTTP), and the client-side port can be brute-forced by watching how the rate of ACK replies changes for different port numbers, together with the absence of a packet with the RST flag.
At this point the attacker knows all four components of the connection (source IP/port and destination IP/port), but to craft a spoofed packet that the victim's system will accept, the TCP sequence and acknowledgement numbers (seq and ack) must also be determined. To find them, the attacker continuously sends spoofed RST packets with different sequence numbers until an ACK reply is detected; its arrival indicates that the guessed sequence number fell within the TCP window.
The attacker then verifies the finding by sending packets with the same sequence number and watching for the corresponding ACK replies, after which the exact current sequence number is determined. The task is complicated by the fact that the replies travel through the encrypted tunnel, so their presence in the captured traffic can only be inferred indirectly. Whether the client has sent an ACK to the VPN server is inferred from the size and timing of the encrypted replies correlated with the spoofed packets. For OpenVPN, for example, an encrypted packet of 79 bytes makes it possible to say with certainty that it carries an ACK.
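The sequence-number search and its confirmation step, as an added simulation that is not the researchers' tooling: a victim endpoint that reacts to RST segments according to the RFC 5961 rules, an observer that sees only the size of ciphertext leaving the tunnel, and a scanner that walks the sequence space in fixed steps and re-sends the same RST to confirm a hit. The receive window, the starting sequence number, the scan step and the "79 bytes means ACK" mapping (taken from the article's OpenVPN observation) are constructed values.

```python
"""Simulation of the in-window sequence-number probe described above.

Added illustration, not the researchers' code.  The victim follows RFC 5961
section 3.2 for incoming RST segments; the attacker observes nothing but the
size of encrypted packets leaving the tunnel.  Window, sequence numbers and
the step size are assumed values for the example.
"""

SEQ_SPACE = 2 ** 32
# The article states that for OpenVPN a 79-byte encrypted packet is a bare
# ACK; this model uses that size as the only signal the attacker sees.
ENC_ACK_SIZE = 79


class VictimTcp:
    """Minimal model of an ESTABLISHED connection receiving a spoofed RST."""

    def __init__(self, rcv_nxt, rcv_wnd=65535):
        self.rcv_nxt = rcv_nxt % SEQ_SPACE
        self.rcv_wnd = rcv_wnd          # assumed advertised window
        self.reset = False

    def on_rst(self, seq):
        """Return the ciphertext size the attacker would see, or None.

        seq == RCV.NXT              -> RST accepted, connection torn down
        RCV.NXT < seq < NXT + WND   -> challenge ACK (seen as 79-byte ciphertext)
        otherwise                   -> silently dropped
        """
        if self.reset:
            return None
        offset = (seq - self.rcv_nxt) % SEQ_SPACE
        if offset == 0:
            self.reset = True
            return None
        if offset < self.rcv_wnd:
            return ENC_ACK_SIZE
        return None


def find_in_window_seq(victim, step, confirmations=2):
    """Scan the sequence space in `step` increments until a 79-byte reply is
    observed, then re-send the identical RST `confirmations` times so that an
    unrelated tunnel packet of the same size is not mistaken for a hit.

    `step` must be smaller than the window for a hit to be guaranteed; a
    probe landing exactly on RCV.NXT would instead kill the connection,
    which is the risk the attacker trades against the number of probes.
    Returns the accepted guess, the probe count, and the interval that must
    contain RCV.NXT, or None if the scan finds nothing.
    """
    sent = 0
    for seq in range(0, SEQ_SPACE, step):
        sent += 1
        if victim.on_rst(seq) != ENC_ACK_SIZE:
            continue
        sent += confirmations
        if all(victim.on_rst(seq) == ENC_ACK_SIZE for _ in range(confirmations)):
            # seq lies strictly inside (RCV.NXT, RCV.NXT + RCV.WND)
            low = (seq - victim.rcv_wnd + 1) % SEQ_SPACE
            return {"seq": seq, "probes": sent, "rcv_nxt_range": (low, seq - 1)}
    return None


if __name__ == "__main__":
    victim = VictimTcp(rcv_nxt=0x12345678)            # constructed state
    result = find_in_window_seq(victim, step=victim.rcv_wnd // 2)
    print("in-window guess:", result["seq"], "after", result["probes"], "RSTs")
    print("RCV.NXT must lie in", result["rcv_nxt_range"],
          "actual:", victim.rcv_nxt, "connection reset:", victim.reset)
```

A real scan additionally has to stay under the kernel's challenge-ACK rate limit (net.ipv4.tcp_challenge_ack_limit), which this model omits, and has to separate the 79-byte replies from ordinary tunnel traffic by timing, as the article describes.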
Until protection against the attack is added to the operating system kernel, a temporary workaround is to use the packet filter's "prerouting" stage to drop packets whose destination is the tunnel IP address but which did not arrive on the tunnel interface (in the example below the interface is wg0 and the tunnel address is 10.182.12.8; substitute your own):
iptables -t raw -I PREROUTING ! -i wg0 -d 10.182.12.8 -m addrtype ! --src-type LOCAL -j DROP
or, for nftables:
nft add table ip raw
nft add chain ip raw prerouting '{ type filter hook prerouting priority 0; }'
nft add rule ip raw prerouting 'iifname != "wg0" ip daddr 10.182.12.8 fib saddr type != local drop'
To protect IPv4 routing it is sufficient to switch rp_filter to "Strict" mode (sysctl net.ipv4.conf.all.rp_filter = 1). Note that the kernel applies the higher of the net.ipv4.conf.all and per-interface values, so interfaces that already carry rp_filter = 2 must be set to 1 individually (net.ipv4.conf.<iface>.rp_filter = 1) for the change to take effect. On the VPN side, the sequence-number inference can be defeated by padding encrypted packets so that all of them have the same size.
Source: opennet.ru
