Android vulnerability that allows remote code execution when Bluetooth is enabled

The February update for the Android platform fixed a critical vulnerability (CVE-2020-0022) in the Bluetooth stack that allows remote code execution by sending a specially crafted Bluetooth packet. The problem can be exploited by an attacker who is within Bluetooth range. It is possible that the vulnerability could be used to create worms that infect neighbouring devices in a chain.

For an attack, it is enough to know the MAC address of the victim's device (prior pairing is not required, but Bluetooth must be enabled on the device). On some devices, the Bluetooth MAC address can be computed from the Wi-Fi MAC address. If the vulnerability is successfully exploited, the attacker can execute their code with the privileges of the background process that coordinates Bluetooth operation in Android.
The problem is specific to Fluoride, the Bluetooth stack used in Android (based on code from Broadcom's BlueDroid project), and does not appear in the BlueZ stack used on Linux.

The researchers who identified the problem were able to prepare a working exploit prototype, but the exploitation details will be disclosed later, after the fix has been rolled out to most users. It is only known that the vulnerability is in the packet reassembly code and is caused by an incorrect calculation of the size of L2CAP (Logical Link Control and Adaptation Protocol) packets when the data transmitted by the sender exceeds the expected size.
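The class of check that the reassembly description above points to, as an added example: a bounds-checked fragment reassembler in C. It is not Fluoride's code and not a reconstruction of the bug; `reasm_t`, `reasm_feed` and the `REASM_MAX` limit are hypothetical names and values chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define L2CAP_HDR_LEN 4      /* 2-byte payload length + 2-byte channel id */
#define REASM_MAX     1024   /* assumed buffer limit for this example */

typedef struct {
    uint8_t buf[REASM_MAX];
    size_t  expected;   /* total bytes announced by the start fragment */
    size_t  have;       /* bytes copied so far; always <= expected */
    int     active;     /* non-zero while a packet is being reassembled */
} reasm_t;

enum { REASM_MORE = 0, REASM_DONE = 1, REASM_DROP = -1 };

/* Abandon the partial packet so later fragments cannot append to it. */
static int reasm_drop(reasm_t *r)
{
    r->active = 0; r->have = 0; r->expected = 0;
    return REASM_DROP;
}

/* Feed one fragment; `first` marks the start fragment carrying the L2CAP header. */
int reasm_feed(reasm_t *r, int first, const uint8_t *data, size_t len)
{
    if (first) {
        if (len < L2CAP_HDR_LEN) return reasm_drop(r);
        /* The length field is little-endian and counts the payload only. */
        size_t total = (size_t)(data[0] | (data[1] << 8)) + L2CAP_HDR_LEN;
        if (total > REASM_MAX) return reasm_drop(r);
        r->expected = total;
        r->have = 0;
        r->active = 1;
    } else if (!r->active) {
        return REASM_DROP;   /* continuation without a start fragment */
    }
    /* Compare the fragment against the space still expected BEFORE copying.
       The sender controls len, so it is never used to derive a copy size
       by subtraction that could wrap or go negative. */
    if (len > r->expected - r->have) return reasm_drop(r);
    memcpy(r->buf + r->have, data, len);
    r->have += len;
    if (r->have < r->expected) return REASM_MORE;
    r->active = 0;
    return REASM_DONE;
}
```

A fragment that carries more data than the start fragment announced causes the whole partial packet to be dropped rather than truncated or copied.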

On Android 8 and 9, the problem can lead to code execution, but on Android 10 it is limited to a crash of the Bluetooth background process. Older Android releases may be affected by the issue, but exploitation of the vulnerability was not tested on them. Users are advised to install the firmware update as soon as possible and, if that is not possible, to turn off Bluetooth by default, prevent device discovery, and enable Bluetooth in public places only when necessary (including replacing wireless headphones with wired ones).

In addition to the problem described, the February Android security patch set eliminated 26 vulnerabilities, of which one other vulnerability (CVE-2020-0023) was assigned a critical severity level. The second vulnerability also affects the Bluetooth stack and is related to incorrect handling of the BLUETOOTH_PRIVILEGED privilege in setPhonebookAccessPermission. As for the vulnerabilities marked as high severity, 7 issues were fixed in frameworks and applications, 4 in system components, 2 in the kernel, and 10 in open source and proprietary components for Qualcomm chips.

Source: opennet.ru
