Pwnie Awards 2021: The Most Significant Security Vulnerabilities and Failures

The winners of the annual Pwnie Awards 2021 have been announced, highlighting the most significant vulnerabilities and the most absurd failures in the field of computer security. The Pwnie Awards are regarded as the computer-security equivalent of the Oscars and the Golden Raspberry.

Main winners (list of nominations):

  • Best privilege escalation vulnerability. The award went to Qualys for identifying CVE-2021-3156 in the sudo utility, which allows root privileges to be obtained. The vulnerability had been present in the code for about 10 years, and it is notable that a thorough analysis of the utility's logic was required to identify it.
  • Best server bug. Awarded for identifying and exploiting the most technically complex and interesting bug in a network service. The award went for identifying a new attack vector against Microsoft Exchange. Not all the vulnerabilities in this class have been publicly documented, but details have already been disclosed about CVE-2021-26855 (ProxyLogon), which allows data to be extracted on behalf of an arbitrary user without authentication, and CVE-2021-27065, which makes it possible to execute one's own code on the server with administrator privileges.
  • Best cryptographic attack. Awarded for identifying the most significant flaws in real systems, protocols and encryption algorithms. The award went to Microsoft for a vulnerability (CVE-2020-0601) in its implementation of elliptic curve digital signatures that makes it possible to generate private keys from public keys. The problem allowed spoofed TLS certificates for HTTPS and fake digital signatures to be created that Windows verified as trustworthy.
  • Most innovative research. The award went to the researchers who proposed the BlindSide method for bypassing Address Space Layout Randomization (ASLR) protection using side-channel leaks arising from the processor's speculative execution of instructions.
  • Biggest failure (Most Epic FAIL). The award went to Microsoft for repeatedly releasing fixes for the PrintNightmare vulnerability (CVE-2021-34527) in the Windows print system, which allows one's own code to be executed. Initially Microsoft described the problem as local, but it then turned out that the attack could be carried out remotely. Microsoft subsequently published updates four times, but each time the fix closed only a particular case, and researchers found a new way to carry out the attack.
  • Best client software bug. The winner was a researcher who identified CVE-2020-28341 in Samsung's secure crypto processors, which hold the CC EAL 5+ security certification. The vulnerability makes it possible to completely bypass the protection and gain access to the code executed on the chip and the data stored in the enclave, to bypass the screen lock, and to make changes to the firmware in order to create a hidden backdoor.
  • Most underrated vulnerability. The award went to Qualys for identifying the 21Nails series of vulnerabilities in the Exim mail server, 10 of which can be exploited remotely. The Exim developers were skeptical about the exploitability of the problems and spent more than 6 months preparing fixes.
  • Lamest Vendor Response. A nomination for the most inappropriate response to a vulnerability report about one's own product. The winner was Cellebrite, a company that builds forensic analysis and data mining applications for law enforcement. Cellebrite responded inappropriately to a vulnerability report sent by Moxie Marlinspike, the author of the Signal protocol. Moxie became interested in Cellebrite after a news article about the creation of technology that allowed encrypted Signal messages to be cracked, which later turned out to be a hoax caused by a misinterpretation of information in an article on the Cellebrite website, which was subsequently removed (the "attack" requires physical access to the phone and the ability to unlock the screen; that is, it amounts to viewing messages in the messenger, not by hand but with a special application that simulates user actions).

    Moxie studied the Cellebrite applications and found critical vulnerabilities in them that allow arbitrary code to be executed when attempting to scan specially crafted data. The Cellebrite application was found to use an outdated ffmpeg library that had not been updated for 9 years and contained a large number of unpatched vulnerabilities. Instead of acknowledging the problems and fixing them, Cellebrite issued a statement that it cares about the integrity of user data, maintains the security of its products at the proper level, releases regular updates and delivers the best applications of their kind.

  • Biggest achievement. The award went to Ilfak Guilfanov, author of the IDA disassembler and the Hex-Rays decompiler, for his contribution to the development of tools for security researchers and his ability to keep the product up to date for 30 years.

Source: opennet.ru
