Vulnerability in Android that allows remote code execution when Bluetooth is enabled

The February update of the Android platform fixed a critical vulnerability (CVE-2020-0022) in the Bluetooth stack that allows remote code execution by sending a specially crafted Bluetooth packet. An attacker within Bluetooth range can exploit the problem without being noticed. It is possible that the vulnerability could be used to create worms that infect neighboring devices in a chain.

To carry out the attack, it is enough to know the MAC address of the victim's device (prior pairing is not required, but Bluetooth must be enabled on the device). On some devices, the Bluetooth MAC address can be calculated from the Wi-Fi MAC address. If the vulnerability is exploited successfully, the attacker can execute code with the privileges of the background process that coordinates Bluetooth operation in Android.

The problem is specific to Fluoride, the Bluetooth stack used in Android (based on code from Broadcom's BlueDroid project), and does not appear in the BlueZ stack used in Linux.

The researchers who identified the problem were able to prepare a working exploit prototype, but the details of exploitation will be disclosed later, after the fix has been rolled out to most users. It is known only that the vulnerability is in the packet reassembly code and is caused by an incorrect calculation of the size of L2CAP (Logical Link Control and Adaptation Protocol) packets when the data transmitted by the sender exceeds the expected size.
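The class of check that the reassembly code described above needs, as an added example (this is not Fluoride's code and not the fix that shipped): a fragment reassembler that compares each continuation fragment with the room left under the length announced in the L2CAP header before copying. The `reasm` structure, the function names and the `REASM_MAX` cap are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REASM_MAX 1024 /* constructed cap for this example */

/* Hypothetical reassembly state; not Fluoride's structures. */
struct reasm {
    uint8_t buf[REASM_MAX];
    size_t expected; /* header + payload length announced by the first fragment */
    size_t have;     /* bytes collected so far */
    int active;      /* non-zero while a packet is partially assembled */
};

enum reasm_result { REASM_MORE = 0, REASM_DONE = 1, REASM_DROP = -1 };

/* First fragment: begins with the 4-byte basic L2CAP header
 * (16-bit little-endian payload length, then 16-bit channel ID). */
enum reasm_result reasm_start(struct reasm *r, const uint8_t *frag, size_t len)
{
    r->active = 0; /* any earlier partial packet is abandoned */
    if (len < 4)
        return REASM_DROP;
    size_t total = 4 + ((size_t)frag[0] | ((size_t)frag[1] << 8));
    if (total > REASM_MAX || len > total)
        return REASM_DROP;
    memcpy(r->buf, frag, len);
    r->expected = total;
    r->have = len;
    r->active = (len < total);
    return r->active ? REASM_MORE : REASM_DONE;
}

/* Continuation fragment: lengths are unsigned and compared against the
 * remaining room, so no size passed to memcpy can go negative or wrap. */
enum reasm_result reasm_continue(struct reasm *r, const uint8_t *frag, size_t len)
{
    if (!r->active)
        return REASM_DROP;
    size_t room = r->expected - r->have; /* have < expected while active */
    if (len > room) {  /* sender supplied more than the header announced */
        r->active = 0; /* discard the partial packet instead of truncating */
        return REASM_DROP;
    }
    memcpy(r->buf + r->have, frag, len);
    r->have += len;
    if (r->have < r->expected)
        return REASM_MORE;
    r->active = 0;
    return REASM_DONE;
}
```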

On Android 8 and 9, the problem can lead to code execution, but on Android 10 it is limited to a crash of the background Bluetooth process. Older releases of Android may be affected by the issue, but exploitation of the vulnerability has not been tested on them. Users are advised to install the firmware update as soon as possible and, if that is not possible, to turn off Bluetooth by default, prevent device discovery, and enable Bluetooth in public places only when necessary (including replacing wireless headphones with wired ones).

In addition to the problem described above, the February set of Android security fixes removed 26 vulnerabilities, of which one other vulnerability (CVE-2020-0023) was assigned a critical severity level. This second vulnerability also affects the Bluetooth stack and is associated with incorrect handling of the BLUETOOTH_PRIVILEGED permission in setPhonebookAccessPermission. As for the vulnerabilities rated high risk, 7 issues were addressed in frameworks and applications, 4 in system components, 2 in the kernel, and 10 in open-source and proprietary components for Qualcomm chips.

Source: opennet.ru
