A critical vulnerability (CVE-2024-54143) has been identified in the ASU (Attended SysUpgrade) toolkit developed by the OpenWrt project. It allows malicious builds to be substituted for those distributed through the sysupgrade.openwrt.org service or third-party ASU servers, and thus attacker-modified firmware images to be installed on the systems of users who update their firmware in "attended" mode via the selector.openwrt.org web interface or the command-line tool.
To carry out the attack, an attacker only needs to send a build-generation request to the ASU server (any user can send such requests without authentication). By submitting a specially crafted list of packages, the attacker can arrange for previously generated malicious images to be delivered in response to legitimate build requests from other users.
The ASU service is used in OpenWrt to generate and install firmware updates without losing existing settings and user-installed packages. Through the web interface or the command-line tool, the user sends a request to generate an updated firmware image, listing the packages installed on their system. After some time the ASU server produces an image matching the specified configuration, which the user then downloads and flashes onto their device. There is also an option to keep the existing settings in the updated firmware.
The ASU server is responsible for processing user requests, automatically launching firmware image builds with the ImageBuilder tools, and maintaining a cache of previously prepared builds. If a user requests an image that has already been built on the server and is still valid, the system immediately returns the existing image from the cache without starting a build.
The attack was made possible by two vulnerabilities:
- A vulnerability in the build_request.py request handler of the ImageBuilder toolkit, which allows commands to be injected into the build process by passing specially formatted package names. It is caused by a lack of proper handling of special characters in package names before they are used as arguments when running the build utility. By exploiting it, an attacker can create malicious firmware images on the server that are signed with the correct build key.
- A vulnerability in the util.py library: the SHA-256 hashes used to check whether an already-built firmware image exists in the cache were truncated to 12 characters, which drastically reduces their entropy and makes it possible, by searching for a collision, to create a malicious image whose hash matches that of a legitimate one. Combined with the ImageBuilder vulnerability, the hash problem lets an attacker "poison" the ASU server cache and place malicious images in it that are then returned in response to requests from ordinary users.
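As an added illustration (not code from the ASU project), the following Python contrasts a truncated cache key with the full SHA-256 digest and runs a birthday search on a deliberately shorter truncation to show why 12 hex characters are not enough; the request fields are constructed for the demo.

```python
import hashlib
import json
import math
from typing import Optional

# Constructed request shape for the demo; the real ASU request format is not reproduced here.
def request_hash(req: dict, hex_chars: Optional[int] = None) -> str:
    """Cache key for a build request: SHA-256 over canonical JSON.
    hex_chars=None keeps the full 64-hex-char digest (the safe choice);
    a small value reproduces the truncation described in the article."""
    canon = json.dumps(req, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canon).hexdigest()
    return digest if hex_chars is None else digest[:hex_chars]

def birthday_work(hex_chars: int) -> float:
    """Approximate number of requests an attacker must hash to expect one
    collision on a key of hex_chars hex characters: sqrt(16 ** hex_chars).
    For 12 chars this is 2**24 (about 16.7 million); for 64 chars, 2**128."""
    return math.sqrt(16 ** hex_chars)

def find_collision(hex_chars: int, limit: int = 200_000):
    """Birthday search: vary one harmless field until two distinct requests
    share the same truncated key. Returns (req_a, req_b) or None.
    Uses a short truncation so the demo finishes in seconds."""
    seen = {}
    for i in range(limit):
        req = {"target": "x86/64", "packages": ["luci"], "tag": f"v{i}"}
        key = request_hash(req, hex_chars)
        if key in seen and seen[key] != req:
            return seen[key], req
        seen[key] = req
    return None

if __name__ == "__main__":
    pair = find_collision(6)
    if pair:
        # Same truncated key, different full digests: a cache keyed on the
        # truncated value would serve one request's image for the other.
        print("collision:", request_hash(pair[0], 6), request_hash(pair[0]) != request_hash(pair[1]))
    print("expected work for 12 hex chars:", birthday_work(12))
```

The defence the article describes is to key the cache on the full digest, which makes the collision search infeasible.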
The change that made the attack possible was made on July 8. The issue was fixed on December 4. Various security measures were in place for the operation of the ASU service: the servers are not connected to the project's main build systems, are isolated from the OpenWrt Buildbot, and have no access to secret resources such as SSH keys and the certificates used to create digital signatures.
The OpenWrt developers reportedly found no traces of compromise of the project infrastructure, but to be on the safe side they reinstalled from scratch the systems on which the vulnerable components were running. The issue did not affect the official images distributed on downloads.openwrt.org, and an analysis of the build logs found no traces of malicious requests. At the same time, since ASU servers automatically clean up builds older than 7 days, it was not possible to audit older builds.
OpenWrt representatives assess the likelihood that the identified vulnerabilities were used in practice to distribute malicious images through the OpenWrt infrastructure as close to zero; nevertheless, ASU users are advised to re-flash the OpenWrt firmware on their devices with the same version.
Source: opennet.ru
