UMathy Vanhoef, umbhali wokuhlasela kwe-KRACK kumanethiwekhi angenantambo, udalule ulwazi mayelana nokuba sengozini okungu-12 okuthinta amadivayisi ahlukahlukene angenantambo. Izinkinga ezihlonziwe zethulwa ngaphansi kwegama lekhodi elithi FragAttacks futhi zimboza cishe wonke amakhadi angenawaya kanye nezindawo zokufinyelela ezisetshenziswayo - kumadivayisi angu-75 ahloliwe, ngayinye yayisengozini yokuthola okungenani eyodwa yezindlela zokuhlasela ezihlongozwayo.
Izinkinga zihlukaniswe ngezigaba ezimbili: ubungozi obu-3 buhlonzwe ngokuqondile kumazinga e-Wi-Fi futhi bumboza wonke amadivayisi asekela amazinga amanje e-IEEE 802.11 (izinkinga zilandelelwe kusukela ngo-1997). 9 ubungozi buhlobene namaphutha namaphutha ekusetshenzisweni okuthile kwezitaki ezingenantambo. Ingozi eyinhloko imelelwa isigaba sesibili, njengoba ukuhlela ukuhlaselwa kokushiyeka kwamazinga kudinga ukuba khona kwezilungiselelo ezithile noma ukusebenza kwezenzo ezithile yisisulu. Bonke ubungozi buyenzeka ngokunganaki izimiso ezisetshenziswayo ukuze kuqinisekiswe ukuphepha kwe-Wi-Fi, okuhlanganisa nalapho usebenzisa i-WPA3.
Iningi lezindlela zokuhlasela ezikhonjiwe zivumela umhlaseli ukuthi ashintshe amafreyimu e-L2 kunethiwekhi evikelekile, okwenza kube nokwenzeka ukugoba kuthrafikhi yesisulu. Isimo sokuhlasela esingokoqobo siwukukhohlisa izimpendulo ze-DNS ukuze ziqondise umsebenzisi kumsingathi womhlaseli. Isibonelo siphinde sinikezwe sokusebenzisa ubungozi ukuze udlule umhumushi wekheli kumzila ongenantambo futhi uhlele ukufinyelela okuqondile kudivayisi kunethiwekhi yendawo noma uzibe imikhawulo yohlelo lokuvikela. Ingxenye yesibili yobungozi, ehlotshaniswa nokucutshungulwa kozimele abahlukanisiwe, yenza kube nokwenzeka ukukhipha idatha mayelana nethrafikhi kunethiwekhi engenantambo futhi kunqandwe idatha yomsebenzisi ethunyelwa ngaphandle kokubethela.
Umcwaningi ulungiselele umboniso obonisa ukuthi ubungozi bungasetshenziswa kanjani ukuze kunqandwe iphasiwedi edluliswayo uma ufinyelela isayithi nge-HTTP ngaphandle kokubethela. Iphinde ibonise ukuthi ungayihlasela kanjani isokhethi elihlakaniphile elilawulwa nge-Wi-Fi futhi ulisebenzise njengesisekelo ukuze uqhubeke nokuhlasela. kumadivayisi angabuyekeziwe kunethiwekhi yendawo anobungozi obungalungisiwe (isibonelo, bekungenzeka ukuhlasela ikhompuyutha engabuyekeziwe nge-Windows 7 kunethiwekhi yangaphakathi nge-NAT traversal).
Ukuxhaphaza ubungozi, umhlaseli kufanele abe phakathi kwebanga ledivayisi engenantambo eqondiwe ukuze athumele isethi yamafreyimu aklanywe ngokukhethekile kumuntu ohlukunyeziwe. Izinkinga zithinta kokubili amadivayisi weklayenti namakhadi angenantambo, kanye nezindawo zokufinyelela namarutha e-Wi-Fi. Ngokuvamile, ukusebenzisa i-HTTPS kuhlanganiswe nokubethela kwethrafikhi ye-DNS usebenzisa i-DNS phezu kwe-TLS noma i-DNS phezu kwe-HTTPS kwanele njengendlela yokusebenza. Ukusebenzisa i-VPN nakho kufanelekile ukuvikela.
Okuyingozi kakhulu ubungozi obune ekusetshenzisweni kwamadivayisi angenantambo, okuvumela izindlela ezingathi sína zokufeza ukushintshwa kwamafreyimu azo angabetheliwe:
- Ubungozi be-CVE-2020-26140 kanye ne-CVE-2020-26143 buvumela ukugcwala kozimele kwezinye izindawo zokufinyelela namakhadi angenantambo ku-Linux, Windows, ne-FreeBSD.
- I-Vulnerability VE-2020-26145 ivumela izingcezu ezisakazwayo ezingabetheliwe ukuthi zicutshungulwe njengozimele abagcwele ku-macOS, iOS kanye ne-FreeBSD kanye ne-NetBSD.
- I-Vulnerability CVE-2020-26144 ivumela ukucutshungulwa kozimele abangabetheliwe abahlanganiswe kabusha be-A-MSDU nge-EtherType EAPOL ku-Huawei Y6, Nexus 5X, FreeBSD kanye ne-LANCOM AP.
Obunye ubungozi ekusetshenzisweni buhlobene kakhulu nezinkinga okuhlangatshezwana nazo lapho kucutshungulwa ozimele abahlukanisiwe:
- I-CVE-2020-26139: Ivumela ukuqondiswa kabusha kozimele ngefulegi le-EAPOL elithunyelwe umthumeli ongagunyaziwe (ithinta izindawo zokufinyelela ezithenjwayo ezingu-2/4, kanye nezixazululo ezisekelwe ku-NetBSD ne-FreeBSD).
- I-CVE-2020-26146: ivumela ukuphinda kuhlanganiswe izingcezu ezibethelwe ngaphandle kokuhlola ukuhleleka kwenombolo yokulandelana.
- I-CVE-2020-26147: Ivumela ukuhlanganiswa kabusha kwezingcezu ezibethelwe nezingabhaliwe.
- I-CVE-2020-26142: Ivumela ozimele abahlukanisiwe ukuthi baphathwe njengozimele abagcwele (ithinta i-OpenBSD kanye nemojula engenantambo ye-ESP12-F).
- I-CVE-2020-26141: Ukuhlolwa kwe-TKIP MIC akukho kozimele abahlukanisiwe.
Izinkinga zokucaciswa:
- I-CVE-2020-24588 - ukuhlaselwa kozimele abahlanganisiwe (ifulegi elithi “lihlanganisiwe” alivikelekile futhi lingathathelwa indawo umhlaseli ngozimele be-A-MSDU ku-WPA, WPA2, WPA3 kanye ne-WEP). Isibonelo sokuhlasela okusetshenzisiwe ukuqondisa kabusha umsebenzisi kuseva ye-DNS enonya noma ukuvundla kwe-NAT.
- I-CVE-2020-245870 iwukuhlasela okuxubile okubalulekile (ukuvumela izingcezu ezibethelwe kusetshenziswa okhiye abahlukene ku-WPA, WPA2, WPA3 kanye ne-WEP ukuthi zihlanganiswe kabusha). Ukuhlasela kukuvumela ukuthi unqume idatha ethunyelwe iklayenti, isibonelo, unqume okuqukethwe kwekhukhi lapho ufinyelela nge-HTTP.
- I-CVE-2020-24586 iwukuhlasela kunqolobane yeziqephu (izindinganiso ezihlanganisa i-WPA, WPA2, WPA3 ne-WEP azidingi ukususwa kwezingcezu esezifakiwe kakade kunqolobane ngemva kokuxhumeka okusha kunethiwekhi). Ikuvumela ukuthi unqume idatha ethunyelwe iklayenti bese ushintsha idatha yakho.
Ukuhlola izinga lokuthatheka kwedivayisi yakho ezinkingeni, ikhithi yamathuluzi ekhethekile kanye nesithombe esibukhoma esenziwe ngomumo sokudala idrayivu ye-USB ebhuthayo sekulungisiwe. Ku-Linux, izinkinga zivela ku-mac80211 wireless mesh, abashayeli abangabodwana abangenazintambo, kanye ne-firmware elayishwe emakhadini angenantambo. Ukuze kuqedwe ubungozi, kuphakanyiswe isethi yamapeshi ehlanganisa isitaki se-mac80211 kanye nabashayeli be-ath10k/ath11k. Amanye amadivaysi, njengamakhadi e-Intel angenantambo, adinga isibuyekezo se-firmware esengeziwe.
Ukuhlolwa kwamadivayisi ajwayelekile:
Ukuhlolwa kwamakhadi angenantambo ku-Linux naku-Windows:
Ukuhlolwa kwamakhadi angenantambo ku-FreeBSD naku-NetBSD:
Abakhiqizi bazisiwe ngezinkinga ezinyangeni eziyisi-9 ezedlule. Isikhathi eside kangaka sokuvinjelwa sichazwa ukulungiselelwa okudidiyelwe kwezibuyekezo nokubambezeleka kokulungiswa kwezinguquko ezicacisweni zezinhlangano ze-ICASI kanye ne-Wi-Fi Alliance. Ekuqaleni, bekuhlelelwe ukudalula imininingwane ngoMashi 9, kodwa, ngemuva kokuqhathanisa ubungozi, kwanqunywa ukuthi kuhlehliswe ukushicilelwa kwezinye izinyanga ezimbili ukuze kunikezwe isikhathi esengeziwe sokulungiselela ama-patches, kucatshangelwa ubunjalo obungewona obuncane bezinguquko. olwenziwayo kanye nobunzima obuvela ngenxa yobhubhane lwe-COVID-19.
Kuyaphawuleka ukuthi naphezu kwe-embargo, i-Microsoft yalungisa ukukhubazeka okuthile ngaphambi kwesimiso ku-March Windows update. Ukudalulwa kolwazi kuhlehliswe isonto ngaphambi kosuku olwaluhleliwe futhi iMicrosoft yayingenaso isikhathi noma yayingafuni ukwenza izinguquko kusibuyekezo esihleliwe esilungele ukushicilelwa, okwadala usongo kubasebenzisi bamanye amasistimu, njengoba abahlaseli bengathola ulwazi mayelana ubungozi ngokuhlehlisa ubunjiniyela okuqukethwe kwezibuyekezo.
Source: opennet.ru