Ubungozi buphawulwe kumaphakheji avuliwe IWD (Intel inet Wireless Daemon) kanye ne-wpa_supplicant, asetshenziselwa ukuhlela ukuxhumeka kwamasistimu eklayenti e-Linux kunethiwekhi engenantambo, okuholela ekudluleni kwezindlela zokuqinisekisa:
- Ku-IWD, ukuba sengozini (CVE-2023-52161) kubonakala kuphela uma imodi yephoyinti lokufinyelela ivuliwe, engajwayelekile ku-IWD, evame ukusetshenziselwa ukuxhuma kumanethiwekhi angenantambo. Ukuba sengozini kukuvumela ukuthi uxhume endaweni yokufinyelela edaliwe ngaphandle kokwazi iphasiwedi, isibonelo, lapho umsebenzisi enikeza ngokusobala ikhono lokufinyelela inethiwekhi ngedivayisi yakhe (Hotspot). Inkinga ilungisiwe ku-IWD version 2.14.
Ukuba sengozini kubangelwa ukwehluleka ukuhlola kahle ukuhleleka kwazo zonke izinyathelo phakathi nezinyathelo ezi-4 zezingxoxo zesiteshi sokuxhumana ezisetshenziswa lapho kuxhunywa okokuqala kunethiwekhi engenantambo evikelekile. Ngenxa yokuthi i-IWD yamukela imilayezo yanoma yiziphi izigaba zokuxoxisana ngaphandle kokuhlola ukuthi isigaba sangaphambilini sesiqediwe, umhlaseli angakwazi ukudlula ukuthumela umlayezo wesigaba sesibili futhi ngokushesha athumele umlayezo wesigaba sesine futhi athole ukufinyelela kunethiwekhi. , yeqa isiteji lapho ukuqinisekiswa kuhlolwa khona.
Kulokhu, i-IWD izama ukuqinisekisa ikhodi ye-MIC (Ikhodi Yobuqotho Bomlayezo) yomlayezo otholiwe wesigaba sesine. Njengoba umlayezo wesigaba sesibili onemingcele yokuqinisekisa ungazange wamukelwe, lapho kusetshenzwa umlayezo wesiteji sesine, ukhiye we-PTK (Pairwise Transient Key) usethelwe kuqanda. Ngokufanelekile, umhlaseli angakwazi ukubala i-MIC esebenzisa i-null PTK, futhi le khodi yokuqinisekisa izokwamukelwa yi-IWD njengevumelekile. Ngemva kokuqeda le ngxoxo yokuxhumana eyingxenye, umhlaseli uzoba nokufinyelela okugcwele kunethiwekhi engenantambo, njengoba indawo yokufinyelela izothola amafreyimu ayithumelayo, abethelwe ngokhiye ongenalutho we-PTK.
- Inkinga ehlonzwe ku-wpa_supplicant (CVE-2023-52160) ivumela umhlaseli ukuthi ayenge umsebenzisi kunethiwekhi engenantambo eqanjiwe eyi-clone yenethiwekhi umsebenzisi ahlose ukuxhuma kuyo. Uma umsebenzisi exhuma kunethiwekhi mbumbulu, umhlaseli angakwazi ukuhlela ukuvinjwa kwethrafikhi yezokuthutha engabhaliwe yomsebenzisi (isibonelo, ukufinyelela kumasayithi angenayo i-HTTPS).
Ngenxa yephutha ekusetshenzisweni kwephrothokholi ye-PEAP (Protected Extensible Authentication Protocol), umhlaseli angeqa isigaba sesibili sokuqinisekisa lapho exhuma idivayisi yomsebenzisi elungiselelwe ngokungalungile. Ukudlula isigaba sesibili sokuqinisekisa kuvumela umhlaseli ukuthi enze i-clone mbumbulu yenethiwekhi ye-Wi-Fi ethenjwayo futhi avumele umsebenzisi ukuthi axhume kunethiwekhi mbumbulu ngaphandle kokuhlola iphasiwedi.
Ukuze wenze ngempumelelo ukuhlasela ku-wpa_supplicant, ukuqinisekiswa kwesitifiketi se-TLS seseva kufanele kukhutshazwe ngasohlangothini lomsebenzisi, futhi umhlaseli kufanele azi isihlonzi senethiwekhi engenantambo (i-SSID, Isihlonzi Sesethi Yesevisi). Kulokhu, umhlaseli kufanele abe phakathi kobubanzi be-adaptha engenantambo yesisulu, kodwa abe ngaphandle kwendawo yokufinyelela yenethiwekhi engenantambo ehlanganisiwe. Ukuhlasela kungenzeka kumanethiwekhi ane-WPA2-Enterprise noma i-WPA3-Enterprise esebenzisa iphrothokholi ye-PEAP.
Onjiniyela be-wpa_supplicant baveze ukuthi abayithathi inkinga njengobungozi, njengoba yenzeka kuphela kumanethiwekhi angenawaya angalungiselelwe kahle asebenzisa ukuqinisekiswa kwe-EAP ngokuhlangana ne-PEAP (EAP-TTLS) ngaphandle kokuqinisekisa isitifiketi se-TLS seseva. Ukucushwa ngaphandle kokuqinisekisa isitifiketi akuvikelekile ekuhlaselweni okusebenzayo. Labo abathole ukuba sengozini bathi izilungiselelo ezinjalo ezingalungile zivamile futhi zisabalele, okubeka i-Linux, i-Android ne-Chrome OS amadivayisi wabathengi asebenzisa i-wpa_supplicant engcupheni.
Ukuze uvimbele inkinga ku-wpa_supplicant, kukhishwe ipheshi elengeza imodi yokudlula okuyisibopho kwesigaba sesibili sokufakazela ubuqiniso, ngaphezu kokuhlola isitifiketi se-TLS. Ngokwabathuthukisi, uguquko oluhlongozwayo luwuhlelo lokusebenza olunzima ukuhlasela uma usebenzisa ukufakazela ubuqiniso bezandla futhi alusizi uma usebenzisa izinketho ezifana ne-EAP-GTC. Ukuxazulula inkinga ngempela, abaphathi benethiwekhi kufanele balethe ukucushwa kwabo ngendlela efanele, i.e. lungisa uchungechunge lokuthembana ukuze uqinisekise isitifiketi seseva usebenzisa ipharamitha ye-ca_cert.
Source: opennet.ru