Vulnerability in Android that allows remote code execution when Bluetooth is enabled

The February update of the Android platform fixed a critical vulnerability (CVE-2020-0022) in the Bluetooth stack that allows remote code execution by sending a specially crafted Bluetooth packet. An attacker within Bluetooth range can take advantage of the problem. The vulnerability could potentially be used to create worms that infect neighboring devices in a chain.

To carry out the attack, it is enough to know the MAC address of the victim's device (prior pairing is not required, but Bluetooth must be enabled on the device). On some devices, the Bluetooth MAC address can be calculated from the Wi-Fi MAC address. If the vulnerability is exploited successfully, the attacker can run their own code with the privileges of the background process that coordinates Bluetooth operation on Android.
The problem is specific to the Fluoride Bluetooth stack used in Android (based on code from Broadcom's BlueDroid project) and does not appear in the BlueZ stack used on Linux.

The researchers who identified the problem were able to prepare a working prototype of an exploit, but the exploitation details will be disclosed later, after the fix has reached most users. It is known only that the vulnerability is in the packet reassembly code and is caused by an incorrect calculation of the size of L2CAP (Logical Link Control and Adaptation Protocol) packets when the data transmitted by the sender exceeds the expected size.
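The bug class described above, as an added C example that is not part of the original article and is not Fluoride code: a fragment reassembler that rejects any fragment larger than the room left in the announced packet length. The names `reasm`, `reasm_feed`, `run_case` and the `REASM_MAX` cap are assumptions made for illustration, since the page gives no details of the actual flaw.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REASM_MAX 1024  /* hypothetical cap on a reassembled packet */
enum reasm_status { REASM_MORE, REASM_DONE, REASM_REJECT };

/* Hypothetical per-connection reassembly state (not Fluoride's types). */
struct reasm {
    uint8_t buf[REASM_MAX];
    size_t expected;  /* total length announced by the first fragment */
    size_t received;  /* bytes copied so far; invariant: received <= expected */
    int active;       /* a packet is partially assembled */
};

/* Append one fragment. first != 0 starts a new packet of `total` bytes. */
enum reasm_status reasm_feed(struct reasm *r, int first, size_t total,
                             const uint8_t *frag, size_t len)
{
    if (first) {
        r->active = 0;                       /* discard any stale partial packet */
        if (total == 0 || total > REASM_MAX) return REASM_REJECT;
        r->expected = total;
        r->received = 0;
        r->active = 1;
    } else if (!r->active) {
        return REASM_REJECT;                 /* continuation without a start */
    }
    /* Compare len with the remaining room; "remaining - len" would wrap when len is too large. */
    if (len > r->expected - r->received) {
        r->active = 0;                       /* sender exceeded the announced size */
        return REASM_REJECT;
    }
    memcpy(r->buf + r->received, frag, len);
    r->received += len;
    if (r->received < r->expected)
        return REASM_MORE;
    r->active = 0;
    return REASM_DONE;
}

/* Constructed driver: a packet announced as `total` bytes, sent as two fragments. */
enum reasm_status run_case(size_t total, size_t first_len, size_t second_len)
{
    static uint8_t data[2 * REASM_MAX];      /* constructed payload, all zero */
    struct reasm r = {0};
    enum reasm_status s = reasm_feed(&r, 1, total, data, first_len);
    if (s != REASM_MORE) return s;
    return reasm_feed(&r, 0, 0, data + first_len, second_len);
}
```

Rejecting the whole packet, rather than truncating the oversized fragment and copying anyway, keeps the length bookkeeping consistent for the next packet on the same connection.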

On Android 8 and 9 the problem can lead to code execution, but on Android 10 it is limited to a crash of the Bluetooth background process. Older Android releases may be affected by the problem, but the exploitability of the vulnerability has not yet been tested. Users are advised to install the firmware update as soon as possible and, if that is not possible, to turn Bluetooth off by default, disable device discovery, and enable Bluetooth in public places only when necessary (including replacing wireless headphones with wired ones).

In addition to the problem noted above, the February set of Android security fixes eliminated 26 vulnerabilities, one more of which (CVE-2020-0023) was assigned a critical severity level. The second vulnerability also affects the Bluetooth stack and is associated with incorrect handling of the BLUETOOTH_PRIVILEGED permission in setPhonebookAccessPermission. Of the vulnerabilities marked as high severity, 7 problems were fixed in frameworks and applications, 4 in system components, 2 in the kernel, and 10 in open-source and proprietary components for Qualcomm chips.

Source: opennet.ru
