Vulnerability in Qualcomm and MediaTek chips that allows part of WPA2 traffic to be intercepted

Researchers at Eset have disclosed a new variant (CVE-2020-3702) of the Kr00k vulnerability, which affects Qualcomm and MediaTek wireless chips. Like the first variant, which affected Cypress and Broadcom chips, the new vulnerability makes it possible to decrypt intercepted Wi-Fi traffic protected with the WPA2 protocol.

Recall that the Kr00k vulnerability is caused by incorrect handling of encryption keys when a device is disconnected (disassociated) from the access point. In the first variant of the vulnerability, on disconnection the session key (PTK) stored in the chip's memory was reset, since no further data would be sent in the current session. In that case, the data remaining in the transmit (TX) buffer was encrypted with an already cleared key consisting only of zeros and, accordingly, could easily be decrypted when intercepted. The empty key applies only to the residual data in the buffer, which is a few kilobytes in size.

The key difference in the second variant of the vulnerability, which appears in Qualcomm and MediaTek chips, is that instead of being encrypted with a zero key, data after disassociation is transmitted without any encryption at all, even though the encryption flags are set. Among the Qualcomm-based devices tested for the vulnerability, the D-Link DCH-G020 Smart Home Hub and the open Turris Omnia router were noted. Among MediaTek-based devices, the ASUS RT-AC52U router and IoT solutions based on Microsoft Azure Sphere using the MediaTek MT3620 microcontroller were tested.

To exploit both variants of the vulnerability, an attacker can send special control frames that cause disassociation and intercept the data sent afterwards. Disassociation is commonly used in wireless networks to switch from one access point to another while roaming or when the connection to the current access point is lost. Disassociation can be triggered by sending a control frame, which is transmitted unencrypted and requires no authentication (the attacker only needs to be within reach of the Wi-Fi signal and does not need to be connected to the wireless network). An attack is possible both when a vulnerable client device accesses a non-vulnerable access point and when an unaffected device accesses an access point that exhibits the vulnerability.

The vulnerability affects encryption at the wireless network level and only allows analysis of unprotected connections established by the user (for example, DNS, HTTP and mail traffic), but does not make it possible to compromise connections encrypted at the application level (HTTPS, SSH, STARTTLS, DNS over TLS, VPN, etc.). The danger of the attack is further reduced by the fact that the attacker can decrypt only the few kilobytes of data that were in the transmit buffer at the moment of disconnection at a time. To successfully capture sensitive data sent over an unprotected connection, the attacker must either know exactly when it was sent or continuously initiate disconnection from the access point, which will be obvious to the user because of the constant restarts of the wireless connection.
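Because sustained interception requires repeatedly forcing disconnections, a burst of disassociations for one station is a usable detection signal. The sketch below is an added example, not code from Eset or from the original article; the three-field log format, the station addresses, the threshold and the window are all assumptions, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp station event" format;
# adapt the parser to whatever your access point or WIDS actually logs.
SAMPLE_LOG = """\
2020-08-10T12:00:01 aa:bb:cc:00:00:01 assoc
2020-08-10T12:00:05 aa:bb:cc:00:00:01 disassoc
2020-08-10T12:00:06 aa:bb:cc:00:00:01 assoc
2020-08-10T12:00:11 aa:bb:cc:00:00:01 disassoc
2020-08-10T12:00:12 aa:bb:cc:00:00:01 assoc
2020-08-10T12:00:18 aa:bb:cc:00:00:01 disassoc
2020-08-10T12:00:19 aa:bb:cc:00:00:01 assoc
2020-08-10T12:00:24 aa:bb:cc:00:00:01 disassoc
2020-08-10T12:03:00 aa:bb:cc:00:00:02 disassoc
2020-08-10T12:40:00 aa:bb:cc:00:00:02 disassoc
not a log line
"""

def parse(lines):
    """Yield (timestamp, station, event) tuples, skipping malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1].lower(), parts[2]

def find_disassoc_bursts(lines, threshold=4, window=timedelta(seconds=60)):
    """Return {station: time at which `threshold` disassociations fell within `window`}."""
    recent = defaultdict(deque)   # per-station sliding window of disassociation times
    alerts = {}
    for ts, sta, event in parse(lines):
        if event != "disassoc":
            continue
        q = recent[sta]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and sta not in alerts:
            alerts[sta] = ts
    return alerts

if __name__ == "__main__":
    for sta, ts in find_disassoc_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ts.isoformat()} repeated disassociation of {sta}")
```

A station that roams or loses signal occasionally (the second address in the sample) stays below the threshold; tune both parameters to the normal roaming behaviour of the network being monitored.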

The issue was fixed in the July update of the proprietary drivers for Qualcomm chips and in the April update of the drivers for MediaTek chips. A fix for the MT3620 was proposed in July. The researchers who identified the issue have no information about whether the fixes were included in the free ath9k driver. A Python script has been prepared to test devices for exposure to both vulnerabilities.

Additionally, it can be noted that researchers from Checkpoint have identified six vulnerabilities in Qualcomm DSP chips, which are used in 40% of smartphones, including devices from Google, Samsung, LG, Xiaomi and OnePlus. Details of the vulnerabilities will not be provided until the manufacturers have fixed the issues. Since the DSP chip is a "black box" that the smartphone manufacturer cannot control, the fix may take a long time and will require coordination with the DSP chip manufacturer.

DSP chips are used in modern smartphones to perform operations such as audio, image and video processing, in computing for augmented reality systems, computer vision and machine learning, as well as in implementing fast charging mode. Among the attacks that the identified vulnerabilities allow, the following are mentioned: bypassing the access control system (undetected capture of data such as photos, videos, call recordings, data from the microphone, GPS, etc.); denial of service (blocking access to all stored information); hiding malicious activity (creating completely invisible and unremovable malicious components).

Source: opennet.ru
