Vulnerabilities in HSM modules that could lead to attacks on encryption keys

A group of researchers from Ledger, a company that manufactures hardware cryptocurrency wallets, has disclosed several vulnerabilities in HSM (Hardware Security Module) devices that can be used to extract keys or to carry out a remote attack that replaces the firmware of the HSM device. At present the report on the issue is available only in French; an English-language report is scheduled for publication in August during the Blackhat USA 2019 conference. An HSM is a specialized external device designed to store the public and private keys used to generate digital signatures and encrypt data.

An HSM allows security to be raised considerably, since it completely isolates the keys from the host system and its applications, exposing only an API for performing basic cryptographic primitives that are implemented on the device side. HSMs are typically used where a high level of security is required, such as in banks, cryptocurrency exchanges, and certificate authorities that verify and issue certificates and digital signatures.

The proposed attack methods allow an unauthenticated user to gain full control over the contents of the HSM, including the extraction of all cryptographic keys and the administrator credentials stored on the device. The problems stem from a buffer overflow in the internal PKCS#11 command handler and from a flaw in the implementation of the cryptographic firmware protection, which makes it possible to bypass firmware verification based on a PKCS#1 v1.5 digital signature and to initiate the loading of arbitrary firmware onto the HSM.

As a demonstration, modified firmware containing a backdoor was loaded onto the device; the backdoor remained active after subsequent installation of regular firmware updates from the manufacturer. The attack is claimed to be feasible remotely (the attack vector is not specified, but it presumably involves substituting the downloaded firmware or submitting specially issued certificates for processing).

The problem was identified during fuzz testing of the internal implementation of the PKCS#11 commands offered by the HSM. Testing was arranged by loading a custom module into the HSM using the standard SDK. As a result, a buffer overflow was found in the PKCS#11 implementation, which turned out to be exploitable not only from the HSM's internal environment but also through the PKCS#11 driver on the host computer to which the HSM module is connected.

Next, the buffer overflow was used to execute code on the HSM side and to overwrite access parameters. While studying the firmware, a further vulnerability was discovered that allows new firmware to be loaded without a digital signature. Finally, a custom module was written and loaded onto the HSM, which dumped all the secrets stored in it.

The name of the manufacturer whose HSM devices contain the vulnerabilities has not yet been disclosed, but the affected devices are said to be in use at some large banks and cloud service providers. Information about the problems was reportedly sent to the manufacturer in advance, and it has already fixed the vulnerabilities in the latest firmware update. Independent researchers suggest that the problem may concern devices from Gemalto, which in May released a Sentinel LDK update that removes vulnerabilities, access to the details of which remains restricted.

Source: opennet.ru