Corrective releases of the OpenWrt distribution have been published that fix a vulnerability (CVE-2020-7982) in the opkg package manager, which makes it possible to carry out a MITM attack and replace the contents of a package downloaded from the repository. Due to a bug in the checksum verification code, an attacker can create conditions under which the SHA-256 checksums present in the digitally signed package index are ignored, making it possible to bypass the integrity checks for downloaded ipk resources.
The problem has been present since February 2017, after code was added to skip leading spaces before the checksum. Because of a bug in skipping the spaces, the pointer to the position in the string was not advanced, so the loop that decodes the SHA-256 hexadecimal sequence returned control immediately and returned a zero-length checksum.
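A simplified reconstruction of the parsing pattern described above, added here as an illustration: it is not opkg's own code, and the function names, the sample digest and the fail-closed length check are assumptions made for this example. It places the stale-pointer version next to a corrected one.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#define SHA256_LEN 32
/* Constructed sample: field value as it follows "SHA256sum:" (leading space). */
#define SAMPLE_FIELD " e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode hex pairs until a non-hex character or SHA256_LEN bytes; returns byte count. */
static size_t hex2bin(const char *s, unsigned char *out)
{
    size_t n = 0;
    while (n < SHA256_LEN) {
        int hi = hexval((unsigned char)s[2 * n]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)s[2 * n + 1]);
        if (lo < 0) break;
        out[n++] = (unsigned char)((hi << 4) | lo);
    }
    return n;
}

/* Before (hypothetical name): the skip loop advances p, but decoding starts at field. */
size_t parse_sha256_before(const char *field, unsigned char *out)
{
    const char *p = field;
    while (isspace((unsigned char)*p)) p++;
    return hex2bin(field, out);   /* stale pointer: leading space => 0 bytes */
}

/* After: decode from the position past the whitespace. */
size_t parse_sha256_after(const char *field, unsigned char *out)
{
    while (isspace((unsigned char)*field)) field++;
    return hex2bin(field, out);
}

/* Fail closed: only a full 32-byte digest may be compared; a short one is an error. */
int checksum_usable(size_t decoded_len) { return decoded_len == SHA256_LEN; }

int main(void)
{
    unsigned char d[SHA256_LEN];
    printf("before=%zu\n", parse_sha256_before(SAMPLE_FIELD, d));
    printf("after=%zu\n", parse_sha256_after(SAMPLE_FIELD, d));
}
```

A caller that treats a zero-length digest as "no checksum in the index" skips verification entirely, which is why the length check rejects anything shorter than 32 bytes.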
Since the opkg package manager in OpenWrt runs with root privileges, in the event of a MITM attack an attacker can modify the ipk package downloaded from the repository while the user runs the "opkg install" command, and arrange for their own code to be executed with root privileges by adding their own handler scripts to the package, which are called during installation. To exploit the vulnerability, the attacker must also arrange for a correct, signed package index to be substituted (for example, one served from downloads.openwrt.org). The size of the modified package must match the original size specified in the index.
If you need to do without updating the entire firmware, you can update only the opkg package manager by running the following commands:
cd /tmp
opkg update
opkg download opkg
zcat ./opkg-lists/openwrt_base | grep -A10 "Package: opkg" | grep SHA256sum
sha256sum ./opkg_2020-01-25-c09fe209-1_*.ipk
Next, compare the displayed checksums and, if they match, run:
opkg install ./opkg_2020-01-25-c09fe209-1_*.ipk
The new releases also fix one more vulnerability in a library, which can lead to a buffer overflow when specially formatted binary or JSON data is processed in a function. The library is used in distribution components such as netifd, procd, ubus, rpcd and uhttpd, as well as in a package (Attended sysUpgrade CLI). The buffer overflow occurs when large numeric attributes of type "double" are passed in blob blocks. You can check whether your system is vulnerable by running the command:
$ ubus call luci getFeatures \
'{ "banik": 00192200197600198000198100200400.1922 }'
In addition to fixing vulnerabilities and accumulated bugs, the OpenWrt 19.07.1 release also updates the Linux kernel (from 4.14.162 to 4.14.167), resolves performance problems when using 5GHz frequencies, and improves support for the Ubiquiti Rocket M Titanium, Netgear WN2500RP v1, Zyxel NSA325, Netgear WNR3500 V2, Archer C6 v2, Ubiquiti EdgeRouter-X, Archer C20 v4, Archer C50 v4, Archer MR200, TL-WA801ND v5, HiWiFi HC5962, Xiaomi Mi Router 3 Pro and Netgear 6350 devices.
Source: opennet.ru
