A new variant of the NAT slipstreaming attack has been disclosed

A new variant of the NAT slipstreaming attack has been disclosed. It allows a network connection to be established from the attacker's server to any UDP or TCP port on a user's system once that user opens an attacker-crafted web page in the browser.

The attack lets the attacker send arbitrary data to any port on the user's machine, even though the victim's system sits in an internal address range, so that direct access from the outside network is blocked and only possible through the address translator.

The operating principle of the new version of the NAT slipstreaming attack (CVE-2021-23961, CVE-2020-16043) is the same as that of the original method; the differences come down to the use of other protocols that are handled by the ALG (Application Level Gateway).

In the first variant of the attack, the ALG was fooled by manipulating the SIP protocol, which uses several network ports (one for data and one for control). The second variant allows similar manipulation with the VoIP H.323 protocol, which uses TCP port 1720.

In addition, the second version proposes a technique for bypassing the list of blocked ports by using the TURN (Traversal Using Relays around NAT) protocol, which WebRTC uses for communication between two hosts behind different NATs.

TURN connections in WebRTC can be established by browsers not only over UDP but also over TCP, and to any TCP port on the network.

This feature allows the NAT slipstreaming attack to be applied not only to H.323 but also to any other combined protocol such as FTP and IRC, which are included in the list of ports that may not be accessed via HTTP but are not included in the list of ports blocked for TURN.

The method also bypasses the protection added to browsers against the first NAT slipstreaming attack, which was based on rejecting HTTP requests to port 5060 (SIP).

The problem has already been fixed in the recently released Firefox 85, Chrome 87.0.4280.141, Edge 87.0.664.75, and Safari 14.0.3.

In addition to the ports associated with the H.323 protocol, browsers are now also blocked from sending HTTP, HTTPS, and FTP requests to TCP ports 69, 137, 161, and 6566.

In the Linux kernel, the conntrack ALG module functionality in netfilter has been disabled by default since version 4.14, which means that address translators based on newer Linux kernels are not affected by the problem.

For example, OpenWRT is not affected by the problem even when packages with ALG modules are installed. At the same time, the vulnerability does appear in the VyOS distribution, which uses the Linux 4.14 kernel but explicitly enables the nf_conntrack_helper flag, which activates the ALG for FTP and H.323.

The problem also affects many vendor routers that ship with older Linux kernels or change the ALG settings. Exploitability was also confirmed for Fortinet (FG64, 60E), Cisco (csr1000, ASA), and HPE (vsr1000) hardware-based enterprise firewalls and address translators.
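The nf_conntrack_helper condition described above can be audited on a Linux router. This is an added example, not code from the article or from Armis; it assumes the standard netfilter helper module names (nf_conntrack_h323, nf_conntrack_ftp, and so on) and the sysctl path /proc/sys/net/netfilter/nf_conntrack_helper, and the lsmod-style input used for checking it is constructed.

```shell
#!/bin/sh
# Added example (not from the article): audit a Linux NAT router for the
# automatic conntrack helper (ALG) assignment that makes VyOS-style setups
# exposed while stock kernels since 4.14 are not. The checks take their
# input as arguments so they can be exercised on constructed data; main()
# reads the live host.

# Print the netfilter ALG helper modules present in lsmod-style output ($1).
# The module name is the first column; the header line never matches.
loaded_alg_helpers() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^nf_conntrack_(h323|ftp|irc|sip|pptp|tftp|sane|snmp|amanda)$/ { print $1 }'
}

# Return 0 (exposed) when net.netfilter.nf_conntrack_helper is "1" ($1) AND
# at least one ALG helper module is loaded ($2 = lsmod output). With the flag
# at 0 (the kernel default since 4.14) helpers only apply to flows a rule
# explicitly marks with "ct helper set", so a browser-triggered connection
# to port 1720 does not receive H.323 treatment.
alg_autoassign_exposed() {
  [ "$1" = "1" ] || return 1
  [ -n "$(loaded_alg_helpers "$2")" ] || return 1
  return 0
}

main() {
  flag_file=/proc/sys/net/netfilter/nf_conntrack_helper
  # The sysctl is absent on kernels that removed automatic assignment and on
  # hosts without conntrack; absent is treated as "0" (not auto-assigned).
  if [ -r "$flag_file" ]; then flag=$(cat "$flag_file"); else flag=0; fi
  modules=$(lsmod 2>/dev/null || true)
  if alg_autoassign_exposed "$flag" "$modules"; then
    echo "EXPOSED: nf_conntrack_helper=1 with ALG helpers loaded:"
    loaded_alg_helpers "$modules" | sed 's/^/  /'
    echo "Fix: sysctl -w net.netfilter.nf_conntrack_helper=0, then attach helpers"
    echo "     only to intended flows with an explicit nftables 'ct helper set' rule."
  else
    echo "OK: ALG helpers are not auto-assigned (nf_conntrack_helper=$flag)."
  fi
}

main
```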

As a reminder, to carry out the NAT slipstreaming attack it is enough for the victim to run JavaScript code prepared by the attacker, for example by opening a page on the attacker's website or by viewing a malicious advertisement on a legitimate website.

The attack has three stages:

  • In the first stage, the attacker obtains the user's internal address, which can be determined via WebRTC or, if WebRTC is disabled, by brute force, measuring the response time when requesting a hidden image.
  • In the second stage, the packet fragmentation parameters are determined: the JavaScript code running in the victim's browser generates a large HTTP POST request (one that does not fit in a single packet) to the attacker's server, using a non-standard network port number, in order to trigger the tuning of TCP segmentation parameters and MTU size in the victim's TCP stack.
  • In the third stage, the JavaScript code generates and sends a specially crafted HTTP request (or a TURN request for UDP) to TCP port 1720 (H.323) on the attacking server, which, after fragmentation, is split into two packets: the first contains the HTTP headers and part of the data, and the second forms a valid H.323 packet containing the victim's internal IP.

Source: https://www.armis.com
