Multiple vulnerabilities identified in the Realtek SDK

Details have recently been published about four vulnerabilities in components of the Realtek SDK, which various wireless device manufacturers use in their firmware. The discovered issues allow an unauthenticated attacker to remotely execute code on a vulnerable device.

The issues are estimated to affect at least 200 models from 65 different vendors, including various wireless router models from Asus, A-Link, Beeline, Belkin, Buffalo, D-Link, Edison, Huawei, LG, Logitec, MT-Link, Netgear, Realtek, Smartlink, UPVEL, ZTE and Zyxel.

The problem covers different classes of RTL8xxx SoC-based devices, from wireless routers and Wi-Fi amplifiers to IP cameras and smart lighting control devices.

Devices based on RTL8xxx chips use an architecture with two SoCs: the first runs a Linux-based firmware, and the second runs a separate stripped-down Linux environment that implements the access point functions. The contents of that second environment are built from standard components supplied by Realtek in the SDK. Among other things, these components process the data received in response to external requests.

The vulnerabilities affect products using Realtek SDK v2.x, Realtek "Jungle" SDK v3.0-3.4 and Realtek "Luna" SDK up to version 1.3.2.

Regarding the description of the identified vulnerabilities, it is important to note that the first two were assigned a severity score of 8.1 and the others 9.8.

  • CVE-2021-35392: Buffer overflow in the mini_upnpd and wscd processes that implement the "WiFi Simple Config" functionality (mini_upnpd handles SSDP packets, and wscd, in addition to supporting SSDP, handles UPnP requests based on the HTTP protocol). An attacker can get their code executed by sending specially crafted UPnP SUBSCRIBE requests with a too-large port number in the "Callback" field.
  • CVE-2021-35393: Vulnerability in the "WiFi Simple Config" handlers, triggered when the SSDP protocol is used (it runs over UDP and uses a request format similar to HTTP). The problem is caused by the use of a fixed 512-byte buffer when processing the "ST: upnp" parameter in M-SEARCH messages, which clients send to discover the services present on the network.
  • CVE-2021-35394: Vulnerability in the MP Daemon process, which is responsible for running diagnostic operations (ping, traceroute). The problem allows injection of arbitrary commands because of insufficient validation of arguments when external utilities are invoked.
  • CVE-2021-35395: A series of vulnerabilities in the web interface based on the /bin/webs and /bin/boa HTTP servers. The same typical vulnerabilities were identified in both servers, caused by the lack of argument validation before external utilities are run through the system() function. The differences come down only to the different APIs used in the attack.
    Neither handler included protection against CSRF attacks and "DNS rebinding", which allows requests to be sent from an external network even when access to the interface is restricted to the internal network only. The processes also used the predefined supervisor/supervisor account by default.
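The two overflows above share one root cause: a request field is copied into a fixed-size buffer, or a numeric field is used, without checking that it fits. The following C program is an added example written for this page, not code from the Realtek SDK or from the researchers; it shows the defensive shape of the same two parsers. It keeps a 512-byte buffer for the M-SEARCH ST value but refuses anything that would not fit, and it range-checks the port inside a SUBSCRIBE Callback URL before it is used. The header names, the result codes and the sample requests are assumptions constructed for the example, and the Callback form is assumed to be an IPv4 host:port URL.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Illustrative hardened field extraction for SSDP/UPnP requests (example code,
 * not the Realtek SDK's). The 512-byte buffer mirrors the size the article
 * mentions; the point is that its limit is enforced before any copy. */
#define ST_BUF_LEN 512

enum parse_result {
    PARSE_OK = 0,
    PARSE_MISSING = 1,    /* header not present in the request */
    PARSE_TOO_LONG = 2,   /* value would not fit the fixed buffer */
    PARSE_BAD_VALUE = 3   /* present but malformed (e.g. port out of range) */
};

/* Locate header `name` (case-insensitive) in an HTTP-style request and copy
 * its value, without the trailing CR/LF, into out[out_len]. Never writes
 * beyond out_len bytes and always leaves out NUL-terminated on success. */
static int get_header(const char *req, const char *name, char *out, size_t out_len)
{
    size_t nlen = strlen(name);
    const char *line = req;
    while (*line) {
        const char *eol = strpbrk(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen > nlen && strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            const char *vend = line + linelen;
            while (v < vend && (*v == ' ' || *v == '\t')) v++;
            size_t vlen = (size_t)(vend - v);
            if (vlen >= out_len) return PARSE_TOO_LONG;   /* room for NUL needed */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return PARSE_OK;
        }
        if (!eol) break;
        line = eol;
        while (*line == '\r' || *line == '\n') line++;
    }
    return PARSE_MISSING;
}

/* CVE-2021-35393 pattern: copy the ST search target of an M-SEARCH into the
 * 512-byte buffer only if it fits. Returns a parse_result code. */
int msearch_st_status(const char *req, char st[ST_BUF_LEN])
{
    return get_header(req, "ST", st, ST_BUF_LEN);
}

/* Constructed probe: build an M-SEARCH whose ST value is value_len bytes of
 * 'A' and report the parser's verdict, to show the limit being enforced. */
int msearch_status_for_st_len(size_t value_len)
{
    char st[ST_BUF_LEN];
    size_t total = 128 + value_len;
    char *req = malloc(total);
    if (!req) return -1;
    int n = snprintf(req, total, "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: ");
    memset(req + n, 'A', value_len);
    n += (int)value_len;
    snprintf(req + n, total - (size_t)n, "\r\n\r\n");
    int rc = msearch_st_status(req, st);
    free(req);
    return rc;
}

/* CVE-2021-35392 pattern: read the Callback URL of a SUBSCRIBE request
 * (assumed form <http://host:port/path> with an IPv4 host) and return its
 * port, or the negated parse_result code if it is missing or malformed. */
int subscribe_callback_port(const char *req)
{
    char cb[ST_BUF_LEN];
    int rc = get_header(req, "Callback", cb, sizeof cb);
    if (rc != PARSE_OK) return -rc;
    const char *p = strstr(cb, "://");
    if (!p) return -PARSE_BAD_VALUE;
    const char *colon = strchr(p + 3, ':');
    if (!colon) return -PARSE_BAD_VALUE;
    const char *q = colon + 1;
    if (!isdigit((unsigned char)*q)) return -PARSE_BAD_VALUE;
    char *end;
    long port = strtol(q, &end, 10);
    if (end - q > 5 || port < 1 || port > 65535) return -PARSE_BAD_VALUE;
    return (int)port;
}

int main(void)
{
    /* Constructed SUBSCRIBE requests: one sane, one with an impossible port. */
    const char *good = "SUBSCRIBE /upnp/event HTTP/1.1\r\n"
                       "CALLBACK: <http://192.0.2.10:4321/notify>\r\nNT: upnp:event\r\n\r\n";
    const char *bad = "SUBSCRIBE /upnp/event HTTP/1.1\r\n"
                      "CALLBACK: <http://192.0.2.10:99999999/notify>\r\n\r\n";
    printf("good callback port: %d\n", subscribe_callback_port(good));
    printf("bad callback port:  %d\n", subscribe_callback_port(bad));
    printf("ST of 100 bytes: %d, ST of 2000 bytes: %d\n",
           msearch_status_for_st_len(100), msearch_status_for_st_len(2000));
    return 0;
}
```

The design choice worth noting is that the length check happens in the one shared header extractor, so every header read through it, not just ST, inherits the bound; a field that does not fit yields an error code the caller must handle rather than a silent truncation or an overflow.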

A fix has already been released in Realtek "Luna" SDK update 1.3.2a, and patches for the Realtek "Jungle" SDK are also being prepared for release. No fixes are planned for Realtek SDK 2.x, as maintenance of that branch has already been discontinued. Working exploit prototypes were provided for all of the vulnerabilities, allowing arbitrary code to be run on the device.

In addition, several vulnerabilities were identified in the UDPServer process. As it turned out, one of the problems had already been discovered by other researchers in 2015 but was never completely fixed. The problem is caused by the lack of proper validation of arguments passed to the system() function and can be exploited by sending a string such as 'orf; ls' to network port 9034.
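CVE-2021-35394, CVE-2021-35395 and the UDPServer issue above are all the same defect: a string under the client's control is pasted into a command line handed to system(), so a ';' turns a hostname into a second command. The C program below is an added example written for this page, not code from the Realtek SDK; it shows the defensive counterpart for a diagnostic daemon that needs to run ping. The argument is validated against a strict allowlist and the utility is started with an argv vector through execvp, so no shell ever parses the input. The function names, the allowlist and the sample inputs are assumptions for the example; the "orf; ls" string is the one quoted in the article and is used here only as an input that must be rejected.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative hardened diagnostic launcher (example code, not the Realtek
 * SDK's). Two layers replace the unsafe "build a shell string, call system()"
 * pattern: validate the argument, then exec the utility without a shell. */

#define MAX_HOST_LEN 253   /* RFC 1035 limit on a fully qualified name */

/* Return 1 if `s` looks like a plain hostname or IPv4 literal: only letters,
 * digits, '.' and '-', length 1..253, not starting with '-' (the utility would
 * read it as an option) or '.'. Spaces, ';', '|', '&', '$', '`' and quotes
 * are all rejected by the allowlist rather than by enumerating them. */
int validate_host_arg(const char *s)
{
    if (s == NULL) return 0;
    size_t len = strlen(s);
    if (len == 0 || len > MAX_HOST_LEN) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Fill argv with the ping invocation for `target`. Returns the argument count
 * or -1 if the target is rejected. argv must hold at least 5 entries. The
 * target becomes exactly one argv element and is never re-parsed. */
int build_ping_argv(const char *target, char *argv[5])
{
    if (!validate_host_arg(target)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = (char *)target;
    argv[4] = NULL;
    return 4;
}

/* Run the diagnostic without a shell. Returns the utility's exit status,
 * -1 if the target was rejected, or -2 if the process could not be started. */
int run_diag_ping(const char *target)
{
    char *argv[5];
    if (build_ping_argv(target, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        execvp(argv[0], argv);   /* only reached in the child */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -2;
}

int main(void)
{
    /* Constructed inputs: a legitimate target and the injection string the
     * article quotes for the UDPServer issue. Nothing is executed here. */
    const char *inputs[] = { "192.0.2.1", "example.com", "orf; ls", "-c" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s -> %s\n", inputs[i],
               validate_host_arg(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

For detection, the same allowlist is the rule to alert on: a diagnostic request whose host parameter contains anything outside letters, digits, '.' and '-' is malformed by construction, and on the UDPServer side the same holds for any payload on port 9034 carrying shell metacharacters.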

Source: https://www.iot-inspector.com
