Details of four vulnerabilities in Realtek SDK components, which manufacturers of various wireless devices use in their firmware, have recently been disclosed. The issues found allow an unauthenticated attacker to remotely execute code on the device with elevated privileges.
The issues are estimated to affect at least 200 device models from 65 different vendors, including various wireless router models from Asus, A-Link, Beeline, Belkin, Buffalo, D-Link, Edison, Huawei, LG, Logitec, MT-Link, Netgear, Realtek, Smartlink, UPVEL, ZTE and Zyxel.
The problem covers various classes of wireless devices based on RTL8xxx SoCs, from wireless routers and Wi-Fi amplifiers to IP cameras and smart lighting control devices.
Devices based on RTL8xxx chips use an architecture that involves two SoCs: the first runs the manufacturer's Linux-based firmware, and the second runs a separate stripped-down Linux environment that implements the access point functions. The software of the second environment is built from the standard components that Realtek supplies in its SDK. Among other things, these components process data received in response to external requests.
The vulnerabilities affect products using Realtek SDK v2.x, Realtek "Jungle" SDK v3.0-3.4 and Realtek "Luna" SDK up to version 1.3.2.
As for the description of the identified vulnerabilities, it is worth noting that the first two were assigned a severity level of 8.1 and the other two, 9.8.
- CVE-2021-35392: Buffer overflow in the mini_upnpd and wscd processes that implement the "WiFi Simple Config" functionality (mini_upnpd handles SSDP packets, and wscd, in addition to supporting SSDP, handles UPnP requests based on the HTTP protocol). An attacker can achieve execution of their own code by sending specially crafted UPnP SUBSCRIBE requests containing an excessively large number in the Callback field.
- CVE-2021-35393: A vulnerability in the "WiFi Simple Config" handlers that manifests when the SSDP protocol is used (it runs over UDP with an HTTP-like request format). The problem is caused by the use of a fixed 512-byte buffer when processing the "ST:upnp" parameter in M-SEARCH messages, which clients send to discover the availability of services on the network.
- CVE-2021-35394: A vulnerability in the MP Daemon process, which is responsible for performing diagnostic operations (ping, traceroute). The problem allows injection of arbitrary commands due to insufficient validation of arguments when running external utilities.
- CVE-2021-35395: A series of vulnerabilities in web interfaces based on the /bin/webs and /bin/boa http servers. Typical vulnerabilities were identified in both servers, caused by the lack of argument validation before running external utilities via the system() function. The differences come down to the different APIs used for the attacks.
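The two header-length issues above (the oversized Callback field in UPnP SUBSCRIBE for CVE-2021-35392 and the fixed 512-byte ST buffer for M-SEARCH in CVE-2021-35393) can be watched for on the network side with a simple length check on the HTTP-style request headers. The following detector is an added example, not code from the advisory or from Realtek: the 512-byte ST limit comes from the text above, while the CALLBACK threshold and the sample messages are constructed assumptions for this check.

```python
from typing import Dict, List, Tuple

# Per-method header limits in bytes. The ST limit is the fixed buffer size
# named in the advisory; the CALLBACK limit is an assumed threshold chosen
# for this detector, not a value taken from the affected firmware.
HEADER_LIMITS: Dict[str, Dict[str, int]] = {
    "M-SEARCH": {"ST": 512},
    "SUBSCRIBE": {"CALLBACK": 512},
}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an SSDP/UPnP request into (METHOD, {HEADER-NAME: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper() if lines and lines[0] else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines instead of aborting the check
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return method, headers


def oversized_headers(raw: bytes) -> List[str]:
    """Return the names of headers whose value exceeds the configured limit."""
    method, headers = parse_request(raw)
    limits = HEADER_LIMITS.get(method, {})
    return [name for name, limit in limits.items()
            if len(headers.get(name, "").encode("latin-1")) > limit]


# Constructed sample messages for testing the detector (not real captures).
NORMAL_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                  b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n")
LONG_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: upnp:" + b"A" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL_MSEARCH), ("long", LONG_MSEARCH)):
        print(label, oversized_headers(msg))
```

A non-empty result is a trigger for alerting or dropping the datagram at a gateway in front of unpatched devices, which is useful for the SDK 2.x branch that receives no fix.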
Both servers also lack protection against CSRF attacks and against the "DNS rebinding" technique, which allows requests to be sent from the external network even when access to the interface is restricted to the internal network. The processes also used a predefined supervisor/supervisor account by default.
A fix has already been released in Realtek "Luna" SDK update 1.3.2a, and patches for the Realtek "Jungle" SDK are also being prepared for release. No fixes are planned for Realtek SDK 2.x, as maintenance of this branch has already been discontinued. Exploit prototypes have been provided for all of the vulnerabilities, allowing an attacker to execute their own code on the device.
In addition, several vulnerabilities were identified in the UDPServer process. As it turned out, one of the problems had already been discovered by other researchers in 2015, but was not fully fixed. The problem is caused by the lack of proper validation of arguments passed to the system() function and can be exploited by sending a string such as 'ff; ls' to network port 9034.
Source: https://www.iot-inspector.com