Multiple vulnerabilities found in the Realtek SDK

Details were recently published on four vulnerabilities in components of the Realtek SDK, which manufacturers of various wireless devices use in their firmware. The issues allow an unauthenticated attacker to execute code remotely on a vulnerable device with elevated privileges.

The issues are estimated to affect at least 200 device models from 65 different vendors, including various wireless router models from Asus, A-Link, Beeline, Belkin, Buffalo, D-Link, Edison, Huawei, LG, Logitec, MT-Link, Netgear, Realtek, Smartlink, UPVEL, ZTE and Zyxel.

The problem spans several classes of wireless devices built on RTL8xxx SoCs, from wireless routers and Wi-Fi repeaters to IP cameras and smart lighting control devices.

Devices based on RTL8xxx chips use an architecture that involves two SoCs: the first runs the manufacturer's Linux-based firmware, and the second runs a separate, stripped-down Linux environment that implements the access point functions. That second environment is built from the standard components Realtek ships in its SDK. Among other things, these components process data received in externally sent requests.

The vulnerabilities affect products that use Realtek SDK v2.x, Realtek "Jungle" SDK v3.0-3.4 and Realtek "Luna" SDK up to version 1.3.2.

As for the description of the identified vulnerabilities, it is worth noting that the first two were assigned a severity score of 8.1 and the other two, 9.8.

  • CVE-2021-35392: a buffer overflow in the mini_upnpd and wscd processes that implement the "WiFi Simple Config" functionality (mini_upnpd handles SSDP packets, and wscd, in addition to supporting SSDP, handles UPnP requests based on the HTTP protocol). An attacker can execute their own code by sending specially crafted UPnP SUBSCRIBE requests with an excessively large port number in the Callback field.
  • CVE-2021-35393: a vulnerability in the "WiFi Simple Config" handlers that manifests when the SSDP protocol is used (SSDP runs over UDP with a request format similar to HTTP). The problem is caused by the use of a fixed 512-byte buffer when processing the "ST:upnp" parameter in the M-SEARCH messages that clients send to discover the services available on the network.
  • CVE-2021-35394: a vulnerability in the MP Daemon process, which is responsible for diagnostic operations (ping, traceroute). The problem allows injection of arbitrary commands because arguments are insufficiently validated when external utilities are executed.
  • CVE-2021-35395: a series of vulnerabilities in the web interfaces based on the /bin/webs and /bin/boa HTTP servers. Typical vulnerabilities were identified in both servers, caused by the lack of argument validation before external utilities are executed via the system() function. The differences come down to the use of different APIs for the attack.
    Neither handler includes protection against CSRF attacks or against the "DNS rebinding" technique, which allows requests to be sent from an external network even though access to the interface is restricted to the internal network only. The processes also used a predefined supervisor/supervisor account by default.
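The two network-facing triggers described above (an oversized "ST:" value in an SSDP M-SEARCH and an out-of-range port in a UPnP SUBSCRIBE Callback header) are simple to check for at a sensor or in a test harness. The following is an added example, not code from the advisory or from the Realtek SDK; the sample messages and the addresses in them are constructed, and the 512-byte threshold is taken from the description of CVE-2021-35393.

```python
import re

# Thresholds from the advisory text: M-SEARCH "ST:" values go into a fixed 512-byte
# buffer (CVE-2021-35393); the SUBSCRIBE "Callback" port must be a real TCP port (CVE-2021-35392).
ST_BUFFER_LIMIT = 512

SAMPLES = {  # constructed messages, not captures; hosts are documentation-range addresses
    "msearch_ok": (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                   b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n"),
    "msearch_oversized_st": (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                             b"ST: upnp:" + b"x" * 600 + b"\r\n\r\n"),
    "subscribe_ok": (b"SUBSCRIBE /event HTTP/1.1\r\nHOST: 192.0.2.1:8080\r\n"
                     b"CALLBACK: <http://192.0.2.10:5000/notify>\r\nNT: upnp:event\r\n\r\n"),
    "subscribe_bad_port": (b"SUBSCRIBE /event HTTP/1.1\r\nHOST: 192.0.2.1:8080\r\n"
                           b"CALLBACK: <http://192.0.2.10:99999999/notify>\r\n\r\n"),
}

def parse_headers(message: bytes):
    """Split an HTTP-style SSDP/UPnP message into (request line, {NAME: value})."""
    lines = message.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def check_message(message: bytes) -> list:
    """Return human-readable findings for one M-SEARCH (UDP/1900) or SUBSCRIBE message."""
    findings = []
    request_line, headers = parse_headers(message)
    method = request_line.split(" ", 1)[0].upper()
    if method == "M-SEARCH":
        st_len = len(headers.get("ST", "").encode("latin-1"))
        # 512 bytes or more cannot fit in a 512-byte buffer together with its terminator
        if st_len >= ST_BUFFER_LIMIT:
            findings.append(f"M-SEARCH ST value is {st_len} bytes, limit {ST_BUFFER_LIMIT}")
    elif method == "SUBSCRIBE":
        for m in re.finditer(r"<https?://[^:/>]+:(\d+)", headers.get("CALLBACK", "")):
            port = int(m.group(1))
            if not 1 <= port <= 65535:
                findings.append(f"SUBSCRIBE Callback port {port} is out of range")
    return findings

def scan_samples() -> dict:
    """Run the checks over every constructed sample; an empty list means nothing was flagged."""
    return {name: check_message(msg) for name, msg in SAMPLES.items()}
```

Feeding real traffic through check_message() flags only the two shapes the advisory describes; it is a triage aid, not a replacement for applying the vendor patches.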

Fixes have already been released in the Realtek "Luna" SDK 1.3.2a update, and patches for the Realtek "Jungle" SDK are also being prepared for release. No fixes are planned for Realtek SDK 2.x, since maintenance of that branch has already been discontinued. Exploit prototypes have been provided for all of the vulnerabilities, allowing code to be run on the device.

In addition, several vulnerabilities were identified in the UDPServer process. As it turned out, one of the problems had already been found by other researchers in 2015 but was not fully fixed. The problem is caused by the lack of proper validation of the arguments passed to the system() function and can be exploited by sending a string such as 'ff; ls' to network port 9034.

Source: https://www.iot-inspector.com
