Vulnerability found in Zyxel network devices

A few days ago, a serious security vulnerability was discovered in the firewalls, virtual private network gateways and access point controllers of Zyxel Communications Corp.

It is detailed that last month, security researchers from the Dutch cybersecurity firm Eye Control documented the case and mentioned that the vulnerability affects more than 100,000 devices manufactured by the company.

The vulnerability is that the devices have an easily exploitable administrative backdoor that could allow attackers to gain access to the devices via SSH or the web administration panel.

With the hidden username and password, hackers could gain access to the networks that use Zyxel devices.

"Someone could, for example, change firewall settings to allow or block certain traffic," said Eye Control researcher Niels Teusink. "They could also intercept traffic or create VPN accounts to gain access to the network behind the device."

The vulnerability is present in the ATP, USG, USG Flex, VPN and NXC series of devices from Zyxel.

Although not a household name, Zyxel is a Taiwanese company that manufactures networking devices used mainly by small and medium-sized businesses.

In fact, the company has a remarkably long list of firsts: it was the first company in the world to design an analog/digital ISDN modem, the first with an ADSL2+ gateway, and the first to offer a palm-sized personal firewall, among other achievements.

However, this is not the first time vulnerabilities have been found in Zyxel devices. A study presented by the Fraunhofer Institute for Communication in July named Zyxel, along with AsusTek Computer Inc., Netgear Inc., D-Link Corp., Linksys, TP-Link Technologies Co. Ltd. and AVM Computersysteme Vertriebs GmbH, as having security issues.

According to Zyxel company representatives, the backdoor is not the result of malicious activity by third-party attackers, but is a regular service mechanism used to automatically download firmware updates via FTP.

It should be noted that the predefined password was not encrypted, and the Eye Control security researchers noticed it by analyzing the plaintext strings contained in the firmware image.

In the user database the password was stored as a hash and the extra account was excluded from the user list, but one of the executable files contained the password in cleartext. Zyxel was notified of the problem at the end of November and fixed it partially.
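As an added illustration (not code from the article or from Eye Control), the following Python script shows the kind of firmware audit the researchers describe: extract the printable strings from a binary image and flag the ones that look like embedded credentials, separating hashed user-database entries from cleartext values. The firmware bytes are a constructed stand-in with a placeholder password, not real Zyxel firmware; the "zyfwp" account name is the one named in the advisory.

```python
import re

# Constructed stand-in for a firmware image: binary padding around a few
# printable strings. The password is a placeholder, not a real credential.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"Zyxel USG firmware V4.60 Patch0\x00"
    + b"\x90\x90\x90"
    + b"ftpuser=zyfwp\x00"
    + b"\x01\x02\x03"
    + b"ftppass=PLACEHOLDER_SECRET\x00"
    + b"/etc/config/users.db\x00"
    + b"\xff" * 8
    + b"zyfwp:$6$saltsalt$hashedpasswordvalue\x00"
)

# A user:$id$... line is what a user database should hold (hashed).
HASH_ENTRY = re.compile(r"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$")

# Hints that a string carries a cleartext secret: a password-like key with
# a value, or any mention of the account name from the advisory.
PLAINTEXT_HINTS = [
    re.compile(r"(?i)(pass(word|wd)?|secret|pwd)\s*[=:]\s*\S+"),
    re.compile(r"\bzyfwp\b"),
]


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes (like `strings`)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def find_credential_strings(blob: bytes) -> list[tuple[str, str]]:
    """Return (kind, string) pairs for strings that look like credentials.

    kind is 'hashed' for user:$id$... entries and 'plaintext' for strings
    that match one of the cleartext hints.
    """
    hits = []
    for s in extract_strings(blob):
        if HASH_ENTRY.search(s):
            hits.append(("hashed", s))
        elif any(p.search(s) for p in PLAINTEXT_HINTS):
            hits.append(("plaintext", s))
    return hits


if __name__ == "__main__":
    for kind, hit in find_credential_strings(SAMPLE_FIRMWARE):
        print(f"{kind:9s} {hit}")
```

Run against a real image, the cleartext hits are the ones to investigate; a hashed entry alone is the expected state of a user database.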

The issue affects Zyxel's ATP (Advanced Threat Protection), USG (Unified Security Gateway), USG FLEX and VPN firewalls, as well as the NXC2500 and NXC5500 access point controllers.

Zyxel addressed the vulnerability, formally named CVE-2020-29583, in an advisory and released a patch fixing the problem. In the advisory, the company noted that the hidden "zyfwp" user account was designed to deliver automatic firmware updates to connected access points via FTP.

The firewall issue was fixed in firmware update V4.60 Patch1 (it is claimed that the default password only appeared in firmware V4.60 Patch0 and that older firmware versions are not affected, but older firmware contains other vulnerabilities through which the devices could be attacked).

For the hotspots, the fix will be included in the V6.10 Patch1 update scheduled for April 2021. All users of the affected devices are advised to update the firmware immediately or to restrict access to the network ports at the firewall level.

The problem is aggravated by the fact that the VPN service and the web interface for managing the device accept connections on the same port 443, which is why many users left port 443 open to external requests and thus, besides the VPN endpoint, also left the web administration interface reachable.

According to preliminary estimates, more than 100 devices containing the identified backdoor are reachable on the network for connections via port 443.

Users of the affected Zyxel devices are advised to install the relevant firmware updates for better protection.

Source: https://www.eyecontrol.nl

