New vulnerabilities discovered in the WPA3 and EAP protocols

WPA3

Two researchers (Mathy Vanhoef and Eyal Ronen) have disclosed a new attack method, already registered as CVE-2019-13377. The flaw affects wireless networks that use the WPA3 security technology and lets an attacker obtain information about characteristics of the password, which can then be used to guess it offline. The problem has been demonstrated against the current version of Hostapd.

The same researchers had identified six vulnerabilities in WPA3 a few months earlier, mainly concerning the SAE authentication mechanism, also known as Dragonfly. Those attacks resemble dictionary attacks and allow an adversary to recover the password by abusing side-channel or secondary leaks.

They also carried out a large number of attacks against the various mechanisms that make up the WPA3 protocol, such as a dictionary attack against WPA3 operating in transition mode and a cache-based microarchitectural side-channel attack against the SAE handshake, and they used the opportunity to show how the recovered timing and cache information can be used to perform offline "password partitioning attacks".

This allows an attacker to recover the password used by the victim.

However, the new analysis showed that the use of Brainpool curves gives rise to a new class of side-channel leaks in the Dragonfly connection negotiation algorithm used in WPA3, the algorithm that is meant to provide protection against offline password guessing.

The identified problem demonstrates that building Dragonfly and WPA3 implementations free of side-channel data leaks is an extremely difficult task. It also exposes the weakness of the closed-door model of standards development, without public discussion of the proposed methods and review by the community.

When ECC Brainpool is used to encode the password, the Dragonfly algorithm performs several preliminary iterations with the password, linked to quickly computing a short hash before the elliptic curve is applied. Until a short hash is found, the operations performed depend directly on the MAC address and the password.

About the new vulnerabilities

The running time correlates with the number of iterations, and the delays between operations during the preliminary iterations can be measured and used to determine characteristics of the password, which can then be used offline to narrow down the correct choice of password parts during the guessing process.
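To make the mechanism described above concrete, here is an added toy model of the Dragonfly "hunting and pecking" loop. It is not code from the researchers, from Hostapd or from FreeRADIUS; it follows the loop structure of RFC 7664 and IEEE 802.11 SAE but uses a constructed small curve over the prime 10007 with a 14-bit "short hash", so that, as with Brainpool, the derived value often exceeds the modulus and those rounds skip the expensive curve work. The early-exit version shows that the number of rounds, and therefore the running time, varies with the password and the MAC addresses; the fixed-round version shows the mitigation of always running at least K rounds and doing the curve computation in every round. The curve parameters, MAC addresses and candidate passwords are all constructed sample values.

```python
"""Toy model of Dragonfly 'hunting and pecking' (added illustration, not hostapd code).

Loop structure follows RFC 7664 / IEEE 802.11 SAE:
  1. pwd-seed  = HMAC(max(MAC_A, MAC_B) | min(MAC_A, MAC_B), password | counter)
  2. pwd-value = KDF(pwd-seed) read as an integer (the "short hash")
  3. if pwd-value < p and x^3 + a*x + b is a quadratic residue mod p, a point exists;
     otherwise increment the counter and retry.
The constructed curve uses p = 10007 with a 14-bit short hash, so roughly 39 % of
rounds fail step 2 and skip the costly step 3, mimicking the Brainpool situation.
"""
import hashlib
import hmac

P = 10007                 # constructed prime modulus, about 0.61 * 2**14 (not a real curve)
A, B = 3, 7               # toy curve y^2 = x^3 + A*x + B (mod P)
HASH_BITS = 14            # width of the short hash drawn from the toy KDF
K = 40                    # minimum round count recommended by RFC 7664


def pwd_seed(password: bytes, mac_a: bytes, mac_b: bytes, counter: int) -> bytes:
    """Step 1: seed bound to both MAC addresses, the password and the round counter."""
    key = max(mac_a, mac_b) + min(mac_a, mac_b)
    return hmac.new(key, password + counter.to_bytes(2, "big"), hashlib.sha256).digest()


def pwd_value(seed: bytes) -> int:
    """Step 2: toy KDF, truncated to HASH_BITS bits."""
    digest = hashlib.sha256(seed + b"Dragonfly Hunting And Pecking").digest()
    return int.from_bytes(digest[:2], "big") & ((1 << HASH_BITS) - 1)


def is_quadratic_residue(v: int) -> bool:
    """Euler's criterion modulo P (0 counts as a residue)."""
    return v % P == 0 or pow(v, (P - 1) // 2, P) == 1


def on_curve(x: int) -> bool:
    """Step 3: does x have a matching y on the toy curve?"""
    return is_quadratic_residue((x ** 3 + A * x + B) % P)


def hunt_and_peck_leaky(password: bytes, mac_a: bytes, mac_b: bytes):
    """Early-exit loop. Returns (x, rounds); 'rounds' is what timing reveals."""
    counter = 1
    while True:
        v = pwd_value(pwd_seed(password, mac_a, mac_b, counter))
        if v < P and on_curve(v):   # short-hash check gates the expensive curve work
            return v, counter
        counter += 1


def hunt_and_peck_fixed(password: bytes, mac_a: bytes, mac_b: bytes):
    """Mitigated loop: at least K rounds, curve work in every round, no early exit.

    Returns (x, rounds); x equals the leaky result, rounds is max(K, first hit)."""
    found_x, found = 0, False
    counter = 1
    while counter <= K or not found:
        v = pwd_value(pwd_seed(password, mac_a, mac_b, counter))
        qr = on_curve(v % P)             # always pay for the curve check
        ok = qr and v < P
        take = int(ok and not found)     # keep only the first hit
        found_x = take * v + (1 - take) * found_x   # arithmetic select, no data-dependent store
        found = found or ok
        counter += 1
    return found_x, counter - 1


def rounds_profile(passwords, mac_a: bytes, mac_b: bytes) -> dict:
    """Round count of the leaky loop per candidate password: the signal that leaks."""
    return {pw: hunt_and_peck_leaky(pw, mac_a, mac_b)[1] for pw in passwords}


if __name__ == "__main__":
    # Constructed sample addresses (locally administered, not real devices).
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    candidates = [b"password%d" % i for i in range(10)]
    for pw, rounds in rounds_profile(candidates, ap, sta).items():
        fixed_rounds = hunt_and_peck_fixed(pw, ap, sta)[1]
        print(pw.decode(), "leaky rounds:", rounds, "fixed rounds:", fixed_rounds)
```

Running the script prints a different round count for most candidate passwords in the early-exit version and a constant 40 for the fixed version. Python itself gives no constant-time guarantees; what the fixed loop demonstrates is the structural property the article's timing measurements rely on: a round count and per-round workload that no longer depend on the password or the MAC addresses.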

To carry out the attack, access to the system of the user connecting to the wireless network is required.

In addition, the researchers identified a second vulnerability (CVE-2019-13456) related to information leakage in the implementation of the EAP-pwd protocol, which uses the Dragonfly algorithm.

The problem is specific to the FreeRADIUS RADIUS server and, like the first flaw, relies on information leakage through side channels, which can significantly simplify password guessing.

Combined with an improved method for filtering noise in the delay measurements, 75 measurements per MAC address are sufficient to determine the number of iterations.

The resulting attacks are efficient and cheap. For example, the downgrade attack can be exploited using existing WPA2 cracking tools and hardware. The side-channel vulnerabilities can, for example, be abused to carry out a brute-force attack using the largest known dictionaries for as little as $1 on Amazon EC2 instances.

Methods for improving the protocol's security to close the identified issues have already been included in draft versions of the future Wi-Fi standards (WPA 3.1) and EAP-pwd.

Fortunately, as a result of our findings, both the Wi-Fi standard and EAP-pwd are being updated with a more secure protocol. Although this update is not backwards compatible with current WPA3 implementations, it prevents most of our attacks.

Source: https://wpa3.mathyvanhoef.com

