A vulnerability has been found in the uClibc and uClibc-ng libraries that affects Linux firmware.

A few days ago news broke that a vulnerability (no CVE assigned yet) had been identified in the standard C libraries uClibc and uClibc-ng, which are used in many embedded and portable devices. It allows dummy data to be planted in the DNS cache, which can be used to spoof the IP address of an arbitrary domain in the cache and redirect requests for that domain to an attacker's server.

Regarding the problem, it is mentioned that it affects various Linux firmware for routers, access points and IoT devices, as well as embedded Linux distributions such as OpenWRT and Embedded Gentoo.

About the vulnerability

The vulnerability is caused by the use of predictable transaction identifiers in the code that sends DNS queries. The DNS query ID was chosen by simply incrementing a counter, without any additional randomisation of the port numbers, which made it possible to poison the DNS cache just by sending UDP packets with fake responses (a response is accepted if it arrives before the response from the real server and carries the correct identifier).

Unlike the Kaminsky method described in 2008, it is not even necessary to guess the transaction ID, because it is predictable from the start (it is initially set to 1, is incremented with each request, and is never chosen at random).

To protect against ID guessing, the specification additionally recommends randomising the network source port from which DNS queries are sent, which compensates for the ID being too short.

When port randomisation is enabled, forging a dummy response requires guessing not only the 16-bit identifier but also the network port number. In uClibc and uClibc-ng, such randomisation was not explicitly enabled (when bind was called, a random source UDP port was not requested), so its use depended on the operating system configuration.

When port randomisation is disabled, working out the next incremented request ID is described as a trivial task. But even with randomisation, an attacker only needs to guess the network port from the range 32768-60999, which can be done by mass-sending dummy responses to many network ports at once.
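The two weaknesses described above, a counter-based transaction ID and a fixed source port, can be checked for in a resolver's outgoing traffic. The following is an added audit example, not code from the article or from uClibc; the captured queries are constructed samples and the port range is the 32768-60999 range named in the text.

```python
import struct

EPHEMERAL_PORTS = 60999 - 32768 + 1  # size of the Linux port range named in the article

def build_query(txid, name):
    """Build a minimal DNS A query with the given 16-bit transaction ID (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def dns_txid(packet):
    """Return the 16-bit transaction ID from the first two bytes of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[:2])[0]

def assess_resolver(queries):
    """queries: list of (source UDP port, raw DNS query bytes) captured from one resolver.
    Flags the two weaknesses from the article: a counter-based ID and a single bound port."""
    ids = [dns_txid(pkt) for _, pkt in queries]
    ports = {port for port, _ in queries}
    sequential = len(ids) > 1 and all((b - a) % 65536 == 1 for a, b in zip(ids, ids[1:]))
    return {
        "sequential_ids": sequential,
        "port_randomized": len(ports) > 1,
        "predictable": sequential or len(ports) == 1,
    }

def spoof_search_space(findings):
    """Number of (port, ID) combinations an off-path forger must cover per query; 1 means no guessing."""
    ids = 1 if findings["sequential_ids"] else 65536
    ports = EPHEMERAL_PORTS if findings["port_randomized"] else 1
    return ids * ports

# Constructed capture of a uClibc-style resolver: ID counter starting at 1, one bound port ...
WEAK_CAPTURE = [(53000, build_query(i, "example.com")) for i in range(1, 5)]
# ... and of a hardened resolver with random IDs and a fresh ephemeral port per query.
HARDENED_CAPTURE = [(p, build_query(t, "example.com")) for p, t in
                    [(40123, 0x3A7F), (55871, 0x91C2), (33210, 0x0C55), (59944, 0xE410)]]

if __name__ == "__main__":
    for label, capture in (("weak", WEAK_CAPTURE), ("hardened", HARDENED_CAPTURE)):
        findings = assess_resolver(capture)
        print(label, findings, "guesses per query:", spoof_search_space(findings))
```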

The problem has been confirmed in all current versions of uClibc and uClibc-ng, including the latest releases, uClibc 0.9.33.2 and uClibc-ng 1.0.40.

"It's important to note that a vulnerability affecting a standard C library can be quite complex," the team wrote in a blog post this week.

"Not only would there be hundreds or thousands of calls to the vulnerable function at multiple points in a single program, but the vulnerability would affect an indefinite number of other multi-vendor programs configured to use that library."

In September 2021, information about the vulnerability was sent to CERT/CC for coordinated fix preparation. In January 2022, the problem was shared with more than 200 manufacturers associated with CERT/CC.

In March, there was an attempt to contact the maintainer of the uClibc-ng project separately, but he replied that he could not fix the vulnerability on his own and recommended public disclosure of information about the problem, hoping to get help from the community in developing a fix. Among the manufacturers, NETGEAR announced the release of an update that removes the vulnerability.

It is noted that the vulnerability shows up in devices from many manufacturers (for example, uClibc is used in firmware from Linksys, Netgear, and Axis), but since the vulnerability remains unpatched in uClibc and uClibc-ng, detailed information about the affected devices and the specific manufacturers whose products have the problem has not been disclosed.

Finally, if you are interested in knowing more about it, you can check the details at the following link.
