wpa_supplicant 2.10 arrives fixing several vulnerabilities, adding improvements and more

After a year and a half of development, hostapd/wpa_supplicant 2.10 has been released. It is a suite for supporting the IEEE 802.1X, WPA, WPA2, WPA3 and EAP wireless protocols, consisting of the wpa_supplicant application, which connects to a wireless network as a client, and the hostapd background process, which provides an access point and authentication server and includes components such as the WPA Authenticator, a RADIUS authentication client/server and an EAP server.

In addition to functional changes, the new version blocks a new side-channel attack vector affecting the SAE (Simultaneous Authentication of Equals) connection negotiation method and the EAP-pwd protocol.

The fixed vulnerability allowed an attacker able to execute unprivileged code on the system of a user connecting to a wireless network to obtain information about characteristics of the password by monitoring system activity, and to use that information to simplify offline password guessing.

The problem is caused by the leakage of information about the password's characteristics through side channels: indirect data, such as changes in delays during operations, reveals whether parts of the password were guessed correctly while it is being recovered.

Unlike the similar issues fixed in 2019, the new vulnerability is due to the external cryptographic primitives used in the crypto_ec_point_solve_y_coord() function not providing constant execution time regardless of the nature of the data being processed.

Based on an analysis of processor cache behaviour, an attacker able to execute unprivileged code on the same processor core can obtain information about the progress of password operations in SAE/EAP-pwd. All versions of wpa_supplicant and hostapd built with SAE support (CONFIG_SAE=y) and EAP-pwd support (CONFIG_EAP_PWD=y) are affected.
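As an added example (not part of the original article or of the hostapd project), a small Python check of whether an installed build matches the affected combination described above: it reads the version banner printed by `wpa_supplicant -v` or `hostapd -v` and the build-time `.config` file, and reports which of the two compile options leaves a pre-2.10 build exposed. Both sample inputs are constructed.

```python
import re

# Constructed samples, not taken from any real host: the banner line that
# `wpa_supplicant -v` / `hostapd -v` print, and a build-time .config fragment.
SAMPLE_VERSION_BANNER = "wpa_supplicant v2.9\n"
SAMPLE_BUILD_CONFIG = """\
CONFIG_DRIVER_NL80211=y
CONFIG_SAE=y
#CONFIG_EAP_PWD=y
CONFIG_WEP=y
"""

def parse_kv(text):
    """key=value per line; blank lines and '#' comments are skipped."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split("=", 1) for l in lines if l and not l.startswith("#") and "=" in l)

def parse_version(banner):
    """(major, minor) from 'wpa_supplicant vX.Y' or 'hostapd vX.Y'."""
    m = re.search(r"\bv(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version banner found")
    return int(m.group(1)), int(m.group(2))

def side_channel_exposure(version, build):
    """Options that leave a pre-2.10 build exposed to the SAE/EAP-pwd timing leak.

    Tuple comparison orders 2.9 before 2.10 correctly (string comparison would not)."""
    if version >= (2, 10):
        return []
    exposed = []
    for option, method in (("CONFIG_SAE", "SAE"), ("CONFIG_EAP_PWD", "EAP-pwd")):
        if build.get(option) == "y":
            exposed.append(f"{option}=y: {method} password exchange leaks timing before 2.10; upgrade")
    return exposed

if __name__ == "__main__":
    findings = side_channel_exposure(parse_version(SAMPLE_VERSION_BANNER), parse_kv(SAMPLE_BUILD_CONFIG))
    print("\n".join(findings) or "not exposed")
```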

Among the other changes implemented in the new version, the ability to build against the OpenSSL 3.0 cryptographic library has been added.

The Beacon Protection mechanism proposed in the WPA3 specification update has also been implemented; it is designed to protect against active attacks on wireless networks that rely on manipulating Beacon frames.

We can also find added support for DPP 2 (Wi-Fi Device Provisioning Protocol), which defines a public-key authentication method used in the WPA3 standard to simplify the configuration of devices without a screen interface. Configuration is performed using another, more capable device that is already connected to the wireless network.

In addition, support for TLS 1.3 has been added to the EAP-TLS implementation (disabled by default).

New settings (max_auth_rounds, max_auth_rounds_short) have been added to change the limits on the number of EAP messages in the authentication process (the limits may need to be changed when very large certificates are used).

WEP compatibility is removed from builds by default (rebuilding with the CONFIG_WEP=y option is required to restore WEP support). Deprecated functionality related to IAPP (Inter-Access Point Protocol) has been removed. Support for libnl 1.1 has been removed. The build option CONFIG_NO_TKIP=y has been added to build without TKIP support.

Vulnerabilities have been fixed in the UPnP implementation (CVE-2020-12695), in the P2P/Wi-Fi Direct driver (CVE-2021-27803) and in the PMF protection mechanism (CVE-2019-16275).

Changes specific to hostapd include extended support for HEW (High-Efficiency Wireless, IEEE 802.11ax) wireless networks, including the ability to use the 6 GHz frequency band.

Among the other notable changes:

  • Added support for Extended Key ID (IEEE 802.11-2016).
  • Added support for the SAE-PK (SAE Public Key) security mechanism in the implementation of the SAE connection negotiation method.
  • Implemented a fast transmission mode, enabled with the "sae_config_immediate=1" option, along with the hash-to-element mechanism, enabled when the sae_pwe parameter is set to 1 or 2.
  • Added support for the PASN (Pre-Association Security Negotiation) mechanism for establishing a secure connection and protecting the exchange of control frames at an early stage of the connection.
  • Implemented a transition disable mechanism, which allows roaming mode (switching between access points as you move) to be disabled automatically to improve security.
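As an added example (not from the article or the project), a Python audit of a hostapd.conf for the settings this release touches: the WEP and TKIP removal, sae_pwe for hash-to-element, and Beacon Protection. The option names wpa_key_mgmt, rsn_pairwise, wpa_pairwise, wep_key0, sae_pwe, ieee80211w and beacon_prot are hostapd.conf's documented options (beacon_prot and ieee80211w are not named on this page), and the configuration fragment is constructed.

```python
# Constructed hostapd.conf fragment, not from any real deployment: SAE enabled
# without hash-to-element, TKIP still allowed, a WEP key, no Beacon Protection.
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=SAE WPA-PSK
rsn_pairwise=CCMP TKIP
sae_password=constructed-passphrase
wep_key0=0102030405
ieee80211w=1
"""

def parse_kv(text):
    """key=value per line; blank lines and '#' comments are skipped."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split("=", 1) for l in lines if l and not l.startswith("#") and "=" in l)

def audit_hostapd_conf(conf):
    """(option, finding) pairs for settings 2.10 deprecates or expects hardened for SAE."""
    findings = []
    if any(key.startswith("wep_key") for key in conf):
        findings.append(("wep_key*", "WEP configured; 2.10 drops WEP unless built with CONFIG_WEP=y"))
    for option in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(option, "").split():
            findings.append((option, "TKIP allowed; remove it, or build with CONFIG_NO_TKIP=y"))
    if "SAE" in conf.get("wpa_key_mgmt", "").split():
        # hash-to-element (sae_pwe=1 or 2) replaces the password-dependent
        # hunting-and-pecking loop whose timing the side channel observes
        if conf.get("sae_pwe") not in ("1", "2"):
            findings.append(("sae_pwe", "hunting-and-pecking only; set sae_pwe=2 for hash-to-element"))
        if conf.get("ieee80211w") != "2":
            findings.append(("ieee80211w", "PMF not required; WPA3-Personal expects ieee80211w=2"))
        if conf.get("beacon_prot") != "1":
            findings.append(("beacon_prot", "Beacon Protection off; set beacon_prot=1 (needs PMF)"))
    return findings

if __name__ == "__main__":
    for option, finding in audit_hostapd_conf(parse_kv(SAMPLE_HOSTAPD_CONF)):
        print(f"{option}: {finding}")
```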

Finally, if you are interested in knowing more about it, you can check the details at the following link.
