Security researchers have found a total of 11 serious vulnerabilities in recent firmware versions of Netgear Nighthawk routers. The vulnerabilities have been patched by Netgear. Among other things, the routers store usernames and passwords in plaintext.
The vulnerabilities were found by researcher Jimi Sebree of security company Tenable in the Nighthawk R6700v3 AC1750 with firmware version 1.0.4.120 and in the Nighthawk RAX43 with firmware version 1.0.3.96. The vulnerabilities vary, but according to the researcher all of them range from serious to critical, and moreover not all of them have been supplied with patches by Netgear.
The most important vulnerability is registered as CVE-2021-45077 for the R6700 and as CVE-2021-1771 for the RAX43. The routers store the usernames and passwords for the device and for the services it offers in plaintext on the router, and the administrator password is also written in an obscured form in the router's base configuration file, Sebree writes on his website.
In addition, there is a risk that those usernames and passwords are intercepted. On the R6700v3 this is because the router uses HTTP by default, instead of HTTPS, for all communication with the web interface. The SOAP interface, on port 5000, also communicates over HTTP, which allows passwords and usernames to be captured.
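The interception risk described above applies to both routers, since the article notes that the RAX43 also defaults to HTTP. The following is an added example, not code from the article, from Tenable or from Netgear: a small detector a network defender could run over captured LAN-side management traffic to flag credentials that reach the router in cleartext. The router address 192.168.1.1, the URL paths and the form field names in the constructed sample captures are assumptions; the check for cleartext is whether the capture begins with a readable HTTP request line, so it does not depend on the port number.

```python
"""Detect credentials crossing a router's management plane in cleartext.

Added example for illustration; it is not code from the article, from
Tenable or from Netgear. It runs offline on constructed request captures.
The router address 192.168.1.1, the URL paths and the form field names in
the samples are assumptions used only for the sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# A readable HTTP request line means the transport is cleartext: TLS
# traffic never presents one, so this check is independent of the port.
HTTP_REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE)\s+\S+\s+HTTP/1\.[01]\r?\n")
BASIC_AUTH = re.compile(r"(?im)^Authorization:\s*Basic\s+\S+")
CRED_FIELD = re.compile(r"(?i)\b(password|passwd|pwd|username|user)=[^&\s]*")


@dataclass
class Finding:
    port: int
    reason: str  # what was observed; the credential value itself is never stored


def audit_request(port: int, raw: str) -> List[Finding]:
    """Return one Finding per credential indicator seen in a cleartext request.

    The request is only inspected if it starts with a plain HTTP request
    line; anything else (for instance a TLS record) is treated as opaque
    and yields no finding.
    """
    if not HTTP_REQUEST_LINE.match(raw):
        return []
    findings: List[Finding] = []
    if BASIC_AUTH.search(raw):
        findings.append(Finding(port, "HTTP Basic credentials sent in cleartext"))
    for match in CRED_FIELD.finditer(raw):
        field = match.group(1).lower()
        findings.append(Finding(port, f"form field '{field}' sent in cleartext"))
    return findings


def audit_captures(captures: List[Tuple[int, str]]) -> List[Finding]:
    """Run the audit over (port, request) pairs and collect all findings."""
    return [f for port, raw in captures for f in audit_request(port, raw)]


# Constructed captures (not real traffic). WEB_LOGIN mimics a form login to
# the web UI on port 80; SOAP_CALL mimics a Basic-auth request to the SOAP
# interface on port 5000; TLS_CLIENT_HELLO is the start of a TLS handshake.
WEB_LOGIN = (
    "POST /login.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=admin&password=hunter2\r\n"
)
SOAP_CALL = (
    "POST /soap/ HTTP/1.1\r\n"
    "Host: 192.168.1.1:5000\r\n"
    "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"/>\r\n'
)
TLS_CLIENT_HELLO = "\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"

if __name__ == "__main__":
    samples = [(80, WEB_LOGIN), (5000, SOAP_CALL), (443, TLS_CLIENT_HELLO)]
    for finding in audit_captures(samples):
        print(f"port {finding.port}: {finding.reason}")
```

The findings deliberately record only which indicator was seen (a Basic header, a named form field) and never the credential value, so the audit output itself does not become a second place where the router's password is stored in plaintext. A hit on a management port is the signal to move the interface to HTTPS, or to restrict who can reach ports 80 and 5000 on the LAN, until the fixed firmware is installed.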
The SOAP interface
Furthermore, the router is vulnerable to a post-authentication command injection flaw in the device's update software. Intercepting the update check over the SOAP connection leaves the device open to takeover with pre-prepared values. In addition, the UART console is insufficiently protected, allowing anyone with physical access to the device via the UART port to connect and perform actions as the root user without authentication.
The router also uses hard-coded credentials for certain settings, so that the user cannot adjust certain security settings. These credentials are encrypted, but according to the researchers they are easy to recover with publicly available tools, which allows the settings to be changed by anyone with access to the router. Moreover, the router ships jQuery libraries and a minidlna.exe with multiple known vulnerabilities, while newer versions are available.
Netgear Nighthawk R6700
The vulnerability in the R6700 has a CVSS score of 7.1 on a scale of 1 to 10. That is serious, but not critical. The main reason is that an attacker must have physical access to the router to exploit the vulnerabilities. Moreover, exploiting the vulnerability in the SOAP interface is only possible once the attacker is logged in. The vulnerability in the RAX43 scores 8.8 out of 10.
The RAX43 also uses HTTP by default, Sebree writes, and uses the same jQuery libraries and the same vulnerable version of minidlna.exe. In addition, the RAX43 firmware has a vulnerability caused by two bugs. The first is a buffer overrun, the second a command injection. Combining the two allows someone to perform actions remotely as root, without authentication.
Netgear Nighthawk RAX43
Sebree writes that Tenable informed Netgear of the vulnerabilities on September 30. Although Netgear initially responded to the vulnerability report in early October, it took a long time before anything was done about it. On December 29, Netgear posted an advisory about the vulnerabilities online. Firmware updates for both routers have now also been published online. Sebree decided on December 30 to disclose the vulnerabilities under the responsible disclosure policy, even though Netgear had not yet actively pushed the firmware updates to users.
The Nighthawk R6700 is a series of routers aimed mainly at home use. It is listed in Pricewatch as the AC1750 Smart WiFi Router and has been available since July 31, 2019. The vulnerabilities are in the third version of the router. The RAX43 has been available since December 30, 2020.