Generative Data Intelligence

ASUS warns router customers: Patch now, or block all inbound requests


ASUS is a well-known maker of popular electronics products, from laptops and phones to home routers and graphics cards.

This week, the company published firmware updates for a wide range of its home routers, together with a strongly worded warning that if you aren't willing or able to update your firmware right now, you need to do the following:

[Disable] services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger.

We're guessing that ASUS expects would-be attackers to busy themselves probing exposed devices now that a lengthy list of bug fixes has been published.

(Of course, well-informed attackers may already have known about some, many or all of these holes, but we're not aware of any zero-day exploitation in the wild.)

As we've said before on Naked Security, exploits are often much easier to find when you have hints telling you where to look...

...in the same way that it's much faster and easier to find a needle in a haystack if someone tells you which bale it's in before you start.

Do as we say, not as we do.

Annoyingly for ASUS customers, perhaps, two of the patched vulnerabilities have been waiting a long time for a fix.

Both of them carry a 9.8/10 "danger" score and a CRITICAL rating in the US NVD, or National Vulnerability Database (explanatory notes ours):

  • CVE-2022-26376. Memory corruption in the httpd unescape functionality. A specially crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. (Base score: 9.8 CRITICAL.)
  • CVE-2018-1160. Netatalk before 3.1.12 [released 2018-12-20] is vulnerable to an out-of-bounds write. This is due to a lack of bounds checking on attacker-controlled data. A remote unauthenticated attacker can exploit this vulnerability to achieve arbitrary code execution. (Base score: 9.8 CRITICAL.)

To explain.

Netatalk is a software component that provides Apple-style network support, but this doesn't mean that an attacker would need to use a Macintosh computer or Apple software to trigger the bug.

In fact, given that a successful exploit would require deliberately malformed network data, the official Netatalk client software probably wouldn't do the job anyway, so the attacker could use custom-crafted code and could mount the attack from any operating system on any computer with a network connection.

HTTP escaping and unescaping is needed whenever a URL includes a data character that can't be represented directly in the text of the URL.

For example, URLs can't include spaces (to ensure that they always form a single, contiguous chunk of printable text), so if you want to refer to a username or a file that contains a space, you need to escape the space character by converting it to a percent sign followed by its ASCII code in hexadecimal (0x20, or 32 in decimal).

Similarly, because this gives a special meaning to the percent character itself, it too must be written as a percent sign (%) followed by its ASCII code (0x25 in hex, or 37 in decimal), as must other characters that are used specially in URLs, such as colon (:), slash (/), question mark (?) and ampersand (&).

When received by the web server (the program referred to as httpd in the CVE information above), any escaped characters are unescaped by converting them from their percent-encoded form back into the original text characters.

Why ASUS took so long to patch these bugs isn't stated in the company's official advisory, but handling HTTP "escape codes" is a fundamental part of any software that listens for and uses web URLs.
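The advisory doesn't say what the defect in the httpd unescape code was, so here is a bounds-checked percent-decoder written for this article (not ASUS's or any other project's code) to show the two checks such a routine must make on every byte: that "%XX" really has two hex digits inside the input buffer, and that the output buffer has room. The truncated "%2" and the non-hex "%zz" inputs are the edge cases that a decoder which simply trusts the two bytes after '%' gets wrong.

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if the byte is not [0-9A-Fa-f]. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode `in` (inlen bytes) into `out` (outcap bytes, NUL-terminated).
 * Returns the decoded length, or -1 for malformed input or a too-small output.
 * Every read of in[] is bounded by inlen and every write of out[] by outcap;
 * dropping either bound is how a decoder turns into a memory-safety bug. */
long url_unescape(const char *in, size_t inlen, char *out, size_t outcap) {
    size_t i = 0, o = 0;
    if (outcap == 0) return -1;
    while (i < inlen) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            /* "%XX" needs two more bytes inside the buffer: a trailing "%2"
             * is rejected instead of being read past the end of the input. */
            if (inlen - i < 3) return -1;
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;      /* "%zz" is not an escape */
            c = (unsigned char)(hi * 16 + lo);
            i += 3;
        } else {
            i++;
        }
        if (o + 1 >= outcap) return -1;           /* keep room for the NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

/* Convenience wrapper for NUL-terminated input. */
long url_unescape_str(const char *in, char *out, size_t outcap) {
    return url_unescape(in, strlen(in), out, outcap);
}
```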

Other bugs on the CVE list that have been squashed

  • CVE-2022-35401. Authentication bypass. A specially crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability. (Base score: 8.1 HIGH.)
  • CVE-2022-38105. Information disclosure. Specially crafted network packets can lead to the disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability. (Base score: 7.5 HIGH.)
  • CVE-2022-38393. Denial of service (DoS). A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. (Base score: 7.5 HIGH.)
  • CVE-2022-46871. Potentially exploitable bugs in the open-source libusrsctp library. SCTP stands for Stream Control Transmission Protocol. (Base score: 8.8 HIGH.)
  • CVE-2023-28702. Unfiltered special characters in URLs. A remote attacker with normal user privileges can exploit this vulnerability to perform an injection attack to execute system commands, disrupt the system or terminate the service. (Base score: 8.8 HIGH.)
  • CVE-2023-28703. Buffer overflow. A remote attacker with administrator privileges can exploit this vulnerability to execute system commands, disrupt the system or terminate the service. (Base score: 7.2 HIGH.)
  • CVE-2023-31195. Session hijacking. Sensitive cookies are used without the Secure attribute set. An attacker can use a fake HTTP (unencrypted) web link to steal authentication tokens that are improperly transmitted without encryption. (NO SCORE.)

Perhaps the most notable bug on this list is CVE-2023-28702, a command injection attack that sounds similar to the MOVEit bugs that have been all over the news recently.

As we explained after the MOVEit bug, a command parameter sent via a web URL, for example a request asking the server to start a login as the user DUCK, can't be supplied directly to a system-level command by blindly and trustingly copying the raw text out of the URL.

In other words, the request:

https://example.com/?user=DUCK

...can't simply be converted by a direct "copy-and-paste" process into a system command such as:

checkuser --name=DUCK

Otherwise, an attacker could try logging in as:

https://example.com/?user=DUCK;halt

...and trick the system into running the command:

checkuser --name=DUCK;halt

...which is the same as issuing the two separate commands below, one after the other:

checkuser --name=DUCK
halt

...where the command on the second line shuts down the entire server.

(The semicolon acts as a command separator, not as part of the command-line arguments.)
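The safe way to handle the DUCK example above, as an added example written for this article rather than code from the router firmware: pull the `user` value out of the query string, validate it against an allow-list, and hand it to the (hypothetical) `checkuser` tool as a single argv element for execvp() instead of pasting it into a shell command line. Both the allow-list and the argv construction are independent defences; `DUCK;halt` fails the first, and even without it would reach `checkuser` as one literal argument rather than as a second command.

```c
#include <stdio.h>
#include <string.h>

/* Copy the value of the `user` query parameter out of a raw query string such
 * as "user=DUCK;halt". Only '&' ends a value: the ';' stays in it, which is
 * exactly why the value must be validated before it goes anywhere near a shell.
 * Returns 1 on success, 0 if the parameter is absent or too long for `out`. */
int get_user_param(const char *query, char *out, size_t cap) {
    const char *p = strstr(query, "user=");
    if (p == NULL || (p != query && p[-1] != '&')) return 0;
    p += strlen("user=");
    size_t n = strcspn(p, "&");
    if (n + 1 > cap) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Allow-list check: letters, digits, '_', '-' and '.' only, 1 to 32 bytes.
 * Anything a shell could interpret (';', '|', '&', '$', quotes, spaces) fails. */
int username_is_safe(const char *u) {
    size_t n = strlen(u);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = u[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok) return 0;
    }
    return 1;
}

/* Build an argv for the article's hypothetical `checkuser` tool, for use with
 * execvp() rather than system(). The name is one argv element, so even if the
 * allow-list were skipped, "DUCK;halt" would reach checkuser as a single
 * literal argument and never as a second command. Returns argc, or 0 on
 * rejection. `namebuf` must outlive `argv`. */
int build_checkuser_argv(const char *user, char *namebuf, size_t cap,
                         char *argv[3]) {
    if (!username_is_safe(user)) return 0;
    if (snprintf(namebuf, cap, "--name=%s", user) >= (int)cap) return 0;
    argv[0] = "checkuser";
    argv[1] = namebuf;
    argv[2] = NULL;
    return 2;
}
```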

Session hijacking

Another worrying bug is the session hijacking issue caused by CVE-2023-31195.

As you probably know, servers typically handle web-based logins by sending what's known as a session cookie to your browser, to say "whoever knows this cookie is taken to be the same person who just logged in".

As long as the server doesn't give you one of these magic cookies until you've identified yourself, for example by presenting a username, a matching password and a valid 2FA code, an attacker would need to know your login details in order to be authenticated as you in the first place.

And as long as neither the server nor your browser ever accidentally sends the magic cookie over an unencrypted, non-TLS, old-school HTTP connection, an attacker can't easily lure your browser to an impostor server that uses HTTP instead of HTTPS, and thereby read the cookie from the web request it receives.

Remember that luring your browser to a fake http://example.com/ site is comparatively easy if a crook can temporarily trick your browser into using the wrong IP number for the example.com domain.

But luring you to https://example.com/ means that the attacker would have to come up with a believable fake web certificate, in order to present fraudulent server authentication, which is much harder to do.

To prevent this kind of attack, cookies that aren't public (whether for privacy or for access-control reasons) should be labelled Secure in the HTTP header that transmits them when they are set, like this:

Set-Cookie: AccessToken=ASC4JWLSMGUMV6TGMUCQQJYL; Secure

...instead of:

Set-Cookie: AccessToken=ASC4JWLSMGUMV6TGMUCQQJYL
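A small audit routine for the two headers above, added here as an example and not taken from any ASUS firmware or project code: it parses the attribute list of a Set-Cookie header (case-insensitively, since attribute names are not case-sensitive) and counts the cookies that lack Secure. The sample headers are constructed for this illustration.

```c
#include <string.h>
#include <ctype.h>

/* Case-insensitive comparison of a token of length n against `attr`. */
static int token_is(const char *tok, size_t n, const char *attr) {
    if (strlen(attr) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)tok[i]) != tolower((unsigned char)attr[i]))
            return 0;
    return 1;
}

/* Return 1 if a Set-Cookie header line carries the Secure attribute.
 * Attributes follow the name=value pair, separated by ';', with optional
 * surrounding whitespace; a cookie value itself may not contain ';'. */
int set_cookie_is_secure(const char *header) {
    const char *p = strchr(header, ';');
    while (p != NULL) {
        p++;                                   /* skip the ';' */
        while (*p == ' ' || *p == '\t') p++;   /* leading whitespace */
        size_t n = strcspn(p, ";");
        size_t end = n;
        while (end > 0 && (p[end - 1] == ' ' || p[end - 1] == '\t')) end--;
        if (token_is(p, end, "Secure")) return 1;
        p = (p[n] == ';') ? p + n : NULL;
    }
    return 0;
}

/* Constructed sample response headers (not captured from any real device). */
static const char *const sample_headers[] = {
    "Set-Cookie: AccessToken=ASC4JWLSMGUMV6TGMUCQQJYL; Secure",
    "Set-Cookie: AccessToken=ASC4JWLSMGUMV6TGMUCQQJYL",
    "Set-Cookie: theme=dark; Path=/; secure",
    "Set-Cookie: sid=abc123; Path=/; HttpOnly",
};

/* Count the Set-Cookie headers in `hdrs` that lack Secure: the review a
 * developer would run on a response before shipping. */
int count_insecure_cookies(const char *const *hdrs, size_t n) {
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (strncmp(hdrs[i], "Set-Cookie:", 11) == 0 && !set_cookie_is_secure(hdrs[i]))
            bad++;
    return bad;
}
```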

What to do?

  • If you have an affected ASUS router (the list is here), patch as soon as you can. The fact that ASUS took years to get the patches to you doesn't mean you can take your time applying them, especially now that the bugs involved are public knowledge.
  • If you can't patch right away, block all inbound access to your router until you are able to apply the update. Note that simply blocking HTTP or HTTPS connections (web-based traffic) isn't enough. ASUS explicitly warns that any inbound network requests could be abused, so even port forwarding (e.g. for gaming) and VPN access need to be blocked explicitly.
  • If you're a programmer, sanitise your inputs (to avoid injection bugs and memory overflows), don't wait months or years to ship patches for high-scoring bugs to your customers, and review your HTTP headers to make sure you're using the most secure options possible when exchanging important data such as authentication tokens.
