BusyBox Security Audit Reveals 14 Minor Vulnerabilities

Researchers from Claroty and JFrog have published the results of a security audit of BusyBox, a package widely used in embedded devices that provides a set of standard UNIX utilities compiled into a single executable file. The audit identified 14 vulnerabilities, all of which were already fixed in the August release of BusyBox 1.34. Almost all of the issues are harmless and of doubtful value for real-world attacks, since they require the affected utilities to be run with arguments supplied from outside.

CVE-2021-42374 stands apart: it allows a denial of service when a specially crafted file is processed with the unlzma utility, and, in builds with the CONFIG_FEATURE_SEAMLESS_LZMA option enabled, also through any other BusyBox component that transparently unpacks LZMA data, including tar, unzip, rpm, dpkg, lzma and man.

Vulnerabilities CVE-2021-42373, CVE-2021-42375, CVE-2021-42376 and CVE-2021-42377 can cause a denial of service, but require the man, ash and hush utilities to be run with specific attacker-controlled parameters. Vulnerabilities CVE-2021-42378 through CVE-2021-42386 affect the awk utility and could potentially lead to code execution, but to exploit them an attacker has to get a particular pattern executed in awk (that is, awk must be run with data received from the attacker).

In addition, a vulnerability (CVE-2021-43523) was noted in the uclibc and uclibc-ng libraries, stemming from the fact that the gethostbyname(), getaddrinfo(), gethostbyaddr() and getnameinfo() functions neither check nor sanitize the domain name returned by the DNS server. For example, in response to a resolution request, a DNS server controlled by an attacker could return a host name of the form "<script>alert('xss')</script>.attacker.com", and it would be passed unchanged to other programs that might display it in a web interface without sanitization. The issue was fixed in the uclibc-ng 1.0.39 release by adding code to validate the returned domain names, similar to what Glibc does.
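The kind of check described above, as an added example that is not the code of uclibc-ng, Glibc or the article's authors: a host-name validator that a resolver can apply to every name it receives in a DNS answer before handing it to the caller. The rules it enforces (labels of 1 to 63 characters from letters, digits and hyphens, no leading or trailing hyphen, at most 253 characters in total) are the classic host-name syntax from RFC 1035, and the function names hostname_ok() and accept_dns_name() are assumptions of this example, not an API of either library. The sample answers in main() are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits from RFC 1035: at most 63 octets per label and 253 characters
 * for the full printable name (255 octets on the wire). */
#define MAX_LABEL_LEN 63
#define MAX_NAME_LEN  253

/* ASCII-only classification so the result does not depend on the locale. */
static bool is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* Return true if NAME looks like a legitimate host name: one or more labels
 * separated by '.', each 1..63 characters from [A-Za-z0-9-] that neither
 * start nor end with '-'.  A single trailing '.' (the root) is tolerated.
 * Everything else, including '<', '>', quotes, spaces and '/', is rejected,
 * so an answer such as "<script>alert('xss')</script>.attacker.com" fails. */
bool hostname_ok(const char *name)
{
    if (name == NULL)
        return false;

    size_t len = strlen(name);
    if (len > 1 && name[len - 1] == '.')   /* drop the optional root dot */
        len--;
    if (len == 0 || len > MAX_NAME_LEN)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0)            /* empty label: leading '.' or ".." */
                return false;
            if (name[i - 1] == '-')        /* a label must not end with '-' */
                return false;
            label_len = 0;
            continue;
        }
        if (label_len == 0 && c == '-')    /* a label must not start with '-' */
            return false;
        if (!is_alnum_ascii(c) && c != '-')
            return false;
        if (++label_len > MAX_LABEL_LEN)
            return false;
    }
    /* The final label must be non-empty and must not end in '-'. */
    return label_len > 0 && name[len - 1] != '-';
}

/* Model of the gate a resolver applies before returning an answer to the
 * caller (hypothetical helper for this example, not uclibc-ng's API): a name
 * that fails validation is dropped and NULL is returned, so the lookup fails
 * instead of leaking the attacker-supplied string to the application. */
const char *accept_dns_name(const char *answer)
{
    return hostname_ok(answer) ? answer : NULL;
}

int main(void)
{
    /* Constructed sample answers, as an attacker-controlled DNS server might return. */
    const char *answers[] = {
        "web-01.example.com.",
        "<script>alert('xss')</script>.attacker.com",
        "-leading.example.com",
        "double..dot.example",
        "host name.example",
    };
    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++)
        printf("%-45s %s\n", answers[i],
               accept_dns_name(answers[i]) ? "accepted" : "rejected");
    return 0;
}
```

The check deliberately works on the decoded, dot-separated name rather than on raw wire labels, because that is the string the library hands to application code; underscore-bearing names (SRV records, some DKIM setups) would need the rule relaxed for those record types, which is why the validation belongs to the host-name lookup path only.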

source: budenet.ru
