Vulnerabilities in the Linux and FreeBSD TCP stacks leading to remote denial of service

Netflix has disclosed several critical vulnerabilities in the Linux and FreeBSD TCP stacks that allow an attacker to remotely trigger a kernel crash or cause excessive resource consumption while the kernel processes specially crafted TCP packets (a "packet of death"). The problems are caused by errors in the handlers for the maximum data block size in a TCP packet (MSS, Maximum Segment Size) and for the selective acknowledgement mechanism (SACK, TCP Selective Acknowledgment).

  • CVE-2019-11477 (SACK Panic) - a problem present in Linux kernels since 2.6.29 that allows a kernel panic to be triggered by sending a series of SACK packets, due to an integer overflow in the handler. For an attack it is enough to set the MSS value of a TCP connection to 48 bytes (the lower limit sets the segment size to 8 bytes) and send a sequence of SACK packets arranged in a particular way.

    As a workaround, you can disable SACK processing (write 0 to /proc/sys/net/ipv4/tcp_sack) or block connections with a small MSS (this only works when the sysctl net.ipv4.tcp_mtu_probing is set to 0, and it may break some legitimate connections that use a small MSS);

  • CVE-2019-11478 (SACK Slowness) - causes the SACK mechanism to malfunction (on Linux kernels older than 4.15) or excessive resource consumption. The problem occurs when processing specially crafted SACK packets, which can be used to fragment the retransmission queue (TCP retransmission). The workarounds are the same as for the previous vulnerability;
  • CVE-2019-5599 (SACK Slowness) - allows fragmentation of the map of sent packets while processing a special SACK sequence within a single TCP connection, leading to an expensive list-walking operation. The problem appears in FreeBSD 12 with the RACK packet loss detection mechanism. As a workaround, you can disable the RACK mechanism;
  • CVE-2019-11479 - an attacker can make the Linux kernel split its responses into many TCP segments, each carrying only 8 bytes of data, which can lead to a significant increase in traffic, higher CPU load and saturation of the communication channel. Blocking connections with a small MSS is recommended as a workaround.

    In the Linux kernel, the issues were fixed in releases 4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11. A fix for FreeBSD is available as a patch. Among distributions, updated kernel packages have already been released for Debian, RHEL and SUSE/openSUSE. Fixes are being prepared for Ubuntu, Fedora and Arch Linux.
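The two defensive facts above (the fixed stable releases, and the conditions under which the sysctl/MSS workaround actually holds) are easy to get wrong when checking a fleet by hand. The following POSIX shell script is an added example, not code from the original article or from Netflix or opennet.ru; its function names (`sack_fixed`, `workaround_ok`, `describe`) and its sample version strings are constructed for illustration, and the third argument to `workaround_ok` is an assumed flag meaning "a firewall rule dropping small-MSS SYNs is in place", because that fact cannot be read from /proc.

```sh
#!/bin/sh
# Added example (not from the original article). Checks whether a Linux
# kernel version is at or above the stable release that fixed
# CVE-2019-11477/11478/11479, and whether the documented workaround is in
# effect. Fixed versions are those listed in the article; inputs are constructed.

# sack_fixed VERSION
#   0 = at or above the fixed release of its stable series
#   1 = older than the fix (vulnerable)
#   2 = series not in the article's list; consult the distribution advisory
sack_fixed() {
    v=${1%%-*}                      # drop distro suffixes such as "-generic"
    maj=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && return 2  # bare "4" carries no series information
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0   # "5.1" with no patch component
    pat=${pat%%.*}                  # "4.19.52.1" -> 52
    case "$maj.$min" in
        4.4)  need=182 ;;
        4.9)  need=182 ;;
        4.14) need=127 ;;
        4.19) need=52 ;;
        5.1)  need=11 ;;
        *)    return 2 ;;
    esac
    [ "$pat" -ge "$need" ] 2>/dev/null
}

# workaround_ok TCP_SACK TCP_MTU_PROBING LOW_MSS_BLOCKED
#   0 when the article's workaround is effective: SACK disabled (tcp_sack=0),
#   or small-MSS connections blocked while tcp_mtu_probing is 0.
#   LOW_MSS_BLOCKED is an assumed flag (1 = a firewall rule drops such SYNs).
workaround_ok() {
    [ "$1" = 0 ] && return 0
    [ "$3" = 1 ] && [ "$2" = 0 ] && return 0
    return 1
}

# describe VERSION: one-line verdict for a version string
describe() {
    if sack_fixed "$1"; then echo "$1: fixed"
    elif [ $? -eq 2 ]; then echo "$1: series not listed, check distro advisory"
    else echo "$1: vulnerable, update or apply workaround"
    fi
}

# Demonstration on constructed version strings, then the running kernel.
for v in 4.19.50 4.19.52 4.14.127-generic 5.1.10 3.16.0; do describe "$v"; done
describe "$(uname -r)"

# Read the live sysctl values where /proc is available (defaults otherwise).
sack=$(cat /proc/sys/net/ipv4/tcp_sack 2>/dev/null || echo 1)
probing=$(cat /proc/sys/net/ipv4/tcp_mtu_probing 2>/dev/null || echo 0)
# 0 = no small-MSS firewall rule known (constructed assumption for the demo).
if workaround_ok "$sack" "$probing" 0; then
    echo "workaround in effect"
else
    echo "workaround not in effect"
fi
```

`describe` treats an unlisted series (for example 5.2 and later, or a vendor kernel numbered differently) as "check the advisory" rather than guessing, since the article only names the five stable branches above. The `tcp_mtu_probing` condition matters: with probing enabled, a host can renegotiate the MSS after the SYN, so a SYN-time MSS filter alone does not close the issue.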

    Source: opennet.ru
