Vulnerabilities in the Linux kernel exploitable over Bluetooth

A vulnerability (CVE-2022-42896) has been identified in the Linux kernel that can be used to achieve remote code execution at the kernel level by sending a specially crafted L2CAP packet over Bluetooth. In addition, a similar issue (CVE-2022-42895) was identified in the L2CAP handler, which can lead to leaking the contents of kernel memory in packets carrying configuration information. The first vulnerability has been present since August 2014 (kernel 3.16), and the second since October 2011 (kernel 3.0). The vulnerabilities were fixed in Linux kernel releases 6.1.0, 6.0.8, 4.9.333, 4.14.299, 4.19.265, 5.4.224, 5.10.154 and 5.15.78. You can follow the fixes in distributions on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

To demonstrate that a remote attack is possible, prototype exploits have been published that work on Ubuntu 22.04. To carry out an attack, the attacker must be within Bluetooth range; no prior pairing is required, but Bluetooth must be active on the computer. It is sufficient to know the MAC address of the victim's device, which can be determined by sniffing or, on some devices, computed from the Wi-Fi MAC address.

The first vulnerability (CVE-2022-42896) is caused by access to an already freed memory area (use-after-free) in the implementation of the l2cap_connect and l2cap_le_connect_req functions: after a channel is created via the new_connection callback, no lock is taken for it, but a timer is armed (__set_chan_timer); when the timeout expires, the l2cap_chan_timeout function is called and deletes the channel without checking whether work on the channel in the l2cap_le_connect_* functions has completed.

The default timeout is 40 seconds, and it was assumed that a race condition could not occur with such a delay, but it turned out that, because of another bug in the SMP handler, it is possible to trigger the timer immediately and win the race. The problem in l2cap_le_connect_req can lead to a kernel memory leak, and in l2cap_connect it can lead to overwriting memory contents and executing attacker-supplied code. The first type of attack can be carried out using Bluetooth LE 4.0 (since 2009), the second using Bluetooth BR/EDR 5.2 (since 2020).
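To make the lifetime race above concrete, here is an added, stand-alone C model (not kernel code) of a timer callback tearing down a channel while the connect handler is still using it, next to the reference-counted variant in which the timer only drops its own reference; the struct and helper names are assumptions that merely mirror the kernel's hold/put naming.

```c
#include <stdbool.h>

/* Simulated channel object. Instead of real malloc/free we keep an
 * "alive" flag so a stale access can be detected instead of crashing. */
struct chan {
    int  refcnt;
    bool alive;
    int  state;
};

static void chan_alloc(struct chan *c) { c->refcnt = 1; c->alive = true; c->state = 0; }
static void chan_hold(struct chan *c)  { c->refcnt++; }
/* Release the object only when the last reference is dropped. */
static void chan_put(struct chan *c)   { if (--c->refcnt == 0) c->alive = false; }

/* Timer callback as in the vulnerable flow: it tears the channel down
 * without knowing whether the connect handler is still working on it. */
static void timeout_unconditional(struct chan *c) { c->alive = false; }

/* Timer callback that owns one reference and only gives that one back. */
static void timeout_refcounted(struct chan *c) { chan_put(c); }

/* Models the connect handler: create the channel, arm the timer, then keep
 * working on the channel. The timer is fired immediately, standing in for
 * the SMP bug that defeats the 40-second delay. Returns true when the
 * handler touched an object that had already been released (the UAF). */
static bool connect_handler(struct chan *c, bool refcounted)
{
    chan_alloc(c);                       /* handler's own reference */
    if (refcounted)
        chan_hold(c);                    /* reference owned by the timer */

    if (refcounted)
        timeout_refcounted(c);           /* timer expires before we are done */
    else
        timeout_unconditional(c);

    if (!c->alive)                       /* this is the use-after-free access */
        return true;
    c->state = 1;                        /* finish setting up the channel */
    chan_put(c);                         /* handler done; last put frees it */
    return false;
}
```

With `refcounted` set, the object is released exactly once, after the handler has finished, regardless of when the timer fires.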

The second vulnerability (CVE-2022-42895) is caused by a leak of uninitialized memory in the l2cap_parse_conf_req function, which can be used to remotely obtain information about pointers to kernel structures by sending specially crafted configuration requests. The l2cap_parse_conf_req function used the l2cap_conf_efs structure, whose allocated memory was not initialized beforehand, and by manipulating the FLAG_EFS_ENABLE flag it is possible to include stale data from the stack in the packet. The problem only appears on systems where the kernel was built with the CONFIG_BT_HS option (disabled by default, but enabled in some distributions, such as Ubuntu). A successful attack also requires the HCI_HS_ENABLED parameter to be set to true via the management interface (not used by default).

source: budenet.ru
