Linux kernel vulnerabilities exploitable remotely over Bluetooth

A vulnerability (CVE-2022-42896) has been identified in the Linux kernel that can be used to achieve remote code execution at kernel level by sending a specially crafted L2CAP packet over Bluetooth. A second issue (CVE-2022-42895) was found in the same L2CAP handler; it leaks the contents of kernel memory into configuration-response packets. The first vulnerability has been present since August 2014 (kernel 3.16), the second since October 2011 (kernel 3.0). Both are fixed in Linux kernel releases 6.1.0, 6.0.8, 4.9.333, 4.14.299, 4.19.265, 5.4.224, 5.10.154 and 5.15.78. The status of the fixes in distributions can be tracked on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

To demonstrate that the attack works remotely, proof-of-concept exploits that run against Ubuntu 22.04 have been published. The attacker must be within Bluetooth range of the target; no prior pairing is needed, but Bluetooth must be enabled on the victim machine. The attack also requires the Bluetooth MAC address of the victim device, which can be learned by sniffing or, on some devices, derived from the Wi-Fi MAC address.

The first vulnerability (CVE-2022-42896) is a use-after-free in the implementations of l2cap_connect and l2cap_le_connect_req. After a channel is created through the new_connection callback, no lock is taken on it, but a timer is armed (__set_chan_timer). When that timer expires, l2cap_chan_timeout runs and frees the channel without checking whether the l2cap_le_connect* functions have finished working with it.

The default timeout is 40 seconds, and it was assumed that a race with such a long delay could not be hit in practice. It turned out, however, that another bug in the SMP handler makes it possible to trigger the timer callback immediately and so win the race reliably. In l2cap_le_connect_req the problem leads to a kernel memory leak; in l2cap_connect it can overwrite memory contents and lead to code execution. The first form of the attack can be carried out over Bluetooth LE 4.0 (available since 2009), the second over Bluetooth BR/EDR 5.2 (since 2020).
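The race described above, as an added userspace model rather than kernel code (names such as chan_hold, chan_put, set_chan_timer and chan_timeout mirror the kernel's l2cap_chan_hold/l2cap_chan_put/__set_chan_timer/l2cap_chan_timeout but the bodies are reduced to the reference-count and lock bookkeeping; the "timer fires immediately" switch stands in for the SMP bug the text mentions). Instead of calling free(), a freed channel is only flagged, so an access after the free can be counted rather than crashing the process. The hardened variant holds its own reference and the channel lock for the duration of the work; that is a generic fix for this pattern and is not claimed to be the upstream patch.

```c
/* Added example: model of the timer race behind CVE-2022-42896 (not kernel code).
 * Build: cc -std=c11 -Wall -o chan_race chan_race.c
 */
#include <stdio.h>
#include <stdlib.h>

enum chan_state { BT_CONNECT = 1, BT_CONNECTED, BT_CLOSED };

struct chan {
    int refcnt;          /* chan_hold / chan_put, as l2cap_chan_hold / l2cap_chan_put */
    int state;
    int locked;          /* models l2cap_chan_lock being held */
    int timeout_pending; /* timer work that had to wait for the lock */
    int freed;           /* set instead of free() so misuse can be counted */
};

static int uaf_events;   /* accesses to a channel that was already "freed" */

static struct chan *chan_alloc(void)
{
    struct chan *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcnt = 1;       /* the owner's reference (socket / connection list) */
    c->state = BT_CONNECT;
    return c;
}

static void chan_hold(struct chan *c) { c->refcnt++; }

static void chan_put(struct chan *c)
{
    if (--c->refcnt == 0)
        c->freed = 1;    /* kernel: the channel memory is released here */
}

/* Every state change goes through this check so a use-after-free is visible. */
static int chan_set_state(struct chan *c, int st)
{
    if (c->freed) { uaf_events++; return -1; }
    c->state = st;
    return 0;
}

/* What the timeout handler does once the timer fires: close the channel, drop the
 * owner's reference, then the reference the pending timer itself held. */
static void chan_timeout(struct chan *c)
{
    if (c->locked) { c->timeout_pending = 1; return; } /* would block on the lock */
    chan_set_state(c, BT_CLOSED);
    chan_put(c);         /* owner's reference goes away with the close */
    chan_put(c);         /* the timer's own reference */
}

static void chan_lock(struct chan *c) { c->locked = 1; }

static void chan_unlock(struct chan *c)
{
    c->locked = 0;
    if (c->timeout_pending) { c->timeout_pending = 0; chan_timeout(c); }
}

/* __set_chan_timer: pending work owns a reference. fires_immediately models the
 * SMP bug that lets the 40-second timer expire at once. */
static void set_chan_timer(struct chan *c, int fires_immediately)
{
    chan_hold(c);
    if (fires_immediately) chan_timeout(c);
}

/* Vulnerable shape: arm the timer, then keep using the channel with no hold or
 * lock of our own. Returns the number of use-after-free accesses (0 or 1). */
int connect_vulnerable(int timer_fires_immediately)
{
    uaf_events = 0;
    struct chan *c = chan_alloc();
    set_chan_timer(c, timer_fires_immediately);
    chan_set_state(c, BT_CONNECTED);  /* UAF if the timeout already ran */
    int rc = uaf_events;
    free(c);                          /* memory was only flagged, release it for real */
    return rc;
}

/* Hardened shape: take a reference and the lock first, so the timeout can neither
 * free the channel nor close it underneath us until we are done. */
int connect_hardened(int timer_fires_immediately)
{
    uaf_events = 0;
    struct chan *c = chan_alloc();
    chan_hold(c);                     /* our reference for the duration of the work */
    chan_lock(c);                     /* timeout handler must wait for this */
    set_chan_timer(c, timer_fires_immediately);
    chan_set_state(c, BT_CONNECTED);
    chan_unlock(c);                   /* a deferred timeout runs now, under its own refs */
    chan_put(c);                      /* drop our reference; free happens only after use */
    int rc = uaf_events;
    free(c);
    return rc;
}

int main(void)
{
    printf("vulnerable, timer fires at once: %d UAF\n", connect_vulnerable(1));
    printf("hardened,   timer fires at once: %d UAF\n", connect_hardened(1));
    return 0;
}
```

The detail worth noticing is where the reference counts end up: in the vulnerable path the timeout's two chan_put calls take the count to zero while the connect handler still holds a raw pointer, which is exactly the situation the SMP bug makes reachable within the 40-second window.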

The second vulnerability (CVE-2022-42895) is a leak of uninitialized stack memory in l2cap_parse_conf_req, which an attacker can use remotely to learn pointers to kernel structures by sending specially crafted configuration requests. The function works with a struct l2cap_conf_efs that lives on the stack and is not initialized before use; by manipulating the FLAG_EFS_ENABLE flag, stale stack contents could be copied into the response packet. The problem only manifests on kernels built with CONFIG_BT_HS (off by default, but enabled in some distributions such as Ubuntu; on distribution kernels the setting can be checked in /boot/config-$(uname -r)). A successful attack additionally requires that the HCI_HS_ENABLED parameter be set to true through the management interface (not enabled by default).
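The leak mechanism above, as an added userspace model (not the kernel's code): the TLV walk, the struct l2cap_conf_efs on the stack and the FLAG_EFS_ENABLE check are reduced to what matters, and the option type values L2CAP_CONF_MTU = 0x01 and L2CAP_CONF_EFS = 0x06 are those used by the kernel's L2CAP header. Because real uninitialized stack contents are not reproducible, the struct is filled with a constructed 0x41 pattern to stand in for stale data. The hardened branch only copies efs into the response when an EFS option was actually received (remote_efs), which is the condition the vulnerable code lacked.

```c
/* Added example: model of the l2cap_parse_conf_req leak (CVE-2022-42895).
 * Build: cc -std=c11 -Wall -o efs_leak efs_leak.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_CONF_MTU 0x01
#define L2CAP_CONF_EFS 0x06

/* Wire layout of the 16-byte EFS option. */
struct l2cap_conf_efs {
    uint8_t  id;
    uint8_t  stype;
    uint16_t msdu;
    uint32_t sdu_itime;
    uint32_t acc_lat;
    uint32_t flush_to;
} __attribute__((packed));

/* Constructed stand-in for "whatever was left on the stack". */
#define STALE_BYTE 0x41

static void fill_stale(struct l2cap_conf_efs *efs)
{
    memset(efs, STALE_BYTE, sizeof *efs);
}

/* Append one TLV option to the response; returns bytes written (0 if no room). */
static size_t add_conf_opt(uint8_t *out, size_t cap, uint8_t type,
                           const void *val, uint8_t len)
{
    if (cap < (size_t)len + 2) return 0;
    out[0] = type;
    out[1] = len;
    memcpy(out + 2, val, len);
    return (size_t)len + 2;
}

/* Walk the options of a configuration request and build the response.
 * flag_efs_enable models test_bit(FLAG_EFS_ENABLE, &chan->flags); hardened=1
 * adds the missing "only if we actually received one" check. Returns the
 * response length. */
size_t parse_conf_req(const uint8_t *req, size_t len, int flag_efs_enable,
                      int hardened, uint8_t *rsp, size_t cap)
{
    struct l2cap_conf_efs efs;    /* uninitialized in the kernel; stale here */
    int remote_efs = 0;
    size_t pos = 0, out = 0;

    fill_stale(&efs);

    while (pos + 2 <= len) {
        uint8_t type = req[pos], olen = req[pos + 1];
        const uint8_t *val = req + pos + 2;
        if (pos + 2 + olen > len) break;   /* truncated option: stop parsing */
        pos += 2 + olen;
        if (type == L2CAP_CONF_EFS && olen == sizeof efs) {
            remote_efs = 1;
            memcpy(&efs, val, olen);       /* the only place efs gets written */
        }
        /* other options (MTU, ...) are ignored in this model */
    }

    /* Vulnerable: efs is echoed whenever the flag is set, even if no EFS option
     * arrived, so the stale bytes leave the kernel inside the packet. */
    if (flag_efs_enable && (!hardened || remote_efs))
        out += add_conf_opt(rsp + out, cap - out, L2CAP_CONF_EFS, &efs, sizeof efs);

    return out;
}

/* How many response bytes carry the stale pattern, i.e. reached the wire
 * without ever being initialized. */
size_t count_leaked(const uint8_t *rsp, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (rsp[i] == STALE_BYTE) n++;
    return n;
}

/* Run one of two constructed requests (MTU only, or MTU followed by an
 * all-zero EFS option) and report response length and stale byte count. */
size_t demo(int with_efs, int flag_efs_enable, int hardened, size_t *stale_out)
{
    static const uint8_t mtu_only[] = { L2CAP_CONF_MTU, 2, 0xF7, 0x02 };
    static const uint8_t mtu_and_efs[] = { L2CAP_CONF_MTU, 2, 0xF7, 0x02,
        L2CAP_CONF_EFS, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
    uint8_t rsp[64];
    size_t n = with_efs
        ? parse_conf_req(mtu_and_efs, sizeof mtu_and_efs, flag_efs_enable, hardened, rsp, sizeof rsp)
        : parse_conf_req(mtu_only, sizeof mtu_only, flag_efs_enable, hardened, rsp, sizeof rsp);
    if (stale_out) *stale_out = count_leaked(rsp, n);
    return n;
}

size_t demo_stale(int with_efs, int flag_efs_enable, int hardened)
{
    size_t stale = 0;
    demo(with_efs, flag_efs_enable, hardened, &stale);
    return stale;
}

int main(void)
{
    printf("no EFS option, vulnerable: %zu stale bytes on the wire\n", demo_stale(0, 1, 0));
    printf("no EFS option, hardened:   %zu stale bytes on the wire\n", demo_stale(0, 1, 1));
    return 0;
}
```

Note that the attacker never has to send an EFS option at all: the request that leaks is the one that omits it, because that is the case in which efs is still untouched when it is copied out. With CONFIG_BT_HS disabled the FLAG_EFS_ENABLE path is not reachable, which is why the issue is confined to kernels built with that option.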

Source: budenet.ru
