Root vulnerability in the Snap package management toolkit

Qualys has identified the third dangerous vulnerability this year (CVE-2022-3328) in the snap-confine utility, which ships with the SUID root flag and is called by the snapd process to build the execution environment for applications distributed as self-contained packages in the snap format. The vulnerability allows a local unprivileged user to achieve code execution as root in the default Ubuntu configuration. The issue is fixed in the snapd 2.57.6 release. Package updates have been released for all supported branches of Ubuntu.

Interestingly, the vulnerability in question was introduced while fixing a similar February vulnerability in snap-confine. The researchers were able to prepare a working exploit that provides root access on Ubuntu Server 22.04 and which, in addition to the vulnerability in snap-confine, also involves two vulnerabilities in the multipathd process (CVE-2022-41974, CVE-2022-41973), related to bypassing the authorization check when passing privileged commands and to unsafe handling of symbolic links.

The vulnerability in snap-confine is caused by a race condition in the must_mkdir_and_open_with_perms() function, which was added to protect against replacement of the /tmp/snap.$SNAP_NAME directory with a symbolic link after the owner check but before the mount system call is invoked to bind-mount directories into it for a package in the snap format. The added protection consisted of renaming the /tmp/snap.$SNAP_NAME directory to another directory in /tmp with a random name if it exists and is not owned by root.

When exploiting the /tmp/snap.$SNAP_NAME directory rename operation, the researchers took advantage of the fact that snap-confine also creates a /tmp/snap.rootfs_XXXXXX directory for the root of the snap package contents. The "XXXXXX" part of the name is chosen randomly by mkdtemp(), but a package named "rootfs_XXXXXX" can pass validation in the sc_instance_name_validate function (i.e. the idea is that $SNAP_NAME is set to "rootfs_XXXXXX", and the rename operation then results in overwriting the /tmp/snap.rootfs_XXXXXX directory that holds the snap root).

To achieve simultaneous use of /tmp/snap.rootfs_XXXXXX and renaming of /tmp/snap.$SNAP_NAME, two instances of snap-confine were started. As soon as the first instance created /tmp/snap.rootfs_XXXXXX, the process was blocked and a second instance was started with the package name rootfs_XXXXXX, causing the second instance's temporary directory /tmp/snap.$SNAP_NAME to become the root directory /tmp/snap.rootfs_XXXXXX of the first. Immediately after the rename completed, the second instance crashed, and /tmp/snap.rootfs_XXXXXX was replaced using race condition manipulation, as when exploiting the February vulnerability. After the replacement, the execution block was removed from the first instance and the attackers gained full control over the snap root directory.

The final step was to create a symlink /tmp/snap.rootfs_XXXXXX/tmp, which was used by the sc_bootstrap_mount_namespace() function to bind-mount the writable real /tmp directory onto any directory in the file system, since the mount() call follows symlinks before mounting. Such mounting is blocked by AppArmor restrictions, but to bypass this block the exploit used two auxiliary vulnerabilities in multipathd.
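The flaw class described above is an owner check on a path followed by a mount on the same path, with mount() following symlinks in between. As an added illustration (not snapd's code and not the fix shipped in 2.57.6), this C example pins a directory by file descriptor before checking it; the names open_owned_dir, pinned_path and demo are hypothetical, and passing the /proc/self/fd path to a later mount is an assumption about how a caller would use it.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an fd pinned to the checked inode, or -1 with errno set. */
int open_owned_dir(int parent_fd, const char *name, uid_t want_uid) {
    if (strchr(name, '/')) { errno = EINVAL; return -1; } /* single component only */
    /* O_NOFOLLOW|O_DIRECTORY: a symlink planted at `name` makes openat() fail. */
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    /* fstat() checks the inode we hold, not whatever the path names by now. */
    if (fstat(fd, &st) != 0 || st.st_uid != want_uid || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Assumption: a caller mounts via this path so a later rename or swap of the name is irrelevant. */
int pinned_path(int fd, char *buf, size_t len) {
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Constructed scenario: a real directory is accepted, a symlink to it and a wrong owner are refused. */
int demo(void) {
    char base[] = "/tmp/owned-dir-demo.XXXXXX";
    if (!mkdtemp(base)) return -1;
    int parent = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (parent < 0) return -1;
    mkdirat(parent, "real", 0700);
    symlinkat("real", parent, "link");
    int ok = open_owned_dir(parent, "real", geteuid());
    int via_link = open_owned_dir(parent, "link", geteuid());
    int wrong_uid = open_owned_dir(parent, "real", geteuid() + 1);
    int pass = ok >= 0 && via_link < 0 && wrong_uid < 0;
    if (ok >= 0) close(ok);
    unlinkat(parent, "link", 0); unlinkat(parent, "real", AT_REMOVEDIR);
    close(parent); rmdir(base);
    return pass;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```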

Source: opennet.ru
