Exploitable vulnerabilities in nf_tables, watch_queue and IPsec identified in the Linux kernel

Several dangerous vulnerabilities have been identified in the Linux kernel that allow a local user to elevate their privileges on the system. Working exploit prototypes have been prepared for all of the issues under consideration.

  • A vulnerability (CVE-2022-0995) in the watch_queue event tracking subsystem allows data to be written outside the bounds of a buffer in kernel memory. The attack can be carried out by any unprivileged user and results in their code running with kernel privileges. The vulnerability is present in the watch_queue_set_size() function and is associated with an attempt to clear all pointers in a list, even those for which memory was not allocated. The problem manifests itself when the kernel is built with the "CONFIG_WATCH_QUEUE=y" option, which is used in most Linux distributions.

    The vulnerability was fixed in a kernel change added on March 11. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. An exploit prototype is already publicly available and allows gaining root access when run on Ubuntu 21.10 with kernel 5.13.0-37.

  • A vulnerability (CVE-2022-27666) in the esp4 and esp6 kernel modules, which implement the ESP (Encapsulating Security Payload) transformations for IPsec used with IPv4 and IPv6. The vulnerability allows a local user with normal privileges to overwrite objects in kernel memory and elevate their privileges on the system. The problem is caused by a mismatch between the size of the allocated memory and the data actually received, given that the maximum message size could exceed the maximum memory size allocated for the skb_page_frag_refill structure.

    The vulnerability was fixed in the kernel on March 7 (fixed in 5.17, 5.16.15, etc.). You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. A working prototype of the exploit, which allows an ordinary user to gain root access on Ubuntu Desktop 21.10 in the default configuration, has already been published on GitHub. It is claimed that with minor changes the exploit will also work on Fedora and Debian. It is noteworthy that the exploit was originally prepared for the pwn2own 2022 competition, but the kernel developers identified and fixed the bug associated with it, so it was decided to disclose the details of the vulnerability.

  • Two vulnerabilities (CVE-2022-1015, CVE-2022-1016) in the netfilter subsystem, in the nf_tables module that provides the operation of the nftables packet filter. The first issue allows a local unprivileged user to achieve an out-of-bounds write to a buffer allocated on the stack. The overflow occurs when processing nftables expressions that are formed in a certain way and are handled during the validation of indexes specified by a user who has access to nftables rules.

    The vulnerability is caused by the fact that the developers assumed that the value of "enum nft_registers reg" is one byte, whereas when certain optimizations are enabled the compiler, according to the C89 specification, can use a 32-bit value for it. Because of this feature, the size used when checking and allocating memory does not correspond to the actual size of the data in the structure, which leads to the tail of the structure overlapping with pointers on the stack.

    The problem can be exploited to execute code at the kernel level, but a successful attack requires access to nftables, which can be obtained in a separate network namespace with CLONE_NEWUSER or CLONE_NEWNET rights (for example, if you can run an isolated container). The vulnerability is also closely tied to the optimizations applied by the compiler, which, for example, are enabled when building in "CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y" mode. Exploitation of the vulnerability is possible starting with Linux kernel 5.12.

    The second vulnerability in netfilter is caused by access to an already freed memory area (use-after-free) in the nft_do_chain handler and can lead to a leak of uninitialized areas of kernel memory, which can be read through manipulations with nftables expressions and used, for example, to determine pointer addresses when developing exploits for other vulnerabilities. Exploitation of the vulnerability is possible starting with Linux kernel 5.13.

    The vulnerabilities are fixed in today's kernel patch releases 5.17.1, 5.16.18, 5.15.32, 5.10.109, 5.4.188, 4.19.237, 4.14.274, and 4.9.309. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. The researcher who identified the problems announced the preparation of working exploits for both vulnerabilities, which are planned to be published in a few days, after distributions release updates to their kernel packages.
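
A host-side check for the nf_tables fix levels and the user-namespace precondition described above, as an added example that is not part of the original article. The function names, status strings and the rule that treats an `x.y.0-suffix` release as a vendor ABI string are assumptions of this example; the version table is the list of fixed releases given in the text.

```python
import platform
import re
from pathlib import Path

# First fixed stable release per branch for CVE-2022-1015/1016 (from the article).
FIXED_PATCHLEVEL = {
    (5, 17): 1, (5, 16): 18, (5, 15): 32, (5, 10): 109,
    (5, 4): 188, (4, 19): 237, (4, 14): 274, (4, 9): 309,
}

def parse_release(release):
    """Split a `uname -r` string into (major, minor, patch, suffix)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0), m[4]

def nf_tables_fix_status(release):
    """Classify a kernel release against the fixed stable releases above."""
    major, minor, patch, suffix = parse_release(release)
    branch = (major, minor)
    if branch > max(FIXED_PATCHLEVEL):
        return "fixed"  # assumption: branches after 5.17 were cut with the fix in
    if branch not in FIXED_PATCHLEVEL or (patch == 0 and suffix):
        # Unlisted branch, or vendor ABI numbering such as 5.13.0-37: distributions
        # backport fixes, so the version string alone cannot answer.
        return "check-vendor-advisory"
    return "fixed" if patch >= FIXED_PATCHLEVEL[branch] else "needs-update"

def unprivileged_userns_enabled(max_user_namespaces, unprivileged_userns_clone=None):
    """True if unprivileged users can create user namespaces (path to nftables)."""
    if int(max_user_namespaces) == 0:
        return False
    # kernel.unprivileged_userns_clone exists only on Debian/Ubuntu-patched kernels.
    return unprivileged_userns_clone is None or int(unprivileged_userns_clone) != 0

def read_sysctl(path):
    p = Path(path)
    return p.read_text().strip() if p.exists() else None

if __name__ == "__main__":
    rel = platform.release()
    print(rel, nf_tables_fix_status(rel))
    max_ns = read_sysctl("/proc/sys/user/max_user_namespaces")
    clone = read_sysctl("/proc/sys/kernel/unprivileged_userns_clone")
    if max_ns is not None:
        print("unprivileged userns:", unprivileged_userns_enabled(max_ns, clone))
```

A "check-vendor-advisory" result means the distribution's security tracker, not the version string, is the authority for that kernel.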

Source: opennet.ru
