Achọpụtala ihe ọghọm (CVE-2021-4122) na ngwungwu Cryptsetup, nke eji ezobe akụkụ diski dị na Linux, nke na-enye ohere ka enwere nkwarụ izo ya ezo na akụkụ dị na usoro LUKS2 (Linux Unified Key Setup) site na imegharị metadata. Iji jiri adịghị ike ahụ eme ihe, onye mwakpo ahụ ga-enwerịrị ike ịnweta mgbasa ozi ezoro ezo, ya bụ. Usoro a nwere ezi uche tumadi maka ịwakpo ngwaọrụ nchekwa mpụga ezoro ezo, dị ka draịva Flash, nke onye mwakpo ahụ nwere ohere mana ọ maghị okwuntughe iji mebie data ahụ.
Mwakpo a na-adabara naanị maka usoro LUKS2 ma jikọta ya na njikwa metadata na-ahụ maka ịgbalite ndọtị nke "online reencryption", nke na-enye ohere, ma ọ bụrụ na ọ dị mkpa ịgbanwe igodo ohere, ịmalite usoro nke reencryption data na ofufe. na-akwụsịghị ọrụ na nkebi. Ebe ọ bụ na usoro nke decryption na izo ya ezo na igodo ọhụrụ na-ewe oge buru ibu, "njikwa ntanetị" na-eme ka o kwe omume ịghara ịkwụsị ọrụ na nkebi ahụ ma mee ntinyeghachi n'azụ azụ, jiri nwayọọ nwayọọ na-ezoghachi data site n'otu igodo gaa na nke ọzọ. . Ọ dịkwa ike ịhọrọ igodo ebumnuche efu, nke na-enye gị ohere ịmegharị ngalaba ahụ ka ọ bụrụ ụdị decrypted.
Onye na-awakpo nwere ike ime mgbanwe na LUKS2 metadata nke na-eme ka nkwụsị nke ọrụ decryption n'ihi ọdịda wee nweta decryption nke akụkụ nke akụkụ ahụ mgbe ọ gbalitechara na iji ụgbọala gbanwetụrụ site n'aka onye nwe ya. N'okwu a, onye ọrụ jikọtara draịva gbanwetụrụ wee jiri paswọọdụ ziri ezi kpọghee ya anaghị enweta ịdọ aka ná ntị ọ bụla gbasara usoro iweghachi ọrụ reencryption kwụsịrị ma nwee ike ịchọpụta naanị ọganihu nke ọrụ a site na iji "luks Dump" iwu. Ọnụ ego data onye mwakpo nwere ike decrypt dabere na nha nke nkụnye eji isi mee LUKS2, mana na nha ndabara (16 MiB) ọ nwere ike gafere 3 GB.
Ihe kpatara nsogbu a bụ na n'agbanyeghị na ntinyegharị ọzọ chọrọ ịgbakọ na nyochaa hashes nke igodo ọhụrụ na nke ochie, ọ dịghị mkpa ka hash malite ikpughe ma ọ bụrụ na steeti ọhụrụ ahụ na-egosi enweghị igodo ederede maka izo ya ezo. Na mgbakwunye, metadata LUKS2, nke na-akọwapụta algọridim nzuzo, anaghị echebe site na mgbanwe ma ọ bụrụ na ọ dabara n'aka onye mwakpo. Iji gbochie adịghị ike ahụ, ndị mmepe gbakwunyere nchebe ọzọ maka metadata na LUKS2, nke a na-enyocha hash ọzọ ugbu a, gbakọọ dabere na igodo ama ama na ọdịnaya metadata, ya bụ. onye na-awakpo enweghị ike ịgbanwe metadata n'ezoghị ọnụ na-amaghị okwuntughe decryption.
Ihe omume mwakpo a na-ahụkarị na-achọ ka onye mwakpo ahụ nwee ike ị nweta aka ha na draịva ọtụtụ oge. Nke mbụ, onye na-awakpo nke na-amaghị okwuntughe ohere na-eme mgbanwe na mpaghara metadata, na-akpalite decryption nke akụkụ nke data oge ọzọ na-arụ ọrụ ụgbọala. A na-eweghachi draịva ahụ n'ebe ya na onye mwakpo ahụ chere ruo mgbe onye ọrụ jikọtara ya site na itinye paswọọdụ. Mgbe onye ọrụ na-eme ka ngwaọrụ ahụ rụọ ọrụ, a na-amalite usoro ngbanwe ndabere ndabere, n'oge nke a na-eji data decrypted dochie akụkụ nke data ezoro ezo. Ọzọkwa, ọ bụrụ na onye mwakpo ahụ jisie ike nweta aka ya na ngwaọrụ ahụ ọzọ, ụfọdụ data dị na draịva ahụ ga-adị n'ụdị decrypted.
Achọpụtara nsogbu ahụ site na onye na-elekọta ọrụ cryptsetup ma dozie ya na cryptsetup 2.4.3 na 2.3.7 mmelite. Enwere ike ịchọta ọkwa nke mmelite a na-emepụta iji dozie nsogbu ahụ na nkesa na ibe ndị a: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch. Ọdịmma ahụ na-apụta naanị kemgbe ntọhapụ nke cryptsetup 2.2.0, bụ nke webatara nkwado maka ọrụ “njikwa ịntanetị”. Dị ka ebe nchekwa maka nchekwa, enwere ike iji nhọrọ "--disable-luks2-reencryption" malite.
isi: opennet.ru