Netfilter, subsystem nke Linux kernel eji enyocha ma gbanwee ngwugwu netwọkụ, nwere adịghị ike (CVE-2022-25636) nke na-enye ohere igbu koodu na ọkwa kernel. A mara ọkwa na akwadola ihe atụ nke nrigbu nke na-enye ndị ọrụ mpaghara ohere ibuli ikike ha na Ubuntu 21.10 site na iji usoro nchekwa KASLR nwere nkwarụ. Nsogbu a na-egosi malite na kernel 5.4. Ndozi ahụ ka dị ka patch (ewepụtabeghị kernel na-edozizi). Ị nwere ike iso mbipụta nke mmelite ngwugwu na nkesa na ibe ndị a: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.
A na-akpata adịghị ike ahụ site na njehie na ịgbakọ nha nke eruba->rule-> action.entries array na nft_fwd_dup_netdev_offload ọrụ (akọwapụtara na faịlụ net/netfilter/nf_dup_netdev.c), nke nwere ike iduga na-achịkwa data nke onye na-awakpo. edere ya na mpaghara ebe nchekwa gafere oke nke ihe nchekwa ekenyela. Njehie ahụ na-apụta mgbe ị na-ahazi iwu "dup" na "fwd" n'agbụ nke ejiri ngwa ngwa nhazi ngwugwu (offload) mee ihe. Ebe ọ bụ na njupụta ahụ na-eme tupu ịmepụta iwu nzacha ngwugwu na ịlele nkwado nbudata, adịghị ike ahụ metụtakwara ngwaọrụ netwọkụ na-akwadoghị ngwangwa ngwaike, dị ka interface loopback.
A na-achọpụta na nsogbu ahụ dị nnọọ mfe iji, ebe ọ bụ na ụkpụrụ ndị na-agafe ihe nchekwa ahụ nwere ike idegharị pointer na usoro net_device, na data gbasara uru edere na-eweghachite na ohere onye ọrụ, nke na-enye gị ohere ịchọpụta adreesị. na ebe nchekwa dị mkpa iji mee ọgụ. Iji ihe adịghị ike na-achọ ka e mepụta ụfọdụ iwu na nftables, nke ga-ekwe omume naanị na ikike CAP_NET_ADMIN, nke onye ọrụ na-enweghị ohere nwere ike nweta na oghere aha netwọk dị iche. Enwere ike iji adịghị ike ahụ buso sistemụ kewapụrụ akpa ọgụ.
isi: opennet.ru