Vulnerability in cryptsetup that allows encryption to be disabled on LUKS2 partitions

A vulnerability (CVE-2021-4122) has been identified in the cryptsetup package, which is used to encrypt disk partitions on Linux, that allows encryption to be disabled on LUKS2 (Linux Unified Key Setup) partitions by modifying their metadata. To exploit it, the attacker needs physical access to the encrypted media, so the method is mainly relevant for attacks on external storage devices, such as flash drives, that the attacker can get hold of but for which they do not know the passphrase needed to decrypt the data.

The attack applies only to the LUKS2 format and relies on manipulating the metadata that drives the "online reencryption" extension. This extension allows the process of re-encrypting the data to be started on the fly when the access key needs to be changed, without taking the partition out of use. Because decrypting and re-encrypting with a new key takes a long time, "online reencryption" makes it possible to keep working with the partition and perform the re-encryption in the background, gradually re-encrypting the data from one key to the other. It is also possible to select an empty target key, which lets the partition be converted to unencrypted form.

An attacker can alter the LUKS2 metadata so that it mimics a decryption operation that was aborted because of a failure, and thereby cause part of the partition to be decrypted after the owner unlocks and uses the modified drive. A user who plugs in the modified drive and unlocks it with the correct passphrase receives no warning that an interrupted reencryption operation is being resumed, and can only find out how far that operation has progressed with the "luksDump" command. The amount of data the attacker can cause to be decrypted depends on the size of the LUKS2 header, but with the default size (16 MiB) it can exceed 3 GB.

The problem arises because, although reencryption requires computing and verifying hashes of the new and old keys, no hash is required to start decryption if the new state implies that there is no key for encryption. In addition, the LUKS2 metadata, which specifies the encryption algorithm, is not protected against modification if it falls into an attacker's hands. To block the vulnerability, the developers added extra protection for LUKS2 metadata: an additional hash, computed from the known keys and the contents of the metadata, is now verified, so an attacker can no longer silently change the metadata without knowing the passphrase.

A typical attack scenario requires the attacker to get their hands on the drive several times. First, an attacker who does not know the access passphrase modifies the metadata area, which causes part of the data to be decrypted the next time the partition is unlocked. The drive is then returned to its place, and the attacker waits for the user to connect it and enter the passphrase. Once the device is unlocked by the user, the background reencryption process starts, during which part of the encrypted data is replaced with decrypted data. If the attacker then manages to get their hands on the device again, some of the data on the drive will be in unencrypted form.
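Since the only signal the article mentions is the "luksDump" output, the following shell check, an added example that is not from the cryptsetup project or the original article, scans that output for a pending "reencrypt" keyslot before a drive is unlocked. It assumes the luksDump text layout shown in the constructed samples (keyslot entries "N: type" followed by indented "Mode:" fields and an "online-reencrypt" requirement flag); the sample headers are constructed, not captured from a real device.

```shell
# check_luks_dump: read `cryptsetup luksDump` text on stdin and flag any
# LUKS2 keyslot of type "reencrypt", reporting its Mode (decrypt/encrypt/
# reencrypt). Returns 1 when a pending operation is found, 0 when clean.
# Assumed luksDump layout: keyslot entries "  N: <type>" followed by
# indented "Key:"/"Mode:"/"Direction:" fields (see constructed samples).
check_luks_dump() {
    awk '
        /online-reencrypt/ {
            print "WARNING: header carries an online-reencrypt requirement"; found = 1
        }
        /^ *[0-9]+: reencrypt/ { slot = $1; sub(":", "", slot); in_reenc = 1; next }
        /^ *[0-9]+: /          { in_reenc = 0 }
        in_reenc && /^[ \t]+Mode:/ {
            print "WARNING: keyslot " slot " is a reencrypt slot, mode=" $2
            if ($2 == "decrypt")
                print "  -> the next successful unlock will DECRYPT data in place"
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: a healthy LUKS2 header with only a regular luks2 keyslot.
CLEAN_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
EOF
)

# Constructed sample: the same header after its metadata was altered to look
# like an interrupted decryption (the CVE-2021-4122 scenario described above).
TAMPERED_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Requirements:   online-reencrypt-v2
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
  2: reencrypt (unbound)
        Key:        8 bits
        Mode:       decrypt
        Direction:  forward
EOF
)

# Real usage on a device (not run here): cryptsetup luksDump /dev/sdX | check_luks_dump
printf '%s\n' "$TAMPERED_DUMP" | check_luks_dump || echo "pending reencryption found, do not unlock"
```

The check only reads the header; it does not open the device, so it can be run on an untrusted removable drive before the passphrase is ever entered.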

The problem was identified by the maintainer of the cryptsetup project and fixed in the cryptsetup 2.4.3 and 2.3.7 updates. The status of the updates being prepared to fix the problem in distributions can be tracked on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch. The vulnerability has been present since the release of cryptsetup 2.2.0, which introduced support for "online reencryption". As a workaround, running with the "--disable-luks2-reencryption" option can be used.

Source: opennet.ru
