BusyBox package security audit reveals 14 minor vulnerabilities

Researchers from Claroty and JFrog have published the results of a security audit of the BusyBox package, which is widely used in embedded devices and provides a set of standard UNIX utilities packaged as a single executable file. The audit identified 14 vulnerabilities, which have already been fixed in the August release of BusyBox 1.34. Almost all of the issues are harmless and of doubtful use in real attacks, because they require running the utilities with arguments received from outside.

The exception is CVE-2021-42374, which allows a denial of service when a specially crafted compressed file is processed with unlzma and, when BusyBox is built with the CONFIG_FEATURE_SEAMLESS_LZMA option, also with other BusyBox components, including tar, unzip, rpm, dpkg, lzma and man.

Vulnerabilities CVE-2021-42373, CVE-2021-42375, CVE-2021-42376 and CVE-2021-42377 can cause a denial of service, but require running the man, ash and hush utilities with parameters specified by the attacker. Vulnerabilities CVE-2021-42378 to CVE-2021-42386 affect the awk utility and can potentially lead to code execution, but for this the attacker has to make awk execute a particular pattern (awk must be run with data received from the attacker).

In addition, a vulnerability (CVE-2021-43523) can be noted in the uclibc and uclibc-ng libraries: when the functions gethostbyname(), getaddrinfo(), gethostbyaddr() and getnameinfo() are called, the domain name returned by the DNS server is neither checked nor sanitized. For example, in response to a particular resolution request, a DNS server controlled by an attacker can return hosts such as "alert('xss').attacker.com", and they will be passed unchanged to a program that may display them in a web interface without sanitizing them. The problem was fixed in the uclibc-ng 1.0.39 release by adding code that checks the validity of returned domain names, implemented similarly to Glibc.
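An application-side check for names returned by the resolver, as an added example that is not code from uclibc-ng, Glibc or the article. The helper `hostname_is_safe()` and its strict letters-digits-hyphen rule are assumptions of this example, not the exact rule those libraries apply.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII letter, digit or hyphen; avoids locale-dependent isalnum(). */
static bool is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* hostname_is_safe() is a hypothetical helper for this example.
 * Accepts dot-separated labels of 1-63 LDH bytes, no leading or trailing
 * hyphen, at most 253 bytes in total, with one optional trailing dot. */
bool hostname_is_safe(const char *name)
{
    size_t total, label_len = 0;
    const char *p;

    if (name == NULL || (total = strlen(name)) == 0 || total > 253)
        return false;
    for (p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;

        if (c == '.') {
            /* reject an empty label or a label ending in '-' */
            if (label_len == 0 || p[-1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        if (!is_ldh(c) || (c == '-' && label_len == 0) || ++label_len > 63)
            return false;
    }
    return p[-1] != '-';   /* last label must not end in '-' */
}

int main(void)
{
    /* Constructed sample names; the second is the form quoted above. */
    const char *samples[] = { "router.example.com",
                              "alert('xss').attacker.com", "a..b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i],
               hostname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Programs that render resolved names in a web interface should still escape them on output; this check only rejects names that are not plausible hostnames.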

Source: opennet.ru
