Local vulnerability in nftables allowing privilege escalation

Netfilter, the Linux kernel subsystem used to filter and modify network packets, has a vulnerability (no CVE assigned yet) that allows a local user to execute code at kernel level and elevate their privileges on the system. Researchers have demonstrated an exploit that gives a local user root privileges on Ubuntu 22.04 with the 5.15.0-39-generic kernel. Disclosure was originally scheduled for August 15, but because an email containing a prototype of the exploit was leaked to a public mailing list, the embargo on publishing the details was lifted.

The bug has been present since kernel 5.8 and is caused by a buffer overflow in the code that handles sets in the nf_tables module, due to missing bounds checks in the nft_set_elem_init function. It was introduced by a change that increased the storage area for set elements to 128 bytes.

To carry out the attack, access to nftables is required. On a system that does not grant it directly, it can be obtained inside a separate network namespace, which is possible if the user can create namespaces with CLONE_NEWUSER, CLONE_NEWNS or CLONE_NEWNET (for example, if they are able to run an isolated container). No fix is available yet. To block exploitation on ordinary systems, make sure that creation of unprivileged user namespaces is disabled ("sudo sysctl -w kernel.unprivileged_userns_clone=0"). Note that this sysctl exists only in Debian/Ubuntu kernels; on mainline kernels the equivalent control is user.max_user_namespaces=0, and in both cases a value set with sysctl -w is lost on reboot unless it is also written to /etc/sysctl.d/.
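The following check script is an added example and is not part of the original article or of the researchers' exploit. It reads the two sysctl knobs mentioned above (the Debian/Ubuntu-specific kernel.unprivileged_userns_clone and the mainline user.max_user_namespaces) and reports whether an unprivileged local user can still create the user namespace that the attack depends on. The decision logic is kept in a separate function, userns_exposed, so it can be exercised with constructed values; the function name and the USERNS_CHECK_RUN environment variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: decide from sysctl values whether
# an unprivileged user can create user (and therefore network) namespaces, which
# is the precondition the article names for reaching nf_tables without root.
# Assumed knobs: kernel.unprivileged_userns_clone (Debian/Ubuntu, 1 = allowed)
# and user.max_user_namespaces (mainline, 0 = creation disabled).

# Pure decision function so it can be tested with constructed values.
#   $1: kernel.unprivileged_userns_clone value, or "absent" if the sysctl is missing
#   $2: user.max_user_namespaces value, or "absent"
# Returns 0 (true) when unprivileged namespace creation is still possible.
userns_exposed() {
    clone="$1"
    max="$2"
    # The Debian/Ubuntu knob set to 0 blocks unprivileged user namespaces outright.
    if [ "$clone" = "0" ]; then
        return 1
    fi
    # A mainline limit of 0 blocks creation of new user namespaces for everyone.
    if [ "$max" = "0" ]; then
        return 1
    fi
    # Knob absent or permissive on both counts: the precondition is met.
    return 0
}

# Read a live value from /proc/sys; "absent" when the kernel lacks the knob.
read_sysctl() {
    if [ -r "/proc/sys/$1" ]; then
        cat "/proc/sys/$1"
    else
        echo absent
    fi
}

# Print a verdict for the running kernel; exit status 0 means exposed.
report() {
    clone=$(read_sysctl kernel/unprivileged_userns_clone)
    max=$(read_sysctl user/max_user_namespaces)
    if userns_exposed "$clone" "$max"; then
        echo "EXPOSED: unprivileged user namespaces allowed" \
             "(unprivileged_userns_clone=$clone, max_user_namespaces=$max)"
        echo "Mitigation: sudo sysctl -w kernel.unprivileged_userns_clone=0" \
             "(or user.max_user_namespaces=0 on mainline kernels)"
        return 0
    fi
    echo "OK: unprivileged user namespace creation is disabled" \
         "(unprivileged_userns_clone=$clone, max_user_namespaces=$max)"
    return 1
}

# Run the live check only when explicitly requested, e.g.
#   USERNS_CHECK_RUN=1 sh userns_check.sh
if [ "${USERNS_CHECK_RUN:-0}" = "1" ]; then
    report || true
fi
```

The script treats a missing kernel.unprivileged_userns_clone as "not blocked", which is the correct reading on mainline kernels where only user.max_user_namespaces applies; it deliberately does not try to create a namespace itself, so it can be run by any user without side effects.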

Source: opennet.ru
