Local vulnerability in the Linux kernel, exploitable via nftables

A vulnerability (CVE-2023-6817) has been found in the Netfilter subsystem that could allow a local user to escalate their privileges. The problem is caused by a use-after-free in the nf_tables module, which backs the nftables packet filter. The vulnerability has been present since Linux kernel 5.6. A fix has been proposed in the Linux 6.7-rc5 test release and has been backported to the current stable branches 5.10.204, 5.15.143, 6.1.68 and 6.6.7.

The problem stems from a bug in the nft_pipapo_walk function: while iterating over PIPAPO (Pile Packet Policies) elements, it did not check for duplicates, which led to memory being freed twice. The attack requires access to nftables, which can be obtained with CAP_NET_ADMIN rights in any user namespace or network namespace; such rights may be granted, for example, in sandboxed containers. A prototype exploit has been published for testing one's own systems.
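An added example, not from the article or the kernel project: a Python check that classifies a kernel release string against the upstream versions named above and reports whether unprivileged user namespaces (the route to CAP_NET_ADMIN described above) are enabled. It assumes upstream version numbering, so for distribution kernels, which often backport fixes without changing the base version, a "vulnerable" result means "check the vendor advisory". The function names are hypothetical, and the sysctl paths are standard Linux ones not mentioned in the article.

```python
import os
import platform
import re

# Upstream version numbers taken from the article; nothing else is assumed.
INTRODUCED = (5, 6)                      # first affected release
FIXED_STABLE = {(5, 10): 204, (5, 15): 143, (6, 1): 68, (6, 6): 7}
FIXED_MAINLINE, FIXED_RC = (6, 7), 5     # fix landed in 6.7-rc5

def parse_release(release):
    """Split a `uname -r` string into (major, minor, patch, rc-or-None)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), int(rc) if rc else None

def classify(release):
    """Return 'not-affected', 'fixed' or 'vulnerable' for an upstream release."""
    major, minor, patch, rc = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "not-affected"
    if branch in FIXED_STABLE:
        return "fixed" if patch >= FIXED_STABLE[branch] else "vulnerable"
    if branch == FIXED_MAINLINE and rc is not None:
        return "fixed" if rc >= FIXED_RC else "vulnerable"
    if branch >= FIXED_MAINLINE:
        return "fixed"
    return "vulnerable"  # affected branch with no fixed release named in the article

def unprivileged_userns(sysctl_root="/proc/sys"):
    """True/False if unprivileged user namespaces are on/off, None if unknown."""
    def read_int(rel):
        try:
            with open(os.path.join(sysctl_root, rel)) as f:
                return int(f.read().strip())
        except (OSError, ValueError):
            return None
    limit = read_int("user/max_user_namespaces")
    if limit is None:
        return None
    # kernel/unprivileged_userns_clone is a Debian/Ubuntu-only knob
    if limit == 0 or read_int("kernel/unprivileged_userns_clone") == 0:
        return False
    return True

if __name__ == "__main__":
    rel = platform.release()
    print(rel, classify(rel), "unprivileged userns:", unprivileged_userns())
```

A host reported as vulnerable with unprivileged user namespaces enabled is reachable by any local account; with them disabled, only processes already holding CAP_NET_ADMIN can reach nf_tables.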

Source: opennet.ru
