Mu Netfilter, dongosolo la kernel LinuxChiwopsezo (CVE-2022-25636) chapezeka mu chida chosefera ndi kusintha ma packet a netiweki chomwe chimalola kugwiritsa ntchito ma code a kernel-level. Chitsanzo cha kugwiritsira ntchito kwalengezedwa chomwe chingalole wogwiritsa ntchito wakomweko kukulitsa mwayi wawo. Ubuntu 21.10 ndi njira yotetezera ya KASLR yotsekedwa. Vutoli lakhalapo kuyambira kernel 5.4. Pakadali pano pali kukonza komwe kulipo ngati chigamba (palibe zotulutsa zokonzanso za kernel zomwe zapangidwa). Mutha kutsatira zotulutsa zosintha za phukusi m'magawo patsamba lotsatirali: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.
Chiwopsezocho chimayamba chifukwa cha zolakwika pakuwerengera kukula kwa flow->rule->action.entries array mu nft_fwd_dup_netdev_offload ntchito (yotanthauziridwa mu fayilo net/netfilter/nf_dup_netdev.c), zomwe zingapangitse kuti data yoyendetsedwa ndi owukira ikhale zolembedwa kumalo okumbukira kupyola malire a buffer yoperekedwa. Cholakwikacho chikuwonekera pokonza malamulo a "dup" ndi "fwd" mumaketani omwe ma hardware mathamangitsidwe a paketi processing (offload) amagwiritsidwa ntchito. Popeza kusefukira kumachitika musanapange lamulo losefera paketi ndikuyang'ana chithandizo chotsitsa, chiwopsezocho chimagwiranso ntchito pazida zama network zomwe sizimathandizira kuthamangitsa kwa hardware, monga mawonekedwe a loopback.
Zimadziwika kuti vutoli ndi losavuta kugwiritsa ntchito, chifukwa zikhalidwe zomwe zimapitilira buffer zimatha kutsitsa cholozera ku net_device kapangidwe, ndipo zambiri zamtengo wolembedwa zimabwezeretsedwa ku malo ogwiritsa ntchito, zomwe zimakulolani kuti mudziwe maadiresi. kukumbukira zofunika kuchita kuukira. Kugwiritsa ntchito chiwopsezo kumafuna kukhazikitsidwa kwa malamulo ena mu nftables, zomwe zingatheke ndi mwayi wa CAP_NET_ADMIN, womwe ukhoza kupezedwa ndi wogwiritsa ntchito mopanda mwayi mu malo osiyana a intaneti. Chiwopsezocho chingagwiritsidwenso ntchito polimbana ndi makina odzipatula okha.
Source: opennet.ru
