Netfilter, kagawo kakang'ono ka Linux kernel yomwe imagwiritsidwa ntchito kusefa ndikusintha mapaketi a netiweki, ili ndi chiwopsezo (CVE-2022-25636) chomwe chimalola kuphedwa kwa ma code pamlingo wa kernel. Zalengezedwa kuti chitsanzo cha chinyengo chakonzedwa chomwe chimalola wogwiritsa ntchito kwanuko kukweza mwayi wawo ku Ubuntu 21.10 ndi njira yoteteza ya KASLR yoyimitsidwa. Vuto likuwoneka kuyambira pa kernel 5.4. Kukonzekera kulipobe ngati chigamba (zowongolera zotulutsa kernel sizinapangidwe). Mutha kutsata zofalitsa zosintha pamaphukusi pamagawo awa: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.
Chiwopsezocho chimayamba chifukwa cha zolakwika pakuwerengera kukula kwa flow->rule->action.entries array mu nft_fwd_dup_netdev_offload ntchito (yotanthauziridwa mu fayilo net/netfilter/nf_dup_netdev.c), zomwe zingapangitse kuti data yoyendetsedwa ndi owukira ikhale zolembedwa kumalo okumbukira kupyola malire a buffer yoperekedwa. Cholakwikacho chikuwonekera pokonza malamulo a "dup" ndi "fwd" mumaketani omwe ma hardware mathamangitsidwe a paketi processing (offload) amagwiritsidwa ntchito. Popeza kusefukira kumachitika musanapange lamulo losefera paketi ndikuyang'ana chithandizo chotsitsa, chiwopsezocho chimagwiranso ntchito pazida zama network zomwe sizimathandizira kuthamangitsa kwa hardware, monga mawonekedwe a loopback.
Zimadziwika kuti vutoli ndi losavuta kugwiritsa ntchito, chifukwa zikhalidwe zomwe zimapitilira buffer zimatha kutsitsa cholozera ku net_device kapangidwe, ndipo zambiri zamtengo wolembedwa zimabwezeretsedwa ku malo ogwiritsa ntchito, zomwe zimakulolani kuti mudziwe maadiresi. kukumbukira zofunika kuchita kuukira. Kugwiritsa ntchito chiwopsezo kumafuna kukhazikitsidwa kwa malamulo ena mu nftables, zomwe zingatheke ndi mwayi wa CAP_NET_ADMIN, womwe ukhoza kupezedwa ndi wogwiritsa ntchito mopanda mwayi mu malo osiyana a intaneti. Chiwopsezocho chingagwiritsidwenso ntchito polimbana ndi makina odzipatula okha.
Source: opennet.ru