Exploitable vulnerabilities in nf_tables, watch_queue and IPsec identified in the Linux kernel

Several dangerous vulnerabilities have been identified in the Linux kernel that allow a local user to elevate their privileges on the system. Working exploit prototypes have been prepared for all of the issues discussed.

  • A vulnerability (CVE-2022-0995) in the watch_queue event tracking subsystem allows data to be written outside the bounds of a buffer in kernel memory. The attack can be carried out by any unprivileged user and results in their code running with kernel privileges. The vulnerability is in the watch_queue_set_size() function and is associated with an attempt to clear all pointers in a list, even when memory has not been allocated for them. The problem occurs when the kernel is built with the "CONFIG_WATCH_QUEUE=y" option, which is used in most Linux distributions.

    The vulnerability was addressed in a kernel change added on March 11. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. An exploit prototype is already publicly available and allows root access to be gained when run on Ubuntu 21.10 with kernel 5.13.0-37.

  • A vulnerability (CVE-2022-27666) in the esp4 and esp6 kernel modules, which implement the ESP (Encapsulating Security Payload) transformations for IPsec used with IPv4 and IPv6. The vulnerability allows a local user with normal privileges to overwrite objects in kernel memory and elevate their privileges on the system. The problem is caused by a lack of reconciliation between the size of the allocated memory and the data actually received, since the message size can exceed the size of the memory allocated for skb_page_frag_refill.

    The vulnerability was fixed in the kernel on March 7 (fixed in 5.17, 5.16.15, etc.). You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. A working exploit prototype, which allows an ordinary user to gain root on Ubuntu Desktop 21.10 in the default configuration, has already been posted on GitHub. It is claimed that with minor changes the exploit will also work on Fedora and Debian. It is noteworthy that the exploit was originally prepared for the pwn2own 2022 competition, but the kernel developers identified and fixed the associated bug, so it was decided to disclose the details of the vulnerability.

  • Two vulnerabilities (CVE-2022-1015, CVE-2022-1016) in the netfilter subsystem in the nf_tables module, which provides the operation of the nftables packet filter. The first issue allows a local unprivileged user to write out of bounds of a buffer allocated on the stack. The overflow occurs when processing nftables expressions that are formed in a certain way and are handled during the check of indexes specified by a user who has access to nftables rules.

    The vulnerability is caused by the fact that the developers assumed that the value of "enum nft_registers reg" was a single byte, whereas when certain optimizations are enabled the compiler, according to C89, may use a 32-bit value for it. Because of this, the size used when checking and allocating memory does not match the actual size of the data in the structure, which leads to the tail of the structure overlapping pointers on the stack.

    The problem can be exploited to execute code at the kernel level, but a successful attack requires access to nftables, which can be obtained in a separate network namespace with CLONE_NEWUSER or CLONE_NEWNET rights (for example, if you can run an isolated container). The vulnerability is also closely tied to the optimizations used by the compiler, which are enabled, for example, when building with "CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y". Exploitation of the vulnerability is possible starting with Linux kernel 5.12.

    The second vulnerability in netfilter is caused by access to an already freed memory area (use-after-free) in the nft_do_chain handler and can lead to a leak of uninitialized areas of kernel memory, which can be read through manipulations with nftables expressions and used, for example, to determine pointer addresses during the development of exploits for other vulnerabilities. Exploitation of the vulnerability is possible starting with Linux kernel 5.13.

    The vulnerabilities are addressed in today's patch releases 5.17.1, 5.16.18, 5.15.32, 5.10.109, 5.4.188, 4.19.237, 4.14.274, and 4.9.309. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. The researcher who identified the problems announced that working exploits have been prepared for both vulnerabilities; they are planned to be published in a few days, after the distributions release updates to their kernel packages.
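
A triage helper for the nf_tables issues above, added here as an example and not taken from the article or the kernel project: it compares an upstream or stable kernel release against the fixed releases listed above and checks whether unprivileged user namespaces, the route to nftables the article names, are enabled. The function names are hypothetical, and the version check does not apply to distribution kernels, which backport fixes without changing the upstream version number.

```python
import re
from pathlib import Path

# Stable releases the article lists as carrying the nf_tables fixes
# (CVE-2022-1015, CVE-2022-1016), keyed by kernel series.
FIXED = {(5, 17): 1, (5, 16): 18, (5, 15): 32, (5, 10): 109,
         (5, 4): 188, (4, 19): 237, (4, 14): 274, (4, 9): 309}

def nf_tables_fix_status(release):
    """Classify an upstream/stable release string such as '5.15.31'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    series, patch = (int(m[1]), int(m[2])), int(m[3] or 0)
    if series in FIXED:
        return "fixed" if patch >= FIXED[series] else "missing-fix"
    if series > max(FIXED):
        return "fixed"      # assumption: series after 5.17 include the fix
    return "unlisted"       # the article names no fixed release for this series

def unprivileged_userns_allowed(proc_sys=Path("/proc/sys")):
    """True if unprivileged users can create user namespaces, the route
    the article names for reaching nftables without real privileges."""
    def read_int(rel):
        try:
            return int((Path(proc_sys) / rel).read_text().strip())
        except (OSError, ValueError):
            return None     # knob absent on this kernel
    # Absent (no user-namespace support) or 0 means none can be created.
    if not read_int("user/max_user_namespaces"):
        return False
    # Debian/Ubuntu-specific switch; where it is absent, creation is allowed.
    return read_int("kernel/unprivileged_userns_clone") != 0

if __name__ == "__main__":
    import platform
    rel = platform.release()
    print(rel, nf_tables_fix_status(rel), unprivileged_userns_allowed())
```

A "missing-fix" result combined with user namespaces being allowed marks a host to patch first; "unlisted" means the series needs checking against the distribution's own advisory.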

Source: opennet.ru
