Two vulnerabilities have been found in the Linux kernel. They are similar to the Copy Fail vulnerability disclosed several days ago, but they affect different subsystems: xfrm-ESP and RxRPC. This series of vulnerabilities has been named Dirty Frag (also called Copy Fail 2). The vulnerabilities allow an unprivileged user to gain root privileges by overwriting process data in the page cache. A working exploit exists for all current Linux distributions. The vulnerabilities were disclosed before patches were released, but a workaround is available.
Dirty Frag covers two separate flaws. The first is in the xfrm-ESP module, which is used to accelerate IPsec encryption operations using the ESP (Encapsulating Security Payload) protocol. The second is in the RxRPC driver, which implements the AF_RXRPC socket family and the RPC protocol of the same name, running over UDP. Each vulnerability, taken on its own, allows root privileges to be obtained. The xfrm-ESP vulnerability has been present in the Linux kernel since January 2017, and the RxRPC vulnerability since June 2023. Both problems are caused by optimizations that allow writing directly to the page cache.
To exploit the xfrm-ESP vulnerability, the user must have permission to create namespaces, and to exploit the RxRPC vulnerability, the rxrpc.ko kernel module must be loaded. For example, in Ubuntu, AppArmor rules prevent unprivileged users from creating namespaces, but the rxrpc.ko module is easily loaded. Some other distributions do not have the rxrpc.ko module but do not block namespace creation. The researcher who found the problem built an exploit that attacks a system through both vulnerabilities, which makes it possible to exploit the problem on all major distributions. The exploit was confirmed to work on Ubuntu 24.04.4 with kernel 6.17.0-23, RHEL 10.1 with kernel 6.12.0-124.49.1, openSUSE Tumbleweed with kernel 7.0.2-1, CentOS Stream 10 with kernel 6.12.0-224, AlmaLinux 10 with kernel 6.12.0-124.52.3, and Fedora 44 with kernel 6.19.14-300.
As with the Copy Fail vulnerability, the problems in xfrm-ESP and RxRPC are caused by processing data in place when the splice() function is used. splice() moves data between files and pipes without copying, by passing references to elements in the page cache. Write offsets were calculated without adequate checks for the use of direct references to elements in the page cache, which allows specially crafted requests to write four bytes at a given offset and modify the contents of any file in the page cache.
All file read operations first take the contents from the page cache. If data in the page cache has been modified, file reads return the substituted data, not the actual information stored on the drive. Exploiting the vulnerability comes down to modifying the page cache of an executable file that has the suid root flag. For example, to obtain root privileges, one can read the executable file /usr/bin/su so that it is placed in the page cache, and then insert one's own code into the cached contents of that file. A subsequent run of the "su" utility will load the modified copy from the page cache into memory, not the original executable file from the drive.
Public disclosure of the vulnerabilities and a coordinated release of patches were planned for May 12, but because of a leak the vulnerability information had to be published before the patches were released. At the end of April, patches for rxrpc, ipsec, and xfrm were posted to the public netdev mailing list without any mention that they were related to a vulnerability. On May 5, the IPsec subsystem maintainer accepted a change into the netdev Git repository with a proposed fix in the xfrm-esp module. The description of the change was similar to the description of the problem that caused the Copy Fail vulnerability in the algif_aead module. A security researcher who took an interest in this fix managed to build a working exploit and published it, unaware that an embargo on disclosing information about the issue was in place until May 12.
Updates with fixes for the Linux kernel and for kernel packages in distributions have not yet been released, but patches addressing the problems exist: xfrm-esp and rxrpc. CVE identifiers have not been assigned, which makes it harder to track package updates in distributions. As a workaround, you can block loading of the esp4, esp6, and rxrpc kernel modules:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
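An added example, not part of the original article: a shell check that the module-blocking workaround actually took effect, since the one-liner discards rmmod errors and a module that is in use stays loaded. The function names, the status labels and the default paths /etc/modprobe.d and /proc/modules are choices of this example.

```shell
#!/bin/sh
# Added example: audit the esp4/esp6/rxrpc module-blocking workaround.
# Function names, status labels and default paths are this example's own.

MODULES="esp4 esp6 rxrpc"

# True if a *.conf file in directory $2 redirects loading of module $1
# to /bin/false or /bin/true (the "install <module> /bin/false" form).
module_blocked() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+(/usr)?/bin/(false|true)([[:space:]]|\$)" "$2"/*.conf
}

# True if module $1 is listed in the /proc/modules-format file $2.
module_loaded() {
    grep -qs "^$1 " "$2"
}

# Print one of:
#   mitigated     blocked in modprobe config and not in memory
#   still-loaded  blocked, but rmmod did not remove it (for example, in use)
#   unblocked     not in memory, but nothing stops it from being loaded
#   exposed       in memory and not blocked
module_status() {
    if module_blocked "$1" "$2"; then
        if module_loaded "$1" "$3"; then echo still-loaded; else echo mitigated; fi
    else
        if module_loaded "$1" "$3"; then echo exposed; else echo unblocked; fi
    fi
}

# Print one status line per module; return 0 only if all are mitigated.
audit_dirtyfrag() {
    rc=0
    for m in $MODULES; do
        s=$(module_status "$m" "$1" "$2")
        printf '%-6s %s\n' "$m" "$s"
        [ "$s" = mitigated ] || rc=1
    done
    return $rc
}

# Default run against the live system; pass a config dir and a modules file to override.
if audit_dirtyfrag "${1:-/etc/modprobe.d}" "${2:-/proc/modules}"; then
    echo "workaround in place"
else
    echo "workaround incomplete"
fi
```

A module compiled into the kernel does not appear in /proc/modules and is not affected by modprobe configuration, so this check covers only the loadable-module case.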
Source: opennet.ru
