Attack on PyTorch infrastructure compromising the repository and releases

Details have been published of an attack on the infrastructure used to build PyTorch, a machine learning framework. The attack yielded access keys sufficient to place malicious data in the project's repository and releases on GitHub and AWS, to substitute code in the repository's main branch, and to add a backdoor through dependencies. Spoofed PyTorch releases could be used to attack large companies such as Google, Meta, Boeing and Lockheed Martin that use PyTorch in their projects. Under its Bug Bounty program, Meta paid the researchers $16,250 for the report.

The core of the attack is the ability to run attacker-supplied code on the continuous integration servers that rebuild the project and run jobs to test new changes submitted to the repository. The problem affects projects that use their own external "Self-Hosted Runner" agents with GitHub Actions. Unlike standard GitHub-hosted runners, self-hosted runners do not run on GitHub's infrastructure but on the project's own servers or in virtual machines maintained by the project.

Running build jobs on your own servers makes it possible to launch code there that scans the company's internal network, searches the local filesystem for encryption keys and access tokens, and reads environment variables holding credentials for external storage or cloud services. Without proper isolation of the build environment, any confidential data found can be exfiltrated to the attackers, for example through calls to external APIs. To find out whether a project uses self-hosted runners, the Gato toolkit can be used to analyze the project's publicly available workflow files and CI job run logs.

In PyTorch, as in many other projects using self-hosted runners, only developers whose changes have previously been reviewed and merged into the project's codebase are allowed to trigger build jobs. With the repository's default settings, having "contributor" status is enough for GitHub Actions workflows to run automatically when that contributor submits a pull request, and therefore to execute the contributor's code on any GitHub Actions runner attached to the repository or to the organization that manages the project.

The "contributor" requirement turned out to be easy to bypass: it was enough to first submit a minor change and wait for it to be accepted into the codebase, after which the developer automatically received contributor status and their pull requests were tested in the CI infrastructure without any separate approval. To obtain that status, the experiment used small cosmetic changes fixing typos in the documentation. To gain access to the PyTorch repository and release storage, the attack executed code on a self-hosted runner that captured the GitHub token used to access the repository from the build process, as well as the AWS keys used to store build artifacts. The default repository setting that makes this possible is "Require approval for first-time contributors"; the stricter "Require approval for all outside collaborators" option, combined with ephemeral runners that are discarded after each job, closes this path.
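The check described above, that a pull request from any contributor can reach a self-hosted runner, can be made statically from workflow files, which is roughly what Gato does when enumerating a target. The following is an added example written for this article, not Gato's code and not PyTorch's CI. It flags jobs whose `runs-on` labels point at self-hosted machines and whose workflow is triggered by `pull_request` or `pull_request_target`, unless the job carries the usual same-repository guard. The workflow definitions are constructed for the example, as they would look after YAML parsing; the runner labels, job names and file names are hypothetical.

```python
"""
Audit GitHub Actions workflows for jobs that let a pull request from a fork
run on a self-hosted runner. Added example for this article; not Gato's
code and not PyTorch's CI. The sample workflows below are constructed, with
hypothetical labels, job names and file names.
"""
from dataclasses import dataclass

# Events whose payload a fork can control: pull_request runs the PR's code,
# pull_request_target runs base-branch code but with attacker-chosen inputs
# and a write-capable token.
FORK_TRIGGERS = {"pull_request", "pull_request_target"}

# Label prefixes used by GitHub-hosted runners. "self-hosted" is the reserved
# label for a project's own machines; any other custom label (e.g. "gpu")
# also only exists on self-hosted runners.
GITHUB_HOSTED_PREFIXES = ("ubuntu-", "windows-", "macos-")

# Job-level condition that restricts a pull_request job to PRs opened from
# branches of the repository itself rather than from forks.
SAME_REPO_GUARD = "github.event.pull_request.head.repo.full_name == github.repository"


@dataclass(frozen=True)
class Finding:
    workflow: str
    job: str
    labels: tuple
    triggers: tuple


def triggers_of(workflow: dict) -> set:
    """Normalise the 'on' key, which may be a string, a list or a mapping.

    PyYAML reads a bare `on` key as the boolean True (YAML 1.1), so the
    parsed document may carry the triggers under True instead of "on".
    """
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    return set(on)  # list -> its items; mapping -> its keys


def labels_of(job: dict) -> tuple:
    """Return the runner labels of a job. 'runs-on' may be a string, a list,
    or the runner-group mapping form {"group": ..., "labels": [...]}."""
    runs_on = job.get("runs-on", [])
    if isinstance(runs_on, dict):
        runs_on = runs_on.get("labels", [])
    if isinstance(runs_on, str):
        runs_on = [runs_on]
    return tuple(runs_on)


def is_self_hosted(labels) -> bool:
    """True if any label is 'self-hosted' or a custom label no GitHub-hosted
    runner carries. Expressions such as '${{ matrix.os }}' cannot be resolved
    statically and are skipped."""
    for label in labels:
        if label == "self-hosted":
            return True
        if label.startswith("${{"):
            continue
        if not label.startswith(GITHUB_HOSTED_PREFIXES):
            return True
    return False


def audit(workflows: dict) -> list:
    """One Finding per job that a fork-controlled event can run on a
    self-hosted runner without the same-repository guard."""
    findings = []
    for name, wf in workflows.items():
        exposed = sorted(triggers_of(wf) & FORK_TRIGGERS)
        if not exposed:
            continue
        for job_id, job in wf.get("jobs", {}).items():
            labels = labels_of(job)
            if not is_self_hosted(labels):
                continue
            if SAME_REPO_GUARD in str(job.get("if", "")):
                continue
            findings.append(Finding(name, job_id, labels, tuple(exposed)))
    return findings


# Constructed sample: three workflows as they would look after YAML parsing.
SAMPLE_WORKFLOWS = {
    # Vulnerable: any contributor's PR runs GPU tests on the project's own box.
    "ci.yml": {
        "on": {"pull_request": {}, "push": {"branches": ["main"]}},
        "jobs": {
            "lint": {"runs-on": "ubuntu-latest"},
            "gpu-tests": {"runs-on": ["self-hosted", "linux", "gpu"]},
        },
    },
    # Not reachable from a fork: only tag pushes by people with write access.
    "release.yml": {
        "on": {"push": {"tags": ["v*"]}},
        "jobs": {"build": {"runs-on": {"group": "release", "labels": ["self-hosted"]}}},
    },
    # Same job as ci.yml but guarded so fork PRs never reach the runner.
    "hardened.yml": {
        "on": ["pull_request"],
        "jobs": {"gpu-tests": {"runs-on": ["self-hosted", "gpu"], "if": SAME_REPO_GUARD}},
    },
}

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOWS):
        print(f"{f.workflow}: job '{f.job}' on {f.labels} runs for {f.triggers}")
```

Run against the sample, only `ci.yml`'s `gpu-tests` job is reported. The same-repository guard keeps fork PRs off the runner but does nothing about a merged contributor opening a branch in the main repository, so it complements rather than replaces ephemeral runners and the "require approval for all outside collaborators" setting. In a real audit, load each file under `.github/workflows/` with a YAML parser and pass the resulting mapping to `audit`.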

The issue is not specific to PyTorch and affects many other large projects that use self-hosted runners with default GitHub Actions settings. As examples, the researchers mentioned similar attacks that planted a backdoor in several large cryptocurrency wallet and blockchain projects with billion-dollar capitalizations, modified releases of Microsoft DeepSpeed and TensorFlow, compromised one of Cloudflare's applications, and executed code on a computer inside Microsoft's network. Details of these incidents have not yet been published. Under existing bug bounty programs the researchers have submitted more than twenty reports, with rewards worth hundreds of thousands of dollars.

Source: opennet.ru
