Vulnerabilities in the Linux and FreeBSD TCP stacks leading to remote denial of service

Netflix has disclosed several critical vulnerabilities in the Linux and FreeBSD TCP stacks that allow a remote kernel crash or excessive resource consumption when processing specially crafted TCP packets (packet-of-death). The problems are caused by errors in the handlers for the maximum data block size of a TCP packet (MSS, Maximum Segment Size) and in the selective acknowledgement mechanism for connections (SACK, TCP Selective Acknowledgment).

  • CVE-2019-11477 (SACK Panic) - the issue is present in Linux kernels starting from 2.6.29 and allows a kernel panic to be triggered by sending a sequence of SACK packets, due to an integer overflow in the handler. For the attack it is enough to set the MSS value of a TCP connection to 48 bytes (the lower limit sets the segment size to 8 bytes) and send a sequence of SACK packets composed in a specific way.

    As a protective workaround, you can disable SACK processing (write 0 to /proc/sys/net/ipv4/tcp_sack) or block connections with a low MSS (this only works if the sysctl net.ipv4.tcp_mtu_probing is set to 0, and it may disrupt some legitimate connections that use a low MSS);

  • CVE-2019-11478 (SACK Slowness) - leads to disruption of the SACK mechanism (when using a Linux kernel older than 4.15) or to excessive resource consumption. The problem occurs when processing specially crafted SACK packets, which can be used to fragment the retransmission queue (TCP retransmission). The protective workarounds are the same as for the previous vulnerability;
  • CVE-2019-5599 (SACK Slowness) - allows the map of sent packets to be fragmented by processing a special SACK sequence within a single TCP connection, forcing a resource-intensive list enumeration operation. The problem is present in FreeBSD 12 with the RACK packet loss detection mechanism. As a workaround, you can disable the RACK module;
  • CVE-2019-11479 - an attacker can make the Linux kernel split responses into several TCP segments, each carrying only 8 bytes of data, which can lead to a significant increase in traffic, higher CPU load and saturation of the communication channel. Blocking connections with a low MSS is recommended as a protective measure.

    In the Linux kernel, the issues were fixed in releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11. The fix for FreeBSD is available as a patch. Among distributions, kernel package updates have already been released for Debian, RHEL, SUSE/openSUSE. Fixes are being prepared for Ubuntu, Fedora and Arch Linux.
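The two Linux workarounds above (disabling SACK, or dropping low-MSS connections only while tcp_mtu_probing is 0) are easy to apply in the wrong order. The following added audit script (not from the article or from Netflix) reads the two sysctls named above, says which workaround is usable on the host, and prints the corresponding command without executing it. It assumes an iptables host, and MSS_CUTOFF=500 is a constructed threshold: the article only speaks of a "low MSS" and cites 48 bytes as the hard lower bound.

```shell
#!/bin/sh
# Added example: audit the SACK Panic / SACK Slowness workarounds on a Linux host.
# Assumption: MSS_CUTOFF is a constructed threshold for "low MSS" SYNs; the
# article gives no figure, only the 48-byte minimum used by the attack.
MSS_CUTOFF=500

# Decide which workaround applies from the two sysctl values the article names.
# Exit status: 0 = SACK disabled (crafted SACK sequences are not processed),
#              1 = SACK on and tcp_mtu_probing=0, so a low-MSS drop rule works,
#              2 = SACK on but tcp_mtu_probing != 0, so the filter is unreliable.
assess() {
    sack="$1"; mtu_probing="$2"
    if [ "$sack" = "0" ]; then
        echo "net.ipv4.tcp_sack=0: crafted SACK sequences are not processed"
        return 0
    fi
    if [ "$mtu_probing" = "0" ]; then
        echo "SACK enabled, tcp_mtu_probing=0: drop low-MSS SYNs or patch the kernel"
        return 1
    fi
    echo "SACK enabled, tcp_mtu_probing=$mtu_probing: low-MSS filter is not reliable; disable SACK or patch"
    return 2
}

# Read one sysctl from /proc, printing "unknown" if the file is absent
# (keeps the script usable in containers or on hosts without /proc/sys).
read_sysctl() {
    cat "/proc/sys/net/ipv4/$1" 2>/dev/null || echo unknown
}

# Print (do not execute) the workaround command matching an assess() status.
render_workaround() {
    case "$1" in
        0) ;;  # already mitigated, nothing to print
        1) printf 'iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:%s -j DROP\n' "$MSS_CUTOFF" ;;
        *) echo 'sysctl -w net.ipv4.tcp_sack=0' ;;
    esac
}

# Audit the running host: assess the live sysctls, then show the next step.
audit_host() {
    assess "$(read_sysctl tcp_sack)" "$(read_sysctl tcp_mtu_probing)"
    render_workaround "$?"
}

audit_host
```

The printed rule and sysctl are the article's two workarounds; review them against the "legitimate low-MSS connections" caveat before applying either one.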

    Source: opennet.ru
