Kusagadzikana kwakawanda kwengozi kwakaonekwa muLinux kernel iyo inobvumira mushandisi wepano kuti awedzere maropafadzo avo muhurongwa. Kushanda prototypes ekushandisa zvakagadzirirwa kune ese matambudziko ari kutariswa.
- Kusagadzikana (CVE-2022-0995) mune yewatch_queue chiitiko chekutevera subsystem inobvumira data kunyorwa kune kunze-kwe-mabheti buffer mukernel memory. Kurwiswa kwacho kunogona kuitwa nechero mushandisi asina rusarura uye zvinoita kuti kodhi yavo ishande nekodzero dzekernel. Kusagadzikana kuripo muwachi_queue_set_size () basa uye kunobatanidzwa nekuyedza kujekesa zvese zvinongedzo mune rondedzero, kunyangwe ndangariro isina kupihwa ivo. Dambudziko rinoitika pakuvaka kernel ne "CONFIG_WATCH_QUEUE=y" sarudzo, iyo inoshandiswa mukugovera kweLinux kwakawanda.
Kusagadzikana kwakagadziriswa mune shanduko yekernel yakawedzerwa munaKurume 11. Unogona kutevera zvakaburitswa zvepakeji zvigadziriso mukugovera pamapeji aya: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. Iyo exploit prototype yatovepo pachena uye inobvumidza iwe kuti uwane midzi yekuwana paunenge uchimhanya paUbuntu 21.10 ine kernel 5.13.0-37.
- Vulnerability (CVE-2022-27666) mu esp4 uye esp6 kernel modules nekushandiswa kweESP shanduko (Encapsulating Security Payload) yeIPsec, inoshandiswa paunenge uchishandisa IPv4 uye IPv6. Kusagadzikana kunobvumira mushandisi wepanzvimbo neakajairwa ropafadzo kunyora zvinhu mukernel ndangariro uye kuwedzera maropafadzo avo pane system. Dambudziko rinokonzerwa nekushaikwa kwekuyananisa pakati pehukuru hwakagoverwa ndangariro uye iyo data chaiyo yakagamuchirwa, zvichipihwa kuti yakakura meseji saizi inogona kudarika yakanyanya saizi yekurangarira yakagoverwa skb_page_frag_refill chimiro.
Kusagadzikana kwakagadziriswa mukernel munaKurume 7 (yakagadziriswa muna 5.17, 5.16.15, nezvimwewo). Unogona kutevera zvakaburitswa zvepakeji zvigadziriso mukugovera pamapeji aya: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. Iyo inoshanda prototype yekushandiswa, iyo inobvumira mushandisi akajairwa kuwana midzi yekuwana Ubuntu Desktop 21.10 mune yakasarudzika kumisikidzwa, yakatotumirwa paGitHub. Zvinonzi neshanduko diki kushandiswa kunoshandawo paFedora neDebian. Zvinokosha kuziva kuti kushandiswa kwacho kwakambogadzirirwa makwikwi epwn2own 2022, asi vanogadzira kernel vakaona uye vakagadzirisa tsikidzi yakabatana nayo, saka zvakazosarudzwa kuburitsa pachena nezvekusagadzikana.
- Kusagadzikana kuviri (CVE-2022-1015, CVE-2022-1016) mune netfilter subsystem mu nf_tables module, iyo inovimbisa kushanda kweiyo nftables packet sefa. Nyaya yekutanga inobvumira mushandisi wepanzvimbo asina rusaruro kuti awane kunze-kwe-mabheji kunyorera kune yakagoverwa buffer pane stack. Kufashukira kunoitika kana kugadzirisa nftables mataurirwo akaumbwa neimwe nzira uye anogadziriswa panguva yecheki chikamu che indexes inotsanangurwa nemushandisi anokwanisa kuwana nftables mitemo.
Kusagadzikana kunokonzerwa nenyaya yekuti vanogadzira vaireva kuti kukosha kwe "enum nft_registers reg" yaive imwechete byte, apo mamwe magadzirirwo akagoneswa, mugadziri, zvinoenderana neC89 yakatarwa, aigona kushandisa 32-bit kukosha kwayo. . Nekuda kwechinhu ichi, saizi inoshandiswa pakutarisa uye kugovera ndangariro haienderane nehukuru chaihwo hweiyo data muchimiro, izvo zvinotungamira kumuswe weiyo chimiro ichiputirwa nemanongedzo pane stack.
Dambudziko rinogona kushandiswa kuita kodhi padanho re kernel, asi kurwiswa kwakabudirira kunoda kuwana nfttables, iyo inogona kuwanikwa mune yakaparadzana network namespace ine CLONE_NEWUSER kana CLONE_NEWNET kodzero (semuenzaniso, kana uchikwanisa kumhanyisa mudziyo wakasarudzika). Kusagadzikana kwacho kunoenderana zvakanyanya neiyo optimizations inoshandiswa nemuumbi, iyo, semuenzaniso, inogoneswa kana uchivaka mu "CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y" modhi. Kushandiswa kwekusagadzikana kunogoneka kutanga neLinux kernel 5.12.
Kusagadzikana kwechipiri mune netfilter kunokonzerwa nekuwana yakatosunungurwa ndangariro nzvimbo (kushandisa-mushure-yemahara) mune nft_do_chain mubato uye inogona kutungamira kune kudonha kwenzvimbo dzisingazivikanwe dzekernel memory, iyo inogona kuverengerwa kuburikidza nekunyengedza nenftables mataurirwo uye kushandiswa, semuenzaniso, kuona kero dzekunongedza panguva yebudiriro yezvimwe zvidziviriro. Kushandiswa kwekusagadzikana kunogoneka kutanga neLinux kernel 5.13.
Kusagadzikana kunogadziriswa mu kernel patches dzanhasi 5.17.1, 5.16.18, 5.15.32, 5.10.109, 5.4.188, 4.19.237, 4.14.274, uye 4.9.309. Unogona kutevera zvakaburitswa zvepakeji zvigadziriso mukugovera pamapeji aya: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. Muongorori akaziva matambudziko akazivisa kugadzirira kwekushanda zvibodzwa zveuviri, izvo zvakarongwa kuburitswa mumazuva mashoma, mushure mekugovera kuburitsa zvigadziriso kune kernel mapakeji.
Source: opennet.ru