Qualys waxay aqoonsatay nuglaanta saddexaad ee khatarta ah sanadkan (CVE-2022-3328) ee utility snap-confine, kaas oo la socda calanka xididka SUID waxaana loogu yeeraa habka loo yaqaan 'snapd' si loo abuuro jawi la fulin karo oo loogu talagalay codsiyada lagu qaybiyay baakado is-gaar ah. qaabka degdega ah. Nuglaanta waxay u ogolaataa isticmaale maxalli ah oo aan mudnayn inuu gaaro fulinta koodka sida xididka qaabeynta Ubuntu. Arrintu waxay ku go'an tahay snapd 2.57.6 sii deynta. Cusboonaysiinta xirmada ayaa loo siidaayay dhammaan laamaha taageera ee Ubuntu.
Waxa xiisaha lihi leh, u nuglaanshaha su'aasha ayaa la soo bandhigay intii lagu jiray habka hagaajinta dayacanka Feebaraayo ee la midka ah ee xaddidan. Cilmi baadhayaashu waxay awoodeen inay diyaariyaan ka faa'iidaysi shaqo kaas oo siiya marin u helka Ubuntu Server 22.04, kaas oo, marka lagu daro u nuglaanshaha snap-confine, sidoo kale ku lug leh laba nuglaanshaha habka isku-dhafka ah (CVE-2022-41974, CVE-2022-41973) , oo la xidhiidha ka gudubka hubinta maamulka marka gudbinta amarrada mudnaanta leh iyo shaqada aan badbaadada lahayn ee leh xiriiriyeyaasha astaanta ah.
Nuglaanta ku jirta snap-confine waxaa sababa xaalad jinsiyadeed oo ah must_mkdir_and_open_with_perms(), oo lagu daray si looga ilaaliyo beddelka /tmp/snap.$SNAP_NAME hagaha calaamada leh ka dib markaad hubiso mulkiilaha,laakin ka hor inta aanad wicin nidaamka buurta. wac si aad ugu xidho hagayaasha ku xidhidhiyaha si aad u hesho xidhmo ah qaab degdeg ah. Ilaalinta lagu daray waxay ahayd in dib loo magacaabo /tmp/snap.$SNAP_NAME hagaha hagaha kale ee /tmp oo wata magac random haddii uu jiro oo aanu lahayn xidid.
Markaad ka faa'iidaysanayso /tmp/snap.$SNAP_NAME hagaha dib u magacawda, cilmi baadhayaashu waxay ka faa'iidaysteen xaqiiqda ah in snap-confine ay sidoo kale abuurto buugga /tmp/snap.rootfs_XXXXXX ee xididka nuxurka xirmada snap. Qaybta "XXXXXX" ee magaca waxaa si bakhtiyaa nasiib ah u doortay mkdtemp(), laakiin xirmo lagu magacaabo "rootfs_XXXXXX" ayaa lagu ansixin karaa shaqada sc_instance_name_validate (ie. fikradda ayaa ah in $SNAP_NAME loo dejin doono "rootfs_XXXXXX" kadibna dib loo magacaabo hawlgalka waxay keeni doontaa in dib loo qoro /tmp/snap.rootfs_XXXXXX tusaha oo leh xidid snap).
Si loo gaadho isticmaalka isku mar ee /tmp/snap.rootfs_XXXXXX iyo magaca /tmp/snap.$SNAP_NAME, laba xaaladood oo snap-confine ah ayaa la bilaabay. Marka tusaalaha koowaad la abuuro /tmp/snap.rootfs_XXXXXX, habsocodka ayaa xannibi doona oo tusaale labaad wuxuu ku bilaaban doonaa magaca xirmada rootfs_XXXXXX, taasoo keenaysa tusaalaha labaad ee ku meel gaarka ah /tmp/snap.$SNAP_NAME inuu noqdo tusaha xididka /tmp/snap .rootfs_XXXXXX ee hore. Isla markiiba ka dib markii magaca beddelka la dhammeeyey, tusalkii labaad waa burburay, iyo /tmp/snap.rootfs_XXXXXX waxaa lagu beddelay xaalad isirka, sida markii laga faa'iidaysanayay dayacanka Febraayo. Beddelka ka dib, qufulka fulinta ayaa laga saaray tusaalaha koowaad oo weeraryahannadu waxay si buuxda u xakameeyeen tusaha xididka snap.
Talaabadii ugu dambeysay waxay ahayd in la abuuro symlink /tmp/snap.rootfs_XXXXXX/tmp, kaas oo loo adeegsaday shaqada sc_bootstrap_mount_namespace() si ay ugu xidho tusaha dhabta ah ee la qori karo /tmp hage kasta oo ku jira nidaamka faylka, tan iyo markii buurta () wac raac calaamadaha ka hor inta aanad fuulin. Koritaanka noocan oo kale ah waxaa xannibay xannibaadaha AppArmor, laakiin si looga gudbo xannibaadda, ka faa'iidaysiga wuxuu adeegsaday laba dayacan oo caawiye ah oo ku yaal waddooyin badan.
Source: opennet.ru