Security audit of the BusyBox package reveals 14 minor vulnerabilities

Researchers from Claroty and JFrog have published the results of a security audit of BusyBox, a package widely used in embedded devices that provides a set of standard UNIX utilities packed into a single executable file. The audit found 14 vulnerabilities, all of which were already fixed in the August release of BusyBox 1.34. Almost all of the issues are harmless and of questionable value for real attacks, since they require the affected utilities to be run with arguments supplied from outside.

The one vulnerability that stands apart is CVE-2021-42374, which allows a denial of service to be caused when a specially crafted compressed file is processed by the unlzma utility and, in builds with the CONFIG_FEATURE_SEAMLESS_LZMA option, also by other BusyBox components, including tar, unzip, rpm, dpkg, lzma and man.

The vulnerabilities CVE-2021-42373, CVE-2021-42375, CVE-2021-42376 and CVE-2021-42377 can cause a denial of service, but require the man, ash and hush utilities to be run with attacker-specified parameters. The vulnerabilities CVE-2021-42378 through CVE-2021-42386 affect the awk utility and can lead to code execution, but for this the attacker needs to ensure that a specific pattern is processed by awk (awk has to be run on data received from the attacker).

Separately, a vulnerability (CVE-2021-43523) in the uclibc and uclibc-ng libraries is worth noting: when the gethostbyname(), getaddrinfo(), gethostbyaddr() and getnameinfo() functions are called, the domain name returned by the DNS server is neither validated nor sanitized. For example, in response to a resolution request, a DNS server controlled by the attacker can return host names containing HTML or JavaScript, such as "alert('xss').attacker.com", and they are passed on unchanged to any program that may, without sanitizing them, display them in a web interface. The problem was fixed in the uclibc-ng 1.0.39 release by adding code that checks the validity of returned domain names, implemented in the same way as in Glibc.
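The kind of check the uclibc-ng fix describes, written here as an added example in C (illustrative code, not uclibc-ng's or glibc's actual implementation): an RFC 1123 hostname validator that a resolver can apply to DNS answers before handing them to callers, so that names carrying markup or other non-hostname characters are rejected. The sample names in main() are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strict RFC 1123 hostname check (illustrative, not libc code):
 * labels of 1..63 letters, digits or hyphens, no leading or trailing
 * hyphen per label, at most 253 characters overall, one optional
 * trailing dot. Underscore is deliberately not accepted here. */
bool hostname_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 254)
        return false;
    if (name[len - 1] == '.')        /* allow a single trailing dot */
        len--;
    if (len == 0 || len > 253)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            /* empty label or label ending in '-' is invalid */
            if (label_len == 0 || name[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        /* rejects '<', '>', '(', '\'', '/', spaces, non-ASCII, ... */
        if (!(isalnum(c) || c == '-'))
            return false;
        if (label_len == 0 && c == '-')   /* label may not start with '-' */
            return false;
        if (++label_len > 63)
            return false;
    }
    return label_len > 0 && name[len - 1] != '-';
}

int main(void)
{
    /* constructed sample answers a resolver might receive */
    const char *answers[] = { "www.example.com.", "alert('xss').attacker.com",
                              "-bad.example", "ok-host.example" };
    for (size_t i = 0; i < sizeof answers / sizeof answers[0]; i++)
        printf("%-28s %s\n", answers[i],
               hostname_ok(answers[i]) ? "accepted" : "rejected");
    return 0;
}
```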

Source: opennet.ru