Vulnerabilities in the Linux and FreeBSD TCP stacks that lead to remote denial of service

Netflix has disclosed several critical vulnerabilities in the Linux and FreeBSD TCP stacks that make it possible to remotely trigger a kernel crash or cause excessive resource consumption when processing specially crafted TCP packets (packet of death). The problems are caused by errors in the handlers for the maximum size of a data block in a TCP packet (MSS, Maximum Segment Size) and for the selective acknowledgment mechanism (SACK, TCP Selective Acknowledgment).

  • CVE-2019-11477 (SACK Panic) - the problem appears in Linux kernels starting from 2.6.29 and makes it possible to cause a kernel panic by sending a series of SACK packets, because of an integer overflow in the handler. For an attack, it is enough to set the MSS value for a TCP connection to 48 bytes (the lower limit, which sets the segment size to 8 bytes) and send a sequence of SACK packets arranged in a certain way.

    As a workaround, you can disable SACK processing (write 0 to /proc/sys/net/ipv4/tcp_sack) or block connections with a low MSS (this works only when sysctl net.ipv4.tcp_mtu_probing is set to 0 and may break some normal connections that have a low MSS);

  • CVE-2019-11478 (SACK Slowness) - leads to disruption of the SACK mechanism (when using a Linux kernel older than 4.15) or to excessive resource consumption. The problem occurs when processing specially crafted SACK packets that can be used to fragment the retransmission queue (TCP retransmission). The workarounds are the same as for the previous vulnerability;
  • CVE-2019-5599 (SACK Slowness) - makes it possible to fragment the map of sent packets when processing a special SACK sequence within a single TCP connection and to trigger a resource-intensive list traversal operation. The problem appears in FreeBSD 12 with the RACK packet loss detection mechanism. As a workaround, you can disable the RACK module;
  • CVE-2019-11479 - an attacker can make the Linux kernel split responses into multiple TCP segments, each containing only 8 bytes of data, which can lead to a significant increase in traffic, higher CPU load, and a clogged communication channel. The recommended workaround is to block connections with a low MSS.

    In the Linux kernel, the issues were fixed in releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, and 5.1.11. The fix for FreeBSD is available as a patch. Among distributions, kernel package updates have already been released for Debian, RHEL, and SUSE/openSUSE. A fix is in preparation for Ubuntu, Fedora, and Arch Linux.
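The Linux workarounds and fixed releases above can be combined into one host check. The following is an added example, not code from the article or from Netflix. The function names and the `low_mss_blocked` flag are assumptions, and the version comparison only holds for upstream stable kernels, because distribution kernels backport fixes under their own version numbers.

```python
import platform
import re
from pathlib import Path

# First fixed release on each upstream stable branch, as listed in the article.
FIXED = {(4, 4): 182, (4, 9): 182, (4, 14): 127, (4, 19): 52, (5, 1): 11}

def kernel_status(release):
    """Classify a `uname -r` string as 'fixed', 'vulnerable' or 'unlisted'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if (major, minor) in FIXED:
        return "fixed" if patch >= FIXED[(major, minor)] else "vulnerable"
    # Branches after 5.1 were released with the fix; older branches that the
    # article does not list need the vendor's advisory instead.
    return "fixed" if (major, minor) > (5, 1) else "unlisted"

def assess(release, tcp_sack, tcp_mtu_probing, low_mss_blocked=False):
    """Return the Linux CVEs not covered by the kernel fix or a workaround.

    low_mss_blocked is supplied by the operator (assumption): this script
    does not inspect firewall rules.
    """
    if kernel_status(release) == "fixed":
        return []
    # The low-MSS filter only helps while MTU probing is off. The article
    # states this caveat for the filter itself, so it is applied to every
    # CVE that relies on the filter.
    mss_filter_ok = low_mss_blocked and tcp_mtu_probing == 0
    exposed = []
    if tcp_sack != 0 and not mss_filter_ok:
        exposed += ["CVE-2019-11477", "CVE-2019-11478"]
    if not mss_filter_ok:
        exposed.append("CVE-2019-11479")
    return exposed

def read_sysctl(name, root="/proc/sys/net/ipv4"):
    """Read an integer sysctl value from procfs (Linux only)."""
    return int(Path(root, name).read_text().split()[0])

if __name__ == "__main__":
    rel = platform.release()
    found = assess(rel, read_sysctl("tcp_sack"), read_sysctl("tcp_mtu_probing"))
    print(rel, kernel_status(rel), found or "no exposure from these checks")
```

Disabling SACK alone still leaves CVE-2019-11479 reported, since the article lists only low-MSS blocking as its workaround.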

    Source: opennet.ru
