Exploitable vulnerabilities in nf_tables, watch_queue and IPsec identified in the Linux kernel

Several dangerous vulnerabilities have been identified in the Linux kernel that allow a local user to elevate their privileges on the system. Working exploit prototypes have been prepared for all of the issues discussed here.

  • A vulnerability (CVE-2022-0995) in the watch_queue event tracking subsystem allows data to be written outside the bounds of a buffer in kernel memory. The attack can be carried out by any unprivileged user and results in their code running with kernel privileges. The vulnerability is in the watch_queue_set_size() function and is associated with an attempt to clear all pointers in a list even though memory has not yet been allocated for them. The problem occurs when the kernel is built with the "CONFIG_WATCH_QUEUE=y" option, which is used in most Linux distributions.

    The vulnerability was resolved in a kernel change added on March 11. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. The exploit prototype is already publicly available and makes it possible to gain root when run on Ubuntu 21.10 with kernel 5.13.0-37.

  • A vulnerability (CVE-2022-27666) in the esp4 and esp6 kernel modules, which implement ESP (Encapsulating Security Payload) transformations for IPsec and are used with IPv4 and IPv6. The vulnerability allows a local user with ordinary privileges to overwrite objects in kernel memory and elevate their privileges on the system. The problem is caused by a mismatch between the size of the allocated memory and the data actually received, since the maximum message size could exceed the maximum size of the memory allocated for the skb_page_frag_refill structure.

    The vulnerability was fixed in the kernel on March 7 (included in 5.17, 5.16.15, etc.). You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. A working prototype of the exploit, which allows an ordinary user to gain root access on Ubuntu Desktop 21.10 in the default configuration, has already been posted on GitHub. It is stated that with minor changes the exploit will also work on Fedora and Debian. Notably, the exploit was originally prepared for the pwn2own 2022 competition, but the kernel developers identified and fixed the associated bug, so it was decided to disclose the details of the vulnerability.

  • Two vulnerabilities (CVE-2022-1015, CVE-2022-1016) in the netfilter subsystem, in the nf_tables module that provides the nftables packet filter. The first issue allows a local unprivileged user to achieve an out-of-bounds write to a buffer allocated on the stack. The overflow occurs when processing nftables expressions formatted in a certain way, during the checking of indexes specified by a user who has access to nftables rules.

    The vulnerability is caused by the developers assuming that the value of "enum nft_registers reg" was a single byte, whereas with certain optimizations enabled the compiler, according to the C89 specification, may use a 32-bit value for it. Because of this, the size used when checking and allocating memory does not match the actual size of the data in the structure, which leads to the tail of the structure overlapping with pointers on the stack.

    The problem can be exploited to execute code at the kernel level, but a successful attack requires access to nftables, which can be obtained in a separate network namespace with CLONE_NEWUSER or CLONE_NEWNET rights (for example, if you can run an isolated container). The vulnerability is also closely tied to the optimizations used by the compiler, which are enabled, for example, when building in "CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y" mode. Exploitation of the vulnerability is possible starting with Linux kernel 5.12.

    The second vulnerability in netfilter is caused by access to an already freed memory area (use-after-free) in the nft_do_chain handler and can lead to a leak of unknown areas of kernel memory, which can be read through manipulation of nftables expressions and used, for example, to determine pointer addresses while developing exploits for other vulnerabilities. Exploitation of the vulnerability is possible starting with Linux kernel 5.13.

    The vulnerabilities are resolved in today's kernel patch releases 5.17.1, 5.16.18, 5.15.32, 5.10.109, 5.4.188, 4.19.237, 4.14.274, and 4.9.309. You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux. The researcher who identified the problems has announced that working exploits for both vulnerabilities are being prepared and are planned for publication in a few days, after distributions release updates to their kernel packages.
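
A defender's check built from the figures in this article, as an added example that is not code from the article or from the kernel project: it classifies an upstream kernel release against the fixed nf_tables releases and first-exploitable versions listed above, and reports whether unprivileged user namespaces (the route to nftables mentioned above) are available. The function names, status strings and the sysctl dictionary are assumptions of this example.

```python
import re

# From the article: first fixed release on each stable branch (nf_tables fixes).
FIXED = {(5, 17): 1, (5, 16): 18, (5, 15): 32, (5, 10): 109,
         (5, 4): 188, (4, 19): 237, (4, 14): 274, (4, 9): 309}
# From the article: first kernel in which exploitation is possible.
EXPLOITABLE_FROM = {"CVE-2022-1015": (5, 12), "CVE-2022-1016": (5, 13)}


def parse_upstream(release):
    """Split an upstream release such as '5.15.31' into ((5, 15), 31)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor), patch


def patch_status(release, cve):
    """Return 'fixed', 'below-exploitable-range' or 'unfixed' for one CVE."""
    branch, patch = parse_upstream(release)
    if branch in FIXED and patch >= FIXED[branch]:
        return "fixed"
    if branch > max(FIXED):
        return "fixed"  # assumption: branches newer than 5.17 include the fix
    if branch < EXPLOITABLE_FROM[cve]:
        return "below-exploitable-range"  # older than the version the article names
    return "unfixed"  # includes 5.12-5.14, for which the article lists no fix


def userns_reachable(sysctls):
    """True if unprivileged users can create user namespaces.

    `sysctls` maps sysctl names to the text read from /proc/sys. A missing
    entry is treated as enabled; kernel.unprivileged_userns_clone is a
    Debian/Ubuntu knob and is absent on other distributions.
    """
    if int(sysctls.get("user.max_user_namespaces", "1")) == 0:
        return False
    return int(sysctls.get("kernel.unprivileged_userns_clone", "1")) != 0


def assess(release, sysctls):
    """Combine patch level and namespace reachability for both CVEs."""
    reachable = userns_reachable(sysctls)
    return {cve: (patch_status(release, cve), reachable)
            for cve in EXPLOITABLE_FROM}
```

Distribution kernels such as Ubuntu's 5.13.0-37 receive backported fixes without a change in the upstream-looking version number, so for those confirm the result against the distribution's own tracker.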

Source: opennet.ru
