Vulnerability in cryptsetup that allows disabling encryption on LUKS2 partitions

A vulnerability (CVE-2021-4122) has been identified in the cryptsetup package, used to encrypt disk partitions on Linux, which allows encryption to be disabled on LUKS2 (Linux Unified Key Setup) partitions by modifying the metadata. To exploit the vulnerability, the attacker needs physical access to the encrypted media, i.e. the method makes sense mainly for attacks on encrypted external storage devices, such as flash drives, to which the attacker has access but for which they do not know the password needed to decrypt the data.

The attack works only with the LUKS2 format and relies on manipulating the metadata responsible for enabling the "online reencryption" extension, which allows, when the access key needs to be changed, starting a process that re-encrypts the data on the fly without stopping work with the partition. Since decrypting and re-encrypting with a new key takes a long time, "online reencryption" makes it possible not to interrupt work with the partition and to perform the reencryption in the background, gradually re-encrypting the data from one key to the other. It is also possible to select an empty target key, which converts the partition into unencrypted form.

An attacker can make changes to the LUKS2 metadata that simulate a decryption operation aborted by a failure, and thereby achieve decryption of part of the partition once the modified drive is next activated and used by its owner. In this case, a user who connects the modified drive and unlocks it with the correct password receives no warning about the resumption of the "interrupted" reencryption operation and can only learn about the progress of this operation with the "luksDump" command. The amount of data the attacker can have decrypted depends on the size of the LUKS2 header, but with the default size (16 MiB) it can exceed 3 GB.

The problem is caused by the fact that although the reencryption operation requires calculating and verifying the hashes of the new and old keys, no hash is required to start decryption if the new state implies the absence of a plaintext key for encryption. In addition, the LUKS2 metadata, which specifies the encryption algorithm, is not protected from modification if the media falls into the hands of an attacker. To block the vulnerability, the developers added additional protection of the metadata to LUKS2: an additional hash, calculated over the known keys and the metadata contents, is now checked, i.e. an attacker can no longer covertly change the metadata without knowing the decryption password.

A typical attack scenario requires that the attacker be able to get their hands on the drive several times. First, an attacker who does not know the access password makes changes to the metadata area, which causes part of the data to be decrypted the next time the drive is unlocked. The drive is then returned to its place, and the attacker waits until the user connects it and enters the password. When the device is activated by the user, a background reencryption process starts, during which part of the encrypted data is replaced with decrypted data. Later, if the attacker manages to get hold of the device again, some of the data on the drive will be in decrypted form.

The problem was identified by the cryptsetup project maintainer and fixed in the cryptsetup 2.4.3 and 2.3.7 updates. The status of the updates being prepared to fix the problem in distributions can be tracked on these pages: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch. The vulnerability has been present only since the release of cryptsetup 2.2.0, which introduced support for the "online reencryption" operation. As a security workaround, launching with the "--disable-luks2-reencryption" option can be used.
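As an added example (not part of the original article or of the cryptsetup project), a Python check that classifies an installed cryptsetup version against the affected ranges stated above and scans luksDump output for signs of a pending reencryption. The luksDump markers matched ("online-reencrypt" under Requirements, a keyslot of type "reencrypt") and the sample dump text are assumptions.

```python
import re
import subprocess

# Affected ranges from the advisory: the bug exists since 2.2.0 and was
# fixed in 2.3.7 (2.3 branch) and 2.4.3 (2.4 branch).
def parse_version(text):
    """Extract a (major, minor, patch) tuple from e.g. 'cryptsetup 2.4.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number found in: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    v = parse_version(version) if isinstance(version, str) else version
    if v < (2, 2, 0):
        return False          # online reencryption did not exist yet
    if v < (2, 3, 7):
        return True           # all 2.2.x and 2.3.0 .. 2.3.6
    if v < (2, 4, 0):
        return False          # 2.3.7 and later 2.3.x carry the fix
    return v < (2, 4, 3)      # 2.4.0 .. 2.4.2 affected, 2.4.3+ fixed

# Assumption: luksDump lists "online-reencrypt" under "Requirements:" and/or
# a keyslot of type "reencrypt" while a reencryption is pending.
REENCRYPT_MARKERS = (
    re.compile(r"^Requirements:.*\bonline-reencrypt", re.M),
    re.compile(r"^\s*\d+:\s*reencrypt\b", re.M),
)

def reencryption_in_progress(dump_text):
    """True if the header dump shows a pending (online) reencryption."""
    return any(p.search(dump_text) for p in REENCRYPT_MARKERS)

def check_device(device):
    """Run luksDump on a real device (requires cryptsetup and root)."""
    out = subprocess.run(["cryptsetup", "luksDump", device],
                         capture_output=True, text=True, check=True).stdout
    return reencryption_in_progress(out)

# Constructed sample dump fragments (not real cryptsetup output).
PENDING_DUMP = ("LUKS header information\nVersion:       \t2\n"
                "Requirements:  \tonline-reencrypt\nKeyslots:\n"
                "  0: luks2\n  2: reencrypt\n")
CLEAN_DUMP = "LUKS header information\nVersion:       \t2\nKeyslots:\n  0: luks2\n"

if __name__ == "__main__":
    ver = subprocess.run(["cryptsetup", "--version"],
                         capture_output=True, text=True).stdout
    print("installed cryptsetup affected:", is_affected(ver))
```

A drive that shows a pending reencryption the owner never started is worth treating as tampered, regardless of the installed version.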

Source: opennet.ru
