The most significant Linux vulnerability (1, 2, 3) of the past two weeks has been identified; it allows a user to escalate their privileges on the system. Two working exploits have been published: sshkeysign_pwn lets an unprivileged user read the contents of the host's private SSH keys /etc/ssh/ssh_host_*_key, and chage_pwn lets an unprivileged user read the contents of the /etc/shadow file, which holds the users' password hashes.
The vulnerability was not meant to be disclosed, but a security researcher was able to identify it from a proposed kernel patch; it allows reading files that are accessible only to the root user, such as /etc/shadow. The kernel change corrected how the get_dumpable() function is used in ptrace when access levels are determined in the ptrace_may_access() function.
The vulnerability is caused by a race condition that allows unprivileged access to a pidfd file descriptor after a file has been opened by a suid root process. Between the file being opened and the suid program dropping its privileges (for example, via the setreuid function), a window arises in which the application that launched the suid root process can reach the file opened by the suid process through a pidfd descriptor, even though the file permissions do not allow it.
The exploitable window arises because the "__ptrace_may_access()" function skips the access check if the task->mm field has been set to NULL after exit_mm() but before exit_files() is called. Meanwhile, the pidfd_getfd system call assumes that the user ID (uid) of the calling process matches the user ID authorized to access the file. It is worth noting that this problem was already dealt with in 2020, but it was never properly fixed.
In the exploit that obtains the contents of /etc/shadow, the attack consists of repeatedly launching the suid root /usr/bin/chage utility via fork+execl; that utility reads the contents of /etc/shadow. After the process forks, the pidfd_open system call is made, and a loop over the available pidfd descriptors is performed with the pidfd_getfd system call, with verification via /proc/self/fd. In the sshkeysign_pwn exploit, the same manipulation is performed with the suid root ssh-keysign process.
The issue has not yet been assigned a CVE identifier, and neither a kernel update nor distribution packages have been published yet. The vulnerability is present in kernels 7.0.7, 6.18.30, and 6.12.88, which were released a few hours ago. At the time of writing, only the patch can be applied. Possible workarounds are being discussed, such as setting the sysctl kernel.yama.ptrace_scope=3 or removing the suid root flag from executables on the system (at minimum from the ssh-keysign and chage utilities used in the exploits).
Update: the vulnerability has been assigned the identifier CVE-2026-46333. Kernel updates have been released: Linux 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207, and 5.10.256 include the fix for the vulnerability. The status of the fix in distributions can be tracked on these pages: Debian, Ubuntu, SUSE/openSUSE, RHEL, Gentoo, Arch, Fedora.
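As an added example (not part of the opennet.ru item or of any exploit or kernel code), the following POSIX shell script turns the mitigation advice above into checks an administrator can run on a host: it compares the running kernel against the fixed upstream releases listed in the update, reports whether kernel.yama.ptrace_scope is set to 3, and flags the suid root bit on the utilities the exploits rely on. The /usr/bin/chage path comes from the article; the two ssh-keysign locations are assumed candidate paths for Debian- and Fedora-style layouts. Distribution kernels backport fixes without bumping the upstream version, so the version check is only a hint and the distribution advisories linked above remain authoritative.

```shell
#!/bin/sh
# Added example, not code from the article: defensive checks for the
# pidfd_getfd race (CVE-2026-46333). Fixed upstream releases are taken
# from the article's update; distro kernels may be patched at lower
# version numbers, so treat kernel_is_fixed as a hint only.
FIXED_KERNELS="7.0.8 6.18.31 6.12.89 6.6.139 6.1.173 5.15.207 5.10.256"

# kernel_is_fixed VERSION: succeeds if VERSION (e.g. "6.12.90-generic") is at
# or above the fixed release of its own major.minor series; fails for older
# releases and for series not in the list (unknown, so treat as unpatched).
kernel_is_fixed() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "-generic" etc.
    IFS=. read -r maj min pat _ <<EOF
$ver
EOF
    [ -n "$pat" ] || pat=0
    for f in $FIXED_KERNELS; do
        IFS=. read -r fmaj fmin fpat <<EOF
$f
EOF
        if [ "$maj" = "$fmaj" ] && [ "$min" = "$fmin" ]; then
            [ "$pat" -ge "$fpat" ] && return 0
            return 1
        fi
    done
    return 1
}

# ptrace_scope_is_restricted [FILE]: succeeds if the Yama sysctl (read from
# FILE, default the real /proc path) is 3, i.e. ptrace is disabled entirely,
# which is the sysctl-based workaround mentioned in the article.
ptrace_scope_is_restricted() {
    f=${1:-/proc/sys/kernel/yama/ptrace_scope}
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "3" ]
}

# is_setuid_root PATH: succeeds if PATH exists, is owned by root and carries
# the setuid bit (find -perm -4000 -user root is POSIX; -prune stops descent).
is_setuid_root() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm -4000 -user root -print 2>/dev/null)" ]
}

# report: human-readable summary of the three checks on this host.
report() {
    kv=$(uname -r)
    if kernel_is_fixed "$kv"; then
        echo "kernel $kv: at or above a fixed upstream release"
    else
        echo "kernel $kv: not matched to a fixed upstream release (check distro advisories)"
    fi
    if ptrace_scope_is_restricted; then
        echo "kernel.yama.ptrace_scope=3: ptrace disabled (workaround in place)"
    else
        echo "kernel.yama.ptrace_scope is not 3 (or Yama is unavailable)"
    fi
    # /usr/bin/chage is named in the article; the ssh-keysign paths are
    # assumed candidate locations and may differ on your distribution.
    for b in /usr/bin/chage /usr/lib/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign; do
        if is_setuid_root "$b"; then
            echo "$b: setuid root (candidate for chmod u-s until the kernel is patched)"
        fi
    done
    return 0
}

report
```

Run it as any user; removing the suid bit from a utility (chmod u-s) is a temporary measure that also disables the utility's normal privileged behaviour, so prefer the kernel update once the distribution ships it.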
Source: opennet.ru
