Vulnerability in OverlayFS allowing privilege escalation

A vulnerability (CVE-2023-0386) has been identified in the Linux kernel's implementation of the OverlayFS file system. It can be used to gain root access on systems that have the FUSE subsystem installed and that allow OverlayFS partitions to be mounted by unprivileged users (starting with the Linux 5.11 kernel, with the inclusion of unprivileged user namespaces). The issue is fixed in the 6.2 kernel branch. The publication of package updates in distributions can be tracked on the pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

The attack is carried out by copying files with the setgid/setuid flags from a partition mounted in nosuid mode to an OverlayFS partition that has a layer associated with a partition that allows suid files to be executed. The vulnerability is similar to the CVE-2021-3847 issue identified in 2021, but differs in its lower exploitation requirements: the old issue required manipulation of xattrs, which is restricted when user namespaces are used, whereas the new issue uses the setgid/setuid bits, which are not specifically handled in the user namespace.

Attack algorithm:

  • Using the FUSE subsystem, a file system is mounted that contains an executable file owned by root with the setuid/setgid flags set and writable by all users. When mounting, FUSE sets the "nosuid" mode.
  • The namespaces for mount points are unshared (user/mount namespace).
  • OverlayFS is mounted with the FS previously created in FUSE as the lower layer and a writable directory as the upper layer. The upper layer must be located on a file system that does not use the "nosuid" flag when mounted.
  • For the suid file on the FUSE partition, the touch utility changes the modification time, which leads to the file being copied up to the upper layer of OverlayFS.
  • When copying, the kernel does not remove the setgid/setuid flags, which causes the file to appear on a partition where setgid/setuid can be honored.
  • To obtain root privileges, it is enough to run the file with the setgid/setuid flags from the directory attached to the upper layer of OverlayFS.
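As an added defender's check (not part of the article), the POSIX shell script below tests the three preconditions the algorithm above relies on: a kernel in the affected window, unprivileged user namespaces enabled, and FUSE available. The 5.11 and 6.2 bounds come from the article; the function names and the `--run` flag are assumptions, and a distribution backport of the fix is not detected by the version test.

```shell
#!/bin/sh
# Added example: assess whether a host meets the preconditions the article
# lists for CVE-2023-0386. Version bounds are from the article; a distro
# kernel may carry a backport, so treat the version test as a first pass.

# version_ge A B : 0 if A >= B, comparing numeric dot-separated parts.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        pa=$(printf '%s' "$a" | cut -d. -f"$i")
        pb=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$pa" ] && [ -z "$pb" ] && return 0
        pa=${pa:-0}; pb=${pb:-0}
        [ "$pa" -gt "$pb" ] && return 0
        [ "$pa" -lt "$pb" ] && return 1
        i=$((i + 1))
    done
}

# exposed_by_version REL : 0 when REL is in the affected window [5.11, 6.2).
exposed_by_version() {
    version_ge "$1" 5.11 && ! version_ge "$1" 6.2
}

# preconditions_met REL MAX_USERNS FUSE : 0 when all three hold.
# MAX_USERNS is /proc/sys/user/max_user_namespaces (0 disables unprivileged
# user namespaces); FUSE is 1 when /dev/fuse exists or the module is loaded.
preconditions_met() {
    exposed_by_version "$1" || return 1
    [ "$2" -gt 0 ] || return 1
    [ "$3" -eq 1 ] || return 1
    return 0
}

# host_check : evaluate the running host and print a verdict.
host_check() {
    rel=$(uname -r)
    userns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
    fuse=0
    if [ -e /dev/fuse ] || grep -q '^fuse ' /proc/modules 2>/dev/null; then fuse=1; fi
    if preconditions_met "$rel" "$userns" "$fuse"; then
        echo "EXPOSED: kernel $rel, max_user_namespaces=$userns, fuse=$fuse"
        echo "Update the kernel; interim: sysctl -w user.max_user_namespaces=0"
        return 0
    fi
    echo "not exposed by these checks: kernel $rel, max_user_namespaces=$userns, fuse=$fuse"
    return 1
}

case "${1:-}" in --run) host_check ;; esac
```

Run it as `sh check.sh --run`; on Debian-based kernels the equivalent sysctl is kernel.unprivileged_userns_clone, which this script does not read.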

Additionally, we can note the disclosure by researchers from the Google Project Zero team of information about three vulnerabilities fixed in the mainline Linux 5.15 kernel branch but not ported to the kernel packages of RHEL 8.x/9.x and CentOS Stream 9.

  • CVE-2023-1252 - Access to an already freed memory area in the ovl_aio_req structure when performing several operations simultaneously on an OverlayFS placed on top of the Ext4 file system. Potentially, the vulnerability allows privileges to be escalated on the system.
  • CVE-2023-0590 - Reference to an already freed memory area in the qdisc_graft() function. Exploitation is presumed to be limited to a crash.
  • CVE-2023-1249 - Access to an already freed memory area in the coredump entry code due to a missing mmap_lock call in fill_files_note. Exploitation is presumed to be limited to a crash.

Source: opennet.ru
