A vulnerability in the netfilter subsystem allows code execution at the Linux kernel level

A vulnerability (CVE-2022-25636) has been identified in Netfilter, the Linux kernel subsystem used for filtering and modifying network packets, that allows code execution at the kernel level. An example exploit has been announced that lets a local user elevate their privileges on Ubuntu 21.10 with the KASLR protection mechanism disabled. The problem has been present since kernel 5.4. The fix is currently available as a patch (no corrective kernel releases have been made yet). You can follow the release of package updates in distributions on the following pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

The vulnerability is caused by an error in calculating the size of the flow->rule->action.entries array in the nft_fwd_dup_netdev_offload function (defined in net/netfilter/nf_dup_netdev.c), which can lead to attacker-controlled data being written to memory beyond the bounds of the allocated buffer. The error appears when configuring "dup" and "fwd" rules in chains for which hardware acceleration of packet processing (offload) is used. Because the overflow occurs before the packet filter rule is created and offload support is checked, the vulnerability also applies to network devices that do not support hardware acceleration, such as the loopback interface.

It is noted that the problem is fairly easy to exploit, because values that go beyond the buffer can overwrite a pointer to the net_device structure, and data about the overwritten value is returned to user space, which makes it possible to learn the memory addresses needed to carry out the attack. Exploiting the vulnerability requires creating certain rules in nftables, which is only possible with CAP_NET_ADMIN privileges; an unprivileged user can obtain these in separate network namespaces. The vulnerability can also be used to attack container isolation systems.
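A triage check built from the two conditions described above (kernel 5.4 or later, CAP_NET_ADMIN reachable through namespaces), as an added example that is not part of the original article. It assumes that the sysctls `kernel.unprivileged_userns_clone` (present on Debian/Ubuntu kernels only) and `user.max_user_namespaces` decide whether an unprivileged user can create the namespaces involved; the function names and verdict strings are hypothetical, and a "5.4+" verdict still has to be checked against the distribution's advisory for the patch.

```shell
#!/bin/sh
# Added example: exposure triage for CVE-2022-25636 using the article's facts.
# It does not detect whether the fix is applied; the article names no fixed
# release, so a "5.4+" verdict means "confirm the patch with your distribution".

# Return 0 if the release string is 5.4 or newer (bug present since 5.4).
kernel_in_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "${minor:-0}" -ge 4 ]; }
}

# Return 0 if an unprivileged user can create a user namespace and, through
# it, hold CAP_NET_ADMIN in a new network namespace.
# $1 = kernel.unprivileged_userns_clone, $2 = user.max_user_namespaces.
# Assumption: an empty (unreadable) value is treated as "open" to stay
# conservative.
userns_open() {
    clone=$1 maxns=$2
    [ "$clone" = "0" ] && return 1
    [ -n "$maxns" ] && [ "$maxns" -eq 0 ] && return 1
    return 0
}

# Print a verdict for a kernel release and the two sysctl values.
assess() {
    if ! kernel_in_range "$1"; then
        echo "pre-5.4"
    elif userns_open "$2" "$3"; then
        echo "5.4+:any-local-user"          # nftables rules reachable by any local user
    else
        echo "5.4+:cap_net_admin-only"      # only existing CAP_NET_ADMIN holders
    fi
}

# Read a sysctl file, yielding an empty string when it does not exist.
rd() { cat "$1" 2>/dev/null || true; }

echo "CVE-2022-25636 triage: $(assess "$(uname -r)" \
    "$(rd /proc/sys/kernel/unprivileged_userns_clone)" \
    "$(rd /proc/sys/user/max_user_namespaces)")"
```

A "5.4+:cap_net_admin-only" result narrows who can reach the vulnerable code path; it does not replace installing the patched kernel package.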

Source: opennet.ru
