Kwiilayibrari eziqhelekileyo ze-C uClibc kunye ne-uClibc-ng, ezisetyenziswa kwizixhobo ezininzi ezifakwe kunye neziphathwayo, ubuthathaka buchongiwe (i-CVE ayabiwanga) evumela ukuba idatha yenkohliso ifakwe kwi-cache ye-DNS, engasetyenziselwa ukutshintsha idilesi ye-IP. yesizinda esingenasizathu kwi-cache kwaye uqondise kwakhona izicelo kwi-domain kumncedisi womhlaseli.
Umba uchaphazela ii-firmwares ze-Linux ezahlukeneyo kwii-routers, iindawo zokufikelela, kunye ne-Intanethi yezixhobo ze-Intanethi, kunye nokuhanjiswa kwe-Linux edibeneyo njenge-OpenWRT kunye ne-Embedded Gentoo. Kuqatshelwe ukuba ubuthathaka bubonakala kwizixhobo ezivela kubavelisi abaninzi (umzekelo, iClibc isetyenziswa kwi-Linksys, iNetgear kunye ne-Axis firmware), kodwa ekubeni ubuthathaka buhlala bungalungiswanga kwi-uClibc kunye ne-uClibc-ng, ulwazi oluneenkcukacha malunga nezixhobo ezithile kunye nabavelisi abanemveliso yabo. ingxaki ikhona.ayikachazwa.
Ukuba sesichengeni kungenxa yosetyenziso lwezichongi zentengiselwano ezinokuqikelelwa kwikhowudi yokuthumela imibuzo ye-DNS. Inombolo yokuchonga yesicelo se-DNS ikhethwe ngokunyusa i-counter ngaphandle kokusebenzisa i-randomization eyongezelelweyo yeenombolo ze-port, okwenza kube lula ukutyhefa i-DNS cache ngokuthumela kwangaphambili iipakethi ze-UDP kunye neempendulo ezikhohlisayo (impendulo iya kwamkelwa ukuba ifike ngaphambili. impendulo evela kumncedisi wokwenene kwaye ibandakanya i-ID echanekileyo). Ngokungafaniyo nendlela ye-Kaminsky ecetywayo kwi-2008, isazisi sokuthengiselana akufuneki nokuba siqikelelwe, ekubeni siqikelelwa ekuqaleni (ixabiso libekwe okokuqala kwi-1, elonyuswa ngesicelo ngasinye, kunokuba likhethwe ngokungaqhelekanga).
Ukukhusela ngokuchasene nesixhobo esikhohlakeleyo sokuchonga, inkcazo icebisa ukongezelela ukusebenzisa unikezelo olungakhethiyo lwamanani amazibuko othungelwano lwemvelaphi apho izicelo ze-DNS zithunyelwa khona, nto leyo ebuyekeza ubungakanani obungonelanga besichongi. Xa uvumela izibuko ngokungakhethiyo ukuvelisa impendulo eyinyani, ukongeza ekukhetheni isichongi se-16-bit, kufuneka ukhethe inombolo yezibuko lothungelwano. Kwi-uClibc kunye ne-uClibc-ng, loo randomisation ayenziwanga ngokucacileyo (xa ufowuna ubophelela, i-random source UDP port ayizange ixelwe) kwaye ukusetyenziswa kwayo kuxhomekeke kwizicwangciso zesixokelelwano esisebenzayo.
Xa i-pot randomization ivaliwe, ukugqiba i-ID yesicelo esongeziweyo iphawulwe njengomsebenzi omncinci. Kodwa nokuba i-randomization isetyenzisiwe, umhlaseli ufuna kuphela ukuqikelela i-port yenethiwekhi ukusuka kuluhlu lwe-32768-60999, apho banokusebenzisa ukuthunyelwa okukhulu ngaxeshanye kweempendulo ezingeyonyani kumazibuko ahlukeneyo womnatha.
Ingxaki iqinisekisiwe kulo lonke ukhupho lwangoku lwe-uClibc ne-uClibc-ng, kuquka neenguqulelo zamva nje ze-uClibc 0.9.33.2 kunye ne-uClibc-ng 1.0.40. NgoSeptemba 2021, ulwazi malunga nokuba sesichengeni lwathunyelwa kwi-CERT/CC ukuze lulungelelaniselwe ukulungiswa. NgoJanuwari 2022, idatha kwingxaki yabelwana ngayo nabavelisi abangaphezu kwama-200 abasebenzisana neCERT / CC. Ngo-Matshi, kuye kwakho iinzame zokuqhagamshelana ngokwahlukeneyo nomlondolozi weprojekthi ye-uClibc-ng, kodwa waphendula ngelithi akakwazanga ukulungisa ubuthathaka eyedwa kwaye wacebisa ukuba adize esidlangalaleni ulwazi malunga nale ngxaki, ngethemba lokufumana uncedo ekuphuhliseni ubuthathaka. lungisa kuluntu. Phakathi kwabavelisi, i-NETGEAR ibhengeze ukukhutshwa kohlaziyo olususa ubungozi.
umthombo: opennet.ru