Vulnerabilities in the Netfilter and io_uring subsystems of the Linux kernel
Vulnerabilities have been identified in Netfilter and io_uring that allow a local user to elevate their privileges on the system:
- A vulnerability (CVE-2023-32233) in the Netfilter subsystem caused by a use-after-free memory access in the nf_tables module, which implements the nftables packet filter. It can be exploited by sending specially crafted requests to update the nftables configuration. The attack requires access to nftables, which can be obtained in a separate network namespace if the CLONE_NEWUSER, CLONE_NEWNS or CLONE_NEWNET privileges are available (for example, if an isolated container can be run).
To give users time to install the update, the researcher who found the problem has promised to delay publication of the detailed information and of a working exploit that yields a root shell by one week (until May 15). The vulnerability was fixed in release 6.4-rc1. The progress of the patch in distributions can be tracked on the following pages: Debian, Ubuntu, Gentoo, RHEL, Fedora, SUSE/openSUSE, Arch.
- A vulnerability (CVE not yet assigned) in the Linux kernel's implementation of the io_uring asynchronous I/O interface, which appeared starting with release 5.1. The problem is caused by an error in the io_sqe_buffer_register function that allows physical memory outside the bounds of a statically allocated buffer to be accessed. The problem appears only in the 6.3 branch and will be fixed in the upcoming 6.3.2 update. A working prototype exploit that allows code execution with kernel privileges is already available for testing.
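An added example (not part of the original report): a read-only exposure check for the two issues above, using only the version data the report gives. It assumes the io_uring bug is confined to 6.3.0 and 6.3.1, and that the nf_tables attack needs nftables access via unprivileged user or network namespaces; the sysctl paths it reads are the standard user.max_user_namespaces and the distribution-specific kernel.unprivileged_userns_clone, where present.

```shell
# version_ge A B: exit 0 if dotted version A >= B (non-numeric suffixes count as 0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# io_uring_affected VER: exit 0 if VER (as printed by uname -r) lies in the
# 6.3 branch below 6.3.2, the range the report names for the io_uring bug.
io_uring_affected() {
    v=${1%%-*}                      # "6.3.1-arch1-1" -> "6.3.1"
    version_ge "$v" 6.3 && ! version_ge "$v" 6.3.2
}

# nftables_exposure: report the preconditions the nf_tables bug relies on.
nftables_exposure() {
    if grep -qs '^nf_tables ' /proc/modules; then
        echo "nf_tables: loaded as a module (a built-in nf_tables shows nothing here)"
    else
        echo "nf_tables: not loaded as a module"
    fi
    # user.max_user_namespaces = 0 blocks CLONE_NEWUSER for every user.
    [ -r /proc/sys/user/max_user_namespaces ] &&
        echo "user.max_user_namespaces = $(cat /proc/sys/user/max_user_namespaces)"
    # Debian/Ubuntu/Arch kernels add this knob; 0 blocks unprivileged CLONE_NEWUSER.
    [ -r /proc/sys/kernel/unprivileged_userns_clone ] &&
        echo "kernel.unprivileged_userns_clone = $(cat /proc/sys/kernel/unprivileged_userns_clone)"
    return 0
}

main() {
    ver=$(uname -r)
    echo "kernel: $ver"
    if io_uring_affected "$ver"; then
        echo "io_uring: in the affected 6.3.0-6.3.1 range, update to 6.3.2"
    else
        echo "io_uring: outside the affected 6.3 range"
    fi
    nftables_exposure
}
main
```

The Netfilter fix landed in 6.4-rc1, so on stable kernels the distribution pages listed above, not a version comparison, tell you whether the backport is in.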
source: opennet.ru
