OpenBSD privilege escalation and authentication bypass vulnerabilities in smtpd, ldapd and radiusd

Qualys has disclosed four vulnerabilities in OpenBSD: one allows connecting remotely without authentication to some network services, and the other three escalate privileges on the system. The Qualys report noted the rapid response of the OpenBSD developers: all of the issues were fixed in OpenBSD 6.5 and OpenBSD 6.6 within 40 hours of the private notification.

The remotely exploitable vulnerability is caused by an error in how the authentication handler in the libc library is invoked: it runs the program /usr/libexec/auth/login_style, passing the arguments on the command line. In particular, when login_style is called with the optional parameter "-s service", the protocol name can be passed. If a "-" character is used at the beginning of the username, that name is treated as an option when login_style is run. Accordingly, if "-schallenge" or "-schallenge:passwd" is specified as the username during authentication, login_style will see the request as a request to use the S/Key handler.

The problem is that the S/Key protocol in login_style is only formally supported; in practice it is ignored, and a token of successful authentication is returned. Thus an attacker can, by presenting the username "-challenge", bypass authentication and gain access without providing a password or keys. Any network service that uses the standard libc authentication calls can be affected by the issue. For example, the authentication bypass is confirmed in smtpd (AUTH PLAIN), ldapd and radiusd.
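As an added illustration (not code from the advisory or from OpenBSD), the argv shape described above and the mitigating check a caller should apply before passing an untrusted name positionally; a small hand-written option scan stands in for getopt, and the service and program names are constructed for the example:

```c
#include <stdio.h>
#include <string.h>

#define MAXARGS 8

/* Parsed view of a "login_style -s service user" command line.
 * Constructed illustration of the argument confusion, not OpenBSD code. */
struct login_args {
    const char *service;   /* last -s value seen, or NULL */
    const char *user;      /* first non-option argument, or NULL */
};

/* Minimal getopt-like scan: any element starting with '-' is an option;
 * "-sX" and "-s X" both set the service, and a later -s wins. */
void scan_login_argv(int argc, const char *argv[], struct login_args *out)
{
    out->service = NULL;
    out->user = NULL;
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] == '-') {
            if (argv[i][1] == 's') {
                if (argv[i][2] != '\0')
                    out->service = argv[i] + 2;
                else if (i + 1 < argc)
                    out->service = argv[++i];
            }
            continue;               /* other options are ignored here */
        }
        if (out->user == NULL)
            out->user = argv[i];
    }
}

/* Build the argv a libc-style caller hands to login_style for a password
 * check; "user" arrives untrusted from the client. Returns argc. */
int build_login_argv(const char *user, const char *argv[])
{
    int n = 0;
    argv[n++] = "login_passwd";
    argv[n++] = "-s";
    argv[n++] = "passwd";
    argv[n++] = user;
    argv[n] = NULL;
    return n;
}

/* Mitigation: refuse any name that the child could read as an option.
 * Returns 1 if the name is safe to pass positionally, 0 otherwise. */
int username_is_safe(const char *user)
{
    return user != NULL && user[0] != '\0' && user[0] != '-';
}

/* Which service login_style would end up in for a given username. */
const char *effective_service(const char *user)
{
    const char *argv[MAXARGS];
    struct login_args la;
    int argc = build_login_argv(user, argv);
    scan_login_argv(argc, argv, &la);
    return la.service;
}
```

A plain username leaves the service as "passwd", while a name starting with "-s" silently replaces it, which is exactly what username_is_safe() is there to stop before the child process is ever started.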

The vulnerability does not manifest in sshd, because it has an additional check that verifies the user exists on the system. However, sshd can be used to test whether a system is vulnerable: when logging in with the username "-sresponse:passwd", the connection hangs, because sshd waits for login_passwd to return the challenge parameters, while login_passwd waits for parameters that are never sent (the name "-response" is treated as an option). A local attacker could try to bypass authentication in the su utility, but passing the name "-response" causes the process to crash, because getpwnam_r("-schallenge", ...) returns a null pointer.

Other vulnerabilities:

  • CVE-2019-19520 - Local privilege escalation by manipulating the xlock utility, which ships with the sgid flag and changes its group to "auth". In the xlock code, overriding library paths is forbidden only when the user identifier (setuid) changes, which allows an attacker to set the "LIBGL_DRIVERS_PATH" environment variable and arrange the loading of their own shared library, whose code is executed after privileges have been raised to the "auth" group.
  • CVE-2019-19522 - Allows a local user who is a member of the "auth" group to run code as root when S/Key or YubiKey authentication is enabled on the system (not active by default). Membership in the "auth" group, obtainable by exploiting the xlock vulnerability mentioned above, allows writing files under /etc/skey and /var/db/yubikey. For example, an attacker can add a new file /etc/skey/root to generate one-time keys for authenticating as the root user via S/Key.
  • CVE-2019-19519 - Possibility of raising resource limits through the su utility. When "-L" is specified, which causes authentication attempts to be repeated in a loop on failure, the user class is set only once and is not reset on subsequent attempts. An attacker can run "su -l -L" and on the first attempt try to log in as another user with a different account class, then on the second attempt successfully authenticate as themselves. In that case the user is subject to the limits of the user class determined on the first attempt (for example, the maximum number of processes or the memory size per process). The method only works for borrowing the limits of unprivileged users, since the root user must be in the wheel group.

In addition, the implementation in OpenBSD of a new method for checking the legitimacy of system calls is worth noting, as it further complicates the exploitation of vulnerabilities. The method allows system calls to be made only if they are issued from previously registered memory areas. To mark those memory areas, a new system call, msyscall(), is proposed.

Source: opennet.ru