Linux kernel vulnerability exploitable remotely over Bluetooth

A vulnerability (CVE-2022-42896) has been identified in the Linux kernel that can potentially be used to achieve remote code execution at kernel level by sending a specially crafted L2CAP packet over Bluetooth. In addition, a second issue (CVE-2022-42895) has been identified in the L2CAP handler that can leak the contents of kernel memory in packets carrying configuration information. The first vulnerability has been present since August 2014 (kernel 3.16), the second since October 2011 (kernel 3.0). Both have been fixed in the Linux kernel releases 6.1.0, 6.0.8, 4.9.333, 4.14.299, 4.19.265, 5.4.224, 5.10.154 and 5.15.78. Fixes in distributions can be tracked on the following pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

To demonstrate that a remote attack is feasible, a prototype exploit has been published that works on Ubuntu 22.04. To carry out the attack, the attacker must be within Bluetooth range; prior pairing is not required, but Bluetooth must be enabled on the target machine (on a BlueZ system, "bluetoothctl show" reports whether the adapter is powered). It is sufficient for the attacker to know the MAC address of the victim's device, which can be determined by sniffing or, on some devices, computed from the Wi-Fi MAC address.

The first vulnerability (CVE-2022-42896) is caused by an access to an already freed memory region (use-after-free) in the implementation of the l2cap_connect and l2cap_le_connect_req functions: after a channel is created through the new_connection callback, no lock is taken on it, but a timer is armed (__set_chan_timer). When the timeout expires, the timer calls l2cap_chan_timeout, which cleans up the channel without checking whether the l2cap_le_connect* functions have finished working with it.

The default timeout is 40 seconds, and it was assumed that no race condition could occur with such a delay, but it turned out that, because of another bug in the SMP handler, the timer callback could be triggered immediately, making the race winnable. The problem in l2cap_le_connect_req can lead to a leak of kernel memory, while in l2cap_connect it can lead to memory contents being overwritten and attacker-supplied code being executed. The first attack variant can be carried out over Bluetooth LE 4.0 (available since 2009), the second over Bluetooth BR/EDR 5.2 (available since 2020).
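The lifetime bug described above, reduced to a single-threaded C model. This is an added illustration, not the kernel's code and not the upstream fix: a channel is created by the new_connection step, a timer is armed on it, and the timeout callback tears the channel down. The race is simulated by letting the caller fire the timeout in the middle of the connect handler, and channels live in a small arena with an alive flag so that a use after free is reported instead of corrupting real memory. The arena, the CHAN_* return codes and chan_hold()/chan_put() are assumptions of the model; the latter stand in for the kernel's reference-counting idiom (l2cap_chan_hold()/l2cap_chan_put()), and the hardened handler shows the generic hold-a-reference fix for this class of bug rather than the patch that actually shipped.

```c
/* Added model of the CVE-2022-42896 timer-vs-handler race; not kernel code. */
#include <stdio.h>
#include <string.h>

enum { BT_CLOSED = 0, BT_CONNECT = 1, BT_CONNECT2 = 2 };
enum { CHAN_OK = 0, CHAN_UAF = -1 };

struct chan {
    int alive;        /* 0 once freed; a real kernel would hand the memory to the next allocation */
    int refcnt;
    int state;
    int timer_armed;
};

#define NCHANS 4
static struct chan arena[NCHANS];   /* stand-in for the slab the channels come from */

/* new_connection callback: allocate a channel owned by the connection's channel list (one reference). */
static struct chan *new_connection(void)
{
    for (int i = 0; i < NCHANS; i++) {
        if (!arena[i].alive) {
            arena[i].alive = 1;
            arena[i].refcnt = 1;
            arena[i].state = BT_CONNECT;
            arena[i].timer_armed = 0;
            return &arena[i];
        }
    }
    return NULL;
}

static void chan_free(struct chan *c)
{
    memset(c, 0, sizeof(*c));       /* alive = 0: any later access counts as a use-after-free */
}

/* Model of l2cap_chan_hold()/l2cap_chan_put(): the last reference frees the object. */
static void chan_hold(struct chan *c) { c->refcnt++; }
static void chan_put(struct chan *c)
{
    if (--c->refcnt == 0)
        chan_free(c);
}

static void set_chan_timer(struct chan *c) { c->timer_armed = 1; }

/* Timeout callback (the role of l2cap_chan_timeout): close the channel, drop the list's reference. */
static void chan_timeout(struct chan *c)
{
    if (!c->alive || !c->timer_armed)
        return;
    c->timer_armed = 0;
    c->state = BT_CLOSED;
    chan_put(c);
}

/* The connect handler's continued use of the channel after the timer was armed. */
static int chan_use(struct chan *c, int state)
{
    if (!c->alive)
        return CHAN_UAF;
    c->state = state;
    return CHAN_OK;
}

/* Race helpers: the caller decides whether the timeout fires inside the handler's window. */
void fire_timeout(struct chan *c) { chan_timeout(c); }
void no_timeout(struct chan *c) { (void)c; }

/* Vulnerable shape: nothing pins the channel between new_connection and its last use. */
int connect_vulnerable(void (*race)(struct chan *))
{
    struct chan *c = new_connection();
    if (!c)
        return CHAN_UAF;
    set_chan_timer(c);
    race(c);                          /* timeout runs here and frees the channel under us */
    return chan_use(c, BT_CONNECT2);  /* CHAN_UAF if that happened */
}

/* Hardened shape: the handler holds its own reference for as long as it touches the channel. */
int connect_hardened(void (*race)(struct chan *))
{
    struct chan *c = new_connection();
    if (!c)
        return CHAN_UAF;
    chan_hold(c);
    set_chan_timer(c);
    race(c);                          /* timeout can only drop the list's reference */
    int rc = chan_use(c, BT_CONNECT2);
    chan_put(c);                      /* the object dies here if the timeout already ran */
    return rc;
}

/* Channels still alive in the arena. */
int live_channels(void)
{
    int n = 0;
    for (int i = 0; i < NCHANS; i++)
        n += arena[i].alive;
    return n;
}

int main(void)
{
    printf("vulnerable, timeout in window: %s\n",
           connect_vulnerable(fire_timeout) == CHAN_UAF ? "use-after-free" : "ok");
    printf("hardened, timeout in window:   %s\n",
           connect_hardened(fire_timeout) == CHAN_OK ? "ok" : "use-after-free");
    printf("live channels afterwards: %d\n", live_channels());
    return 0;
}
```

The point of the model is the ownership rule, not the timing: once the timeout callback is allowed to run at any moment, the only safe handler is one that owns a reference to the object for the whole time it touches it.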

The second vulnerability (CVE-2022-42895) is caused by a leak of residual memory in the l2cap_parse_conf_req function, which can be used to remotely obtain information about pointers to kernel structures by sending specially crafted configuration requests. l2cap_parse_conf_req used an l2cap_conf_efs structure whose memory was not initialised beforehand, and by manipulating the FLAG_EFS_ENABLE flag it was possible to have stale stack data included in the response packet. The problem only manifests on systems whose kernel is built with the CONFIG_BT_HS option (disabled by default, but enabled in some distributions, such as Ubuntu; on Debian-derived systems the setting for the running kernel can be read from /boot/config-$(uname -r)). A successful attack additionally requires the HCI_HS_ENABLED parameter to be set to true through the management interface (not enabled by default).
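A minimal model of the uninitialised-EFS leak, added here as an illustration rather than taken from the kernel: an L2CAP configuration request is parsed as a sequence of type/length/value options, and the responder echoes an EFS option whenever FLAG_EFS_ENABLE is set, taking it from a local struct that is only filled in if the request carried one. stale_stack[] is an assumption of the model: it stands in for whatever the previous call left in the slot where that local would live, and is seeded with a fake kernel pointer so the leak is visible and deterministic. The hardened variant zero-initialises the struct before use. The option number and the field layout follow the kernel's l2cap_conf_efs; the function names and the MTU-only request are constructed for the example.

```c
/* Added model of the CVE-2022-42895 stale-stack leak; not kernel code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define L2CAP_CONF_EFS   0x06
#define FLAG_EFS_ENABLE  (1u << 0)

struct l2cap_conf_efs {           /* same field layout as the kernel's struct, 16 bytes */
    uint8_t  id;
    uint8_t  stype;
    uint16_t msdu;
    uint32_t sdu_itime;
    uint32_t acc_lat;
    uint32_t flush_to;
} __attribute__((packed));

/* "Stale stack": what an earlier call left in the slot where `efs` will live (model assumption). */
static uint8_t stale_stack[sizeof(struct l2cap_conf_efs)];

void leave_pointer_on_stack(uint64_t fake_kernel_ptr)
{
    memset(stale_stack, 0x41, sizeof stale_stack);
    memcpy(stale_stack, &fake_kernel_ptr, sizeof fake_kernel_ptr);
}

/* Append one <type><len><value> option; returns the new length, or -1 if it would not fit. */
static int add_conf_opt(uint8_t *rsp, int len, int cap, uint8_t type, const void *val, uint8_t vlen)
{
    if (len < 0 || len + 2 + vlen > cap)
        return -1;
    rsp[len] = type;
    rsp[len + 1] = vlen;
    memcpy(rsp + len + 2, val, vlen);
    return len + 2 + vlen;
}

/* Walk the request's options; copy a well-formed EFS option into *efs.  Returns 1 if one was present. */
static int parse_req(const uint8_t *req, int len, struct l2cap_conf_efs *efs)
{
    int found = 0;
    for (int i = 0; i + 2 <= len; ) {
        uint8_t type = req[i], olen = req[i + 1];
        if (i + 2 + olen > len)
            break;                    /* truncated option: stop parsing */
        if (type == L2CAP_CONF_EFS && olen == sizeof *efs) {
            memcpy(efs, req + i + 2, sizeof *efs);
            found = 1;
        }
        i += 2 + olen;
    }
    return found;
}

/* Vulnerable shape: efs is only written when the request carried EFS, yet echoed whenever the flag is set. */
int parse_conf_req_vulnerable(const uint8_t *req, int len, unsigned flags, uint8_t *rsp, int cap)
{
    struct l2cap_conf_efs *efs = (struct l2cap_conf_efs *)stale_stack;  /* models an uninitialised local */
    parse_req(req, len, efs);
    int out = 0;
    if (flags & FLAG_EFS_ENABLE)
        out = add_conf_opt(rsp, out, cap, L2CAP_CONF_EFS, efs, sizeof *efs);
    return out;
}

/* Hardened shape: zero the local first, so a request without EFS yields an all-zero EFS option. */
int parse_conf_req_hardened(const uint8_t *req, int len, unsigned flags, uint8_t *rsp, int cap)
{
    struct l2cap_conf_efs efs;
    memset(&efs, 0, sizeof efs);
    parse_req(req, len, &efs);
    int out = 0;
    if (flags & FLAG_EFS_ENABLE)
        out = add_conf_opt(rsp, out, cap, L2CAP_CONF_EFS, &efs, sizeof efs);
    return out;
}

/* First 8 bytes of the EFS value in a response, as the host-order integer an attacker reads back. */
uint64_t leaked_qword(const uint8_t *rsp, int len)
{
    uint64_t v = 0;
    if (len < 2 + 8 || rsp[0] != L2CAP_CONF_EFS)
        return 0;
    memcpy(&v, rsp + 2, sizeof v);
    return v;
}

/* End to end: seed the stale stack, send a constructed request carrying only an MTU option,
 * and return what the EFS option in the response reveals. */
uint64_t leak_demo(int hardened, uint64_t fake_kernel_ptr)
{
    const uint8_t req[] = { 0x01, 0x02, 0xf7, 0x02 };   /* L2CAP_CONF_MTU = 0x02f7, no EFS */
    uint8_t rsp[32];
    leave_pointer_on_stack(fake_kernel_ptr);
    int n = hardened
        ? parse_conf_req_hardened(req, sizeof req, FLAG_EFS_ENABLE, rsp, sizeof rsp)
        : parse_conf_req_vulnerable(req, sizeof req, FLAG_EFS_ENABLE, rsp, sizeof rsp);
    return leaked_qword(rsp, n);
}

int main(void)
{
    uint64_t p = 0xffff88810123abc0ULL;
    printf("vulnerable: response carries 0x%llx\n", (unsigned long long)leak_demo(0, p));
    printf("hardened:   response carries 0x%llx\n", (unsigned long long)leak_demo(1, p));
    return 0;
}
```

The leak is only reachable when the responder decides to echo EFS (the flag) while the request gave it nothing to echo; a request that does carry a well-formed EFS option is copied back unchanged by both variants, which is why the bug survived as long as it did.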

Source: opennet.ru
