A vulnerability (1, 2, 3) identified two weeks ago in the Linux kernel allows a local user to elevate their privileges on the system. Two working exploits have been published: sshkeysign_pwn lets an unprivileged user read the contents of the host's private SSH keys, /etc/ssh/ssh_host_*_key, and chage_pwn lets an unprivileged user read the contents of /etc/shadow, which holds users' password hashes.
The vulnerability was not intended for disclosure, but a security researcher was able to identify, from a proposed kernel patch, a flaw that allows reading files accessible only to the root user, such as /etc/shadow. The kernel change corrects how ptrace uses get_dumpable() when ptrace_may_access() decides the level of access to grant.
The flaw is a race condition that gives an unprivileged caller access, through a pidfd, to a file descriptor opened in the context of a suid-root program. Between the moment the file is opened and the moment the suid program drops its privileges (for example, via setreuid), a state arises in which the application that launched the suid-root program can obtain the file opened by the suid program through the process's pidfd, even though the file's permissions do not allow that user to open it.
The exploitable window exists because __ptrace_may_access() skips the get_dumpable()-based check whenever task->mm is NULL, which is the case after exit_mm() has run but before exit_files() has been called, so the exiting task's file table, including the privileged descriptor, is still intact while the check that would normally block access is bypassed. The pidfd_getfd system call relies on that ptrace check and so effectively assumes that a caller whose uid matches the target process's uid is also allowed to access the files the target holds open. Notably, the issue was already discussed in 2020 but was never fixed.
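To make the window concrete, here is an added model of the dumpable gate in __ptrace_may_access() and of the three states a suid-root helper passes through as seen by the unprivileged user who launched it. This is illustration written for this page, not kernel source and not material from the article or the published exploits. The structure names (model_task, model_mm), the collapsed uid/euid credential comparison, the stage bitmask and the "hardened" variant are assumptions made for the example; the hardened variant shows one way to close the window and is not the upstream patch.

```c
/*
 * Added model of the dumpable gate in __ptrace_may_access() (not kernel code).
 * Mirrors the pre-fix shape of the check:
 *     if (mm && get_dumpable(mm) != SUID_DUMP_USER && !ptrace_has_cap(...))
 *             return -EPERM;
 * The conjunction begins with "mm &&", so a task whose exit_mm() has already
 * run (mm == NULL) skips the dumpable test entirely.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SUID_DUMP_DISABLE 0   /* process changed uids: not dumpable */
#define SUID_DUMP_USER    1   /* ordinary dumpable process */

/* Stand-in for the one mm_struct field the gate consults (assumed name). */
struct model_mm { int dumpable; };

/* Stand-in for the task fields the gate consults (assumed name). Credentials
 * are collapsed to uid/euid; the real check also compares suid and the gids. */
struct model_task {
    unsigned int uid;        /* real uid */
    unsigned int euid;       /* effective uid */
    struct model_mm *mm;     /* NULL once exit_mm() has run */
};

/* Caller is assumed unprivileged (no CAP_SYS_PTRACE), so ptrace_has_cap()
 * is modelled as always false and omitted. */
static bool creds_match(const struct model_task *caller,
                        const struct model_task *target)
{
    return caller->euid == target->uid && caller->euid == target->euid;
}

/* Pre-fix gate: a NULL mm short-circuits the dumpable test. */
static bool may_access_vulnerable(const struct model_task *caller,
                                  const struct model_task *target)
{
    if (!creds_match(caller, target))
        return false;
    if (target->mm && target->mm->dumpable != SUID_DUMP_USER)
        return false;
    return true;
}

/* Hardened variant for this example (assumption, not the upstream patch):
 * a task with no mm is refused rather than waved through. */
static bool may_access_hardened(const struct model_task *caller,
                                const struct model_task *target)
{
    if (!creds_match(caller, target))
        return false;
    if (target->mm == NULL)
        return false;
    if (target->mm->dumpable != SUID_DUMP_USER)
        return false;
    return true;
}

typedef bool (*gate_fn)(const struct model_task *, const struct model_task *);

/* Lifecycle stages, returned as a bitmask of the ones the gate allowed. */
enum {
    STAGE_SUID_RUNNING   = 1,   /* helper running with euid 0 */
    STAGE_PRIVS_DROPPED  = 2,   /* helper did setreuid back to the user */
    STAGE_AFTER_EXIT_MM  = 4    /* exit_mm() done, exit_files() not yet */
};

/* Walk a suid-root helper (think chage) through its lifecycle as seen from
 * the unprivileged uid 1000 that launched it, and record at which stages
 * the given gate would let pidfd_getfd() copy its descriptors. */
static unsigned int walk_lifecycle(gate_fn gate)
{
    struct model_mm user_mm = { .dumpable = SUID_DUMP_USER };
    struct model_mm suid_mm = { .dumpable = SUID_DUMP_DISABLE };
    struct model_task caller = { .uid = 1000, .euid = 1000, .mm = &user_mm };
    struct model_task target;
    unsigned int allowed = 0;

    /* 1. suid-root helper executing: euid 0, mm marked non-dumpable at exec. */
    target = (struct model_task){ .uid = 1000, .euid = 0, .mm = &suid_mm };
    if (gate(&caller, &target))
        allowed |= STAGE_SUID_RUNNING;

    /* 2. privileges dropped with setreuid: creds now match the caller,
     *    but the mm stays non-dumpable, so the gate still refuses. */
    target.euid = 1000;
    if (gate(&caller, &target))
        allowed |= STAGE_PRIVS_DROPPED;

    /* 3. exiting: exit_mm() has released the mm, exit_files() has not yet
     *    run, so the privileged fd is still in the table. */
    target.mm = NULL;
    if (gate(&caller, &target))
        allowed |= STAGE_AFTER_EXIT_MM;

    return allowed;
}

int main(void)
{
    printf("vulnerable gate allows stage mask 0x%x\n",
           walk_lifecycle(may_access_vulnerable));
    printf("hardened gate allows stage mask   0x%x\n",
           walk_lifecycle(may_access_hardened));
    return 0;
}
```

The model reproduces the argument of the paragraph above: while the helper is running, either the credential comparison (stage 1) or the dumpable check (stage 2) refuses the caller, and only the exit_mm()-to-exit_files() gap (stage 3) is let through by the pre-fix shape of the check. The exploits described later in the article are essentially a loop racing for that third state.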
In the exploit that retrieves the contents of /etc/shadow, the attack consists of repeatedly launching the suid-root program /usr/bin/chage, which reads /etc/shadow, via fork+execl. After each fork, the pidfd_open system call is used to obtain a pidfd for the child, and a loop then tries to pull the child's open descriptors across with the pidfd_getfd system call, verifying what it got through /proc/self/fd. The sshkeysign_pwn exploit performs the same manipulation with the suid-root program ssh-keysign.
The issue has not yet been assigned a CVE identifier, and distributions have not yet published kernel or package updates. The vulnerability remains open in kernels 7.0.7, 6.18.30 and 6.12.88, released a few hours ago. At the time of writing, only the patch is available. Possible workarounds under discussion include setting the sysctl kernel.yama.ptrace_scope=3 or removing the suid-root flag from executables on the system (at least from the ssh-keysign and chage utilities used by the exploits). Note that ptrace_scope=3 is a one-way setting: once set it cannot be lowered again without a reboot.
Update: the vulnerability has been assigned the identifier CVE-2026-46333. Kernel updates have been released: Linux 7.0.8, 6.18.31, 6.12.89, 6.6.139, 6.1.173, 5.15.207 and 5.10.256 include the fix. The status of the fix in distributions can be tracked on these pages: Debian, Ubuntu, SUSE/openSUSE, RHEL, Gentoo, Arch, Fedora.
Source: opennet.ru
