Ukuba sengozini (CVE-2021-4122) kukhonjwe kuphakheji ye-Crypsetup, esetshenziselwa ukubethela izingxenye zediski ku-Linux, okuvumela ukubethela ukuthi kukhutshazwe kuma-partitions kufomethi ye-LUKS2 (Linux Unified Key Setup) ngokulungisa imethadatha. Ukuze kusetshenziswe ubungozi, umhlaseli kufanele abe nokufinyelela ngokomzimba kumidiya ebethelwe, i.e. Indlela inengqondo ikakhulukazi ekuhlaseleni izisetshenziswa zesitoreji sangaphandle ezibethelwe, njengamadrayivu e-Flash, umhlaseli akwazi ukufinyelela kuwo kodwa engayazi iphasiwedi ukuze asuse ukubethela kwedatha.
Ukuhlasela kusebenza kuphela kufomethi ye-LUKS2 futhi kuhlotshaniswa nokusetshenziswa kwemethadatha okunesibopho sokuvula isandiso "sokubethelwa kabusha kwe-inthanethi", okuvumela, uma kudingekile ukushintsha ukhiye wokufinyelela, ukuqalisa inqubo yokubethelwa kabusha kwedatha endizeni. ngaphandle kokumisa umsebenzi ngokuhlukanisa. Njengoba inqubo yokubhala kabusha nokubethela ngokhiye omusha ithatha isikhathi esiningi, "ukubethela kabusha ku-inthanethi" kwenza kube nokwenzeka ukuthi ungaphazamisi umsebenzi ngokuhlukanisa futhi wenze ukubethela kabusha ngemuva, ukubethela kabusha idatha kancane kancane kusuka kukhiye owodwa kuya komunye. . Kungenzeka futhi ukukhetha ukhiye ongenalutho oqondiwe, okuvumela ukuthi uguqule isigaba sibe yifomu elifihliwe.
Umhlaseli angenza izinguquko kumethadatha ye-LUKS2 elingisa ukuhoxiswa komsebenzi wokukhipha ukubethela njengomphumela wokwehluleka futhi azuze ukuchithwa kwemfihlo kwengxenye yesahlukaniso ngemva kokwenza kusebenze kanye nokusetshenziswa kwedrayivu eguquliwe umnikazi. Kulokhu, umsebenzisi oxhume idrayivu eguquliwe futhi wayivula ngephasiwedi efanele akatholi isexwayiso mayelana nenqubo yokubuyisela ukubethelwa kabusha okuphazamisekile ukusebenza futhi angathola kuphela ngenqubekelaphambili yalo msebenzi esebenzisa i-“luks Dump” umyalo. Inani ledatha umhlaseli angakwazi ukulihlehlisa lincike kusayizi wenhlokweni ye-LUKS2, kodwa ngosayizi ozenzakalelayo (16 MiB) lingadlula u-3 GB.
Inkinga ibangelwa ukuthi nakuba ukubethela kabusha kudinga ukubala nokuqinisekisa ama-hashe okhiye abasha nabandala, i-hashi ayidingeki ukuze kuqaliswe ukubethela uma isimo esisha sisikisela ukungabi khona kokhiye wombhalo ongenalutho wokubethela. Ngaphezu kwalokho, imethadatha ye-LUKS2, ecacisa i-algorithm yokubethela, ayivikelekile ekulungisweni uma iwela ezandleni zomhlaseli. Ukuze uvimbele ukuba sengozini, abathuthukisi bengeze ukuvikeleka okwengeziwe kwemethadatha ku-LUKS2, lapho i-hashi eyengeziwe isihloliwe manje, ibalwa ngokusekelwe kokhiye abaziwayo nokuqukethwe kwemethadatha, i.e. umhlaseli ngeke esakwazi ukushintsha imethadatha ngokuyimfihlo ngaphandle kokwazi iphasiwedi yokubhala.
Isimo sokuhlasela esijwayelekile sidinga ukuthi umhlaseli akwazi ukubeka izandla zakhe kudrayivu izikhathi eziningi. Okokuqala, umhlaseli ongayazi iphasiwedi yokufinyelela wenza izinguquko endaweni yemethadatha, okubangela ukuqanjwa kwengxenye yedatha ngesikhathi esilandelayo lapho idrayivu icushwa. Idrayivu ibe isibuyiselwa endaweni yayo futhi umhlaseli uyalinda kuze kube yilapho umsebenzisi eyixhuma ngokufaka iphasiwedi. Uma idivayisi yenziwe yasebenza umsebenzisi, ingemuva lenqubo yokubethela kabusha iyaqalwa, lapho ingxenye yedatha ebethelwe ithathelwa indawo idatha esusiwe. Ngaphezu kwalokho, uma umhlaseli ekwazi ukufaka izandla zakhe kudivayisi futhi, enye idatha ekudrayivu izoba sesimweni esisuswe ukubethela.
Inkinga ikhonjwe umnakekeli wephrojekthi ye-cryptsetup futhi yalungiswa kuzibuyekezo ze-cryptsetup 2.4.3 kanye no-2.3.7. Isimo sezibuyekezo ezikhiqizwayo ukuze kulungiswe inkinga ekusatshalalisweni singalandelelwa kulawa makhasi: Debian, RHEL, SUSE, Fedora, Ubuntu, Arch. Ubungozi buvela kuphela kusukela ekukhishweni kwe-cryptsetup 2.2.0, eyethula usekelo lomsebenzi "wokubethela kabusha ku-inthanethi". Njengendlela yokuvikela, ukuqalisa ngenketho ethi “--disable-luks2-reencryption” kungasetshenziswa.
Source: opennet.ru