Local vulnerability in nftables that allows privilege escalation

A vulnerability (no CVE assigned) has been identified in Netfilter, the Linux kernel subsystem used to filter and modify network packets, that allows a local user to execute code at the kernel level and elevate their privileges on the system. Researchers have demonstrated an exploit that allows a local user to gain root privileges on Ubuntu 22.04 with kernel 5.15.0-39-generic. Information about the vulnerability was originally scheduled for publication on August 15, but the disclosure embargo was lifted because an email containing the exploit prototype was copied to a public mailing list.

The problem has been present since the 5.8 kernel release and is caused by a buffer overflow in the code that handles set lists in the nf_tables module, which arose from the lack of proper checks in the nft_set_elem_init function. The bug was introduced by a change that expanded the storage area for list elements to 128 bytes.

The attack requires access to nftables, which can be obtained in a separate network namespace given CLONE_NEWUSER, CLONE_NEWNS, or CLONE_NEWNET rights (for example, if you can run an isolated container). A fix is not yet available. To block exploitation of the vulnerability on ordinary systems, make sure that the ability of unprivileged users to create namespaces is disabled ("sudo sysctl -w kernel.unprivileged_userns_clone=0").
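A host can be checked against the two conditions described above (kernel 5.8 or later, unprivileged user namespaces enabled) with a short script; this is an added example, not code from the original article. The function names and verdict strings are hypothetical, the check of the upstream user.max_user_namespaces knob is an assumption beyond the article, and the version test knows nothing about fixed kernels because the article names none.

```shell
#!/bin/sh
# Added example (not from the article): classify a host against the two
# conditions the article names: kernel >= 5.8 and unprivileged user namespaces.

# Echo "yes"/"no"/"unknown": is RELEASE (e.g. 5.15.0-39-generic) >= 5.8?
kernel_in_range() {
    rel=${1%%-*}                 # drop distro suffix: 5.15.0-39-generic -> 5.15.0
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Echo "disabled" when either knob is 0, else "enabled".
# $1: kernel.unprivileged_userns_clone (Debian/Ubuntu knob; empty if absent)
# $2: user.max_user_namespaces (upstream knob; assumption beyond the article)
userns_state() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then echo disabled; else echo enabled; fi
}

# Combine both checks into one verdict.
assess() {
    case "$(kernel_in_range "$1")" in
        no)      echo not-in-range; return 0 ;;
        unknown) echo unknown;      return 0 ;;
    esac
    if [ "$(userns_state "$2" "$3")" = disabled ]; then
        echo mitigated      # unprivileged users cannot create the namespace
    else
        echo exposed        # an unprivileged user can reach nftables via a userns
    fi
}

# Print a sysctl file's value, or nothing when the knob does not exist.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; fi
}

# Report for the machine this runs on.
echo "$(uname -r): $(assess "$(uname -r)" \
    "$(read_knob /proc/sys/kernel/unprivileged_userns_clone)" \
    "$(read_knob /proc/sys/user/max_user_namespaces)")"
```

A "mitigated" verdict covers unprivileged users only; accounts that already hold CAP_NET_ADMIN can still reach nftables.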

Source: opennet.ru
