Vulnerability in OverlayFS that allows privilege escalation

A vulnerability (CVE-2023-0386) has been identified in the Linux kernel's implementation of the OverlayFS file system. It can be used to gain root access on systems that have the FUSE subsystem installed and allow OverlayFS partitions to be mounted by an unprivileged user (since the Linux 5.11 kernel, with unprivileged user namespaces enabled). The problem has been fixed in the 6.2 kernel branch. The publication of package updates in distributions can be tracked on the pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.

The attack is carried out by copying files with setgid/setuid flags from a partition mounted in nosuid mode to an OverlayFS partition that has a layer associated with a partition that allows suid files to execute. The vulnerability is similar to the CVE-2021-3847 issue identified in 2021, but differs in its lower exploitation requirements: the old issue required manipulating xattrs, which are restricted when user namespaces are used, while the new issue uses the setgid/setuid bits, which are not specifically handled in a user namespace.

Attack algorithm:

  • Using the FUSE subsystem, a file system is mounted that contains an executable file owned by the root user with setuid/setgid flags, writable by all users. When mounting, FUSE sets the "nosuid" mode.
  • The user and mount namespaces are unshared (user/mount namespace).
  • OverlayFS is mounted with the file system previously created in FUSE as the lower layer and an upper layer based on a writable directory. The upper layer directory must be located on a file system that is mounted without the "nosuid" flag.
  • For the suid file in the FUSE partition, the touch utility changes the modification time, which causes the file to be copied to the upper layer of OverlayFS.
  • When copying, the kernel does not remove the setgid/setuid flags, so the file appears in a partition where setgid/setuid is processed.
  • To obtain root rights, it is enough to run the file with the setgid/setuid flags from the directory attached to the upper layer of OverlayFS.
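The layer arrangement in the steps above (a nosuid lower layer under an upper directory on a suid-capable mount) can be looked for in a process's mount table. The following is an added detection example, not part of the original article; the function names and the sample mount table are constructed, and comma-escaped layer paths are assumed not to occur.

```python
import re

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \040-style octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return (mount_point, mount_options, fstype, super_options) for each line."""
    mounts = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or len(rf) < 3:
            continue  # not a well-formed mountinfo line
        mounts.append((_unescape(lf[4]), set(lf[5].split(",")), rf[0], rf[2]))
    return mounts

def covering_mount(path, mounts):
    """Mount with the longest mount point that prefixes path; later lines win ties."""
    cands = [m for m in mounts if (path + "/").startswith(m[0].rstrip("/") + "/")]
    return max(reversed(cands), key=lambda m: len(m[0]), default=None)

def risky_overlays(text):
    """Overlay mounts with a nosuid lower layer and an upperdir on a non-nosuid mount."""
    mounts, hits = parse_mountinfo(text), []
    for mp, _, fstype, sopts in mounts:
        if fstype != "overlay":
            continue
        opts = dict(o.partition("=")[::2] for o in sopts.split(","))
        upper = opts.get("upperdir")
        up = covering_mount(upper, mounts) if upper else None
        for lower in opts.get("lowerdir", "").split(":"):
            lo = covering_mount(lower, mounts)
            if lo and up and "nosuid" in lo[1] and "nosuid" not in up[1]:
                hits.append({"overlay": mp, "lower": lower, "lower_fs": lo[2], "upper": upper})
    return hits

# Constructed sample in /proc/<pid>/mountinfo format (not captured from a real host)
SAMPLE = """\
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
30 22 0:26 / /tmp rw,nosuid,nodev shared:5 - tmpfs tmpfs rw
41 22 0:45 / /home/u/fuse rw,nosuid,nodev,relatime - fuse.demo demo rw,user_id=1000,group_id=1000
42 22 0:46 / /home/u/merged rw,relatime - overlay overlay rw,lowerdir=/home/u/fuse,upperdir=/home/u/upper,workdir=/home/u/work
43 22 0:47 / /var/lib/c/merged rw,relatime - overlay overlay rw,lowerdir=/var/lib/c/l1:/var/lib/c/l2,upperdir=/var/lib/c/up,workdir=/var/lib/c/wk
"""
```

Because the overlay is mounted inside a private mount namespace, the host's own mount table will not show it; feed `risky_overlays()` the contents of `/proc/<pid>/mountinfo` for each process of interest, read with sufficient privileges.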

In addition, we can note the disclosure by researchers from the Google Project Zero team of information about three vulnerabilities that were fixed in the main branch of the Linux 5.15 kernel but were not carried over to the kernel packages from RHEL 8.x/9.x and CentOS Stream 9.

  • CVE-2023-1252 - Access to an already freed memory area in the ovl_aio_req structure when several operations are performed simultaneously on an OverlayFS deployed on top of an Ext4 file system. Potentially, the vulnerability allows you to escalate your privileges on the system.
  • CVE-2023-0590 - Access to an already freed memory area in the qdisc_graft() function. Exploitation is assumed to be limited to a crash.
  • CVE-2023-1249 - Access to an already freed memory area in the coredump writing code, caused by a missing mmap_lock call in file_files_note. Exploitation is assumed to be limited to a crash.

Source: opennet.ru
