Vulnerability in the netfilter subsystem that allows code execution at the Linux kernel level

A vulnerability (CVE-2022-25636) has been identified in Netfilter, the Linux kernel subsystem used to filter and modify network packets, that allows code execution at the kernel level. It has been announced that an example exploit has been prepared that allows a local user to elevate their privileges on Ubuntu 21.10 with the KASLR protection mechanism disabled. The problem appears starting with kernel 5.4. The fix is so far available only as a patch (corrective kernel releases have not yet been made). You can follow the publication of package updates in distributions on these pages: Debian, SUSE, Ubuntu, RHEL, Fedora, Gentoo, Arch Linux.

The vulnerability is caused by an error in calculating the size of flow->rule->action.entries in the nft_fwd_dup_netdev_offload function (defined in the file net/netfilter/nf_dup_netdev.c), which can lead to attacker-controlled data being written to a memory area beyond the boundary of the allocated buffer. The error appears when setting up "dup" and "fwd" rules in chains for which hardware acceleration of packet processing (offload) is used. Since the overflow occurs before the packet filter rule is created and offload support is checked, the vulnerability also applies to network devices that do not support hardware acceleration, such as the loopback interface.

It is noted that the problem is simple to exploit, since values that go beyond the buffer can overwrite a pointer in the net_device structure, and data about the overwritten value is returned to user space, which makes it possible to find out the memory addresses needed to carry out the attack. Exploiting the vulnerability requires creating certain rules in nftables, which is possible only with CAP_NET_ADMIN privileges, which can be obtained by an unprivileged user in a separate network namespace. The vulnerability can also be used to attack container isolation systems.
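
The two preconditions the article gives (a kernel from 5.4 onward, and CAP_NET_ADMIN obtainable by an unprivileged user through a separate network namespace) can be checked on a host as follows. This is an added example, not part of the original article; the sysctl files kernel.unprivileged_userns_clone (a Debian/Ubuntu kernel patch) and user.max_user_namespaces, the function names and the verdict strings are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article): precondition check for CVE-2022-25636.
# A kernel in range may already carry the distribution's patch; this script
# cannot see that, so confirm against the distribution's advisory.

is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# kernel_in_range RELEASE -> 0 if 5.4 or later, 1 if older, 2 if unparseable.
kernel_in_range() {
    rel=${1%%[-+]*}                      # strip distro suffix: 5.13.0-30-generic -> 5.13.0
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    is_num "$major" && is_num "$minor" || return 2
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]
}

# userns_open CLONE MAXNS -> 0 if unprivileged users can create a user
# namespace (and, inside it, a network namespace where they hold CAP_NET_ADMIN).
# CLONE: kernel.unprivileged_userns_clone (empty when the sysctl does not exist)
# MAXNS: user.max_user_namespaces (0 disables user namespaces)
userns_open() {
    [ "${1:-1}" != "0" ] && [ "${2:-1}" != "0" ]
}

# assess RELEASE CLONE MAXNS -> prints one verdict word.
assess() {
    kernel_in_range "$1" && rc=0 || rc=$?
    case "$rc" in
        2) echo "unknown-kernel-release" ;;
        1) echo "kernel-older-than-5.4" ;;
        *) if userns_open "$2" "$3"; then echo "reachable-by-unprivileged-users"
           else echo "reachable-with-cap-net-admin-only"; fi ;;
    esac
}

# Live run: read the three inputs from this host (absent files give an empty string).
clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || true)
maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || true)
echo "CVE-2022-25636 preconditions: $(assess "$(uname -r)" "$clone" "$maxns")"
```

A verdict of reachable-with-cap-net-admin-only still leaves the bug reachable from any process or container that was granted CAP_NET_ADMIN.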

Source: opennet.ru