Vulnerabilities in the network libraries of the Rust and Go languages that allow bypassing IP address validation

A vulnerability related to the incorrect handling of IP addresses containing octal digits in address parsing functions has been identified in the standard libraries of the Rust and Go languages. The vulnerability makes it possible to bypass checks for permitted addresses in applications, for example to gain access to loopback interface addresses (127.x.x.x) or intranet subnets when carrying out SSRF (Server-Side Request Forgery) attacks. The vulnerability continues the series of problems previously identified in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662) and Net::Netmask (Perl, CVE-2021-29424).

According to the specification, string values of IP address fields that begin with a zero must be interpreted as octal numbers, but many libraries ignore this and simply drop the zero, treating the value as a decimal number. For example, the number 0177 in octal equals 127 in decimal. An attacker can request a resource by specifying the value "0177.0.0.1", which in decimal corresponds to "127.0.0.1". If a problematic library is used, the application will not detect that the address 0177.0.0.1 lies in the subnet 127.0.0.1/8, but when the request is actually sent it can reach the address "0177.0.0.1", which the network functions will handle as 127.0.0.1. In the same way, a check for access to intranet addresses can be deceived by specifying values such as "012.0.0.1" (equivalent to "10.0.0.1").

In Rust, the standard library "std::net" is affected by the problem (CVE-2021-29922). The IP address parser of this library dropped the zero in front of the values in the address, but only if no more than three digits were specified; for example, "0177.0.0.1" would be treated as an invalid value, while an incorrect result would be returned for 010.8.8.8 and 127.0.026.1. Applications that use std::net::IpAddr when parsing user-supplied addresses may be exposed to SSRF (Server-Side Request Forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks. The vulnerability was fixed in the Rust 1.53.0 branch.


In Go, the standard library "net" is affected (CVE-2021-29923). The built-in net.ParseCIDR function skips leading zeros in front of octal numbers instead of processing them. For example, an attacker can pass the value 00000177.0.0.1, which when checked with net.ParseCIDR(00000177.0.0.1/24) will be handled as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also shows up in the Kubernetes platform. The vulnerability was fixed in the Go release 1.16.3 and in the 1.17 beta.
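The following Go program is an added example, not code from the article or from the Rust or Go standard libraries. It puts the three readings of an IPv4 literal that the text contrasts side by side: the classic inet_aton() convention that the operating system's network stack follows (a leading zero marks an octal field, so "0177.0.0.1" names 127.0.0.1), the defective lenient reading that drops leading zeros and treats the field as decimal (so "00000177.0.0.1" becomes 177.0.0.1), and a strict parser that accepts only canonical dotted decimal, which is the behaviour the fixed Go and Rust releases adopted. The `InSubnet` helper shows why the mismatch matters: a loopback deny-list check that uses the lenient parser lets "0177.0.0.1" through, while the same literal resolves to 127.0.0.1 on the wire. All function names, the sample literals and the 127.0.0.0/8 deny range are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ErrInvalid is returned for any literal a parser refuses.
var ErrInvalid = errors.New("invalid IPv4 literal")

// splitFields enforces the shape common to all three parsers: exactly four non-empty fields.
func splitFields(s string) ([]string, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, ErrInvalid
	}
	for _, p := range parts {
		if p == "" {
			return nil, ErrInvalid
		}
	}
	return parts, nil
}

// inetAtonStyle reads each field the way inet_aton() does: "0x" prefix means hex,
// a leading "0" means octal, anything else is decimal. This is how the network
// stack will interpret the literal when the request is actually sent.
func inetAtonStyle(s string) (net.IP, error) {
	parts, err := splitFields(s)
	if err != nil {
		return nil, err
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		base, digits := 10, p
		switch {
		case strings.HasPrefix(p, "0x") || strings.HasPrefix(p, "0X"):
			base, digits = 16, p[2:]
		case len(p) > 1 && p[0] == '0':
			base, digits = 8, p[1:]
		}
		v, err := strconv.ParseUint(digits, base, 8) // bitSize 8 rejects values above 255
		if err != nil {
			return nil, ErrInvalid
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// lenientDecimal models the defective behaviour described in the text: leading zeros
// are silently stripped and the remainder is read as decimal.
func lenientDecimal(s string) (net.IP, error) {
	parts, err := splitFields(s)
	if err != nil {
		return nil, err
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		trimmed := strings.TrimLeft(p, "0")
		if trimmed == "" {
			trimmed = "0"
		}
		v, err := strconv.ParseUint(trimmed, 10, 8)
		if err != nil {
			return nil, ErrInvalid
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// StrictIPv4 is the defensive parser: only canonical dotted decimal is accepted, so a
// field may not carry a leading zero (unless it is exactly "0") or exceed three digits.
// Rejecting non-canonical text means the validator and the network stack can never
// disagree about which host the literal names.
func StrictIPv4(s string) (net.IP, error) {
	parts, err := splitFields(s)
	if err != nil {
		return nil, err
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		if len(p) > 3 || (len(p) > 1 && p[0] == '0') {
			return nil, ErrInvalid
		}
		for _, c := range p {
			if c < '0' || c > '9' {
				return nil, ErrInvalid
			}
		}
		v, err := strconv.ParseUint(p, 10, 8)
		if err != nil {
			return nil, ErrInvalid
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// InSubnet reports whether literal falls inside cidr when read by the given parser.
// A deny-list check built on lenientDecimal answers "not in 127.0.0.0/8" for
// "0177.0.0.1", although inetAtonStyle (and the kernel) place it there.
func InSubnet(parse func(string) (net.IP, error), literal, cidr string) (bool, error) {
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return false, err
	}
	ip, err := parse(literal)
	if err != nil {
		return false, err
	}
	return network.Contains(ip), nil
}

func main() {
	// Constructed sample literals, including the ones quoted in the text.
	for _, lit := range []string{"0177.0.0.1", "012.0.0.1", "00000177.0.0.1", "010.8.8.8", "127.0.026.1", "127.0.0.1"} {
		lenient, _ := lenientDecimal(lit)
		kernel, _ := inetAtonStyle(lit)
		_, strictErr := StrictIPv4(lit)
		fmt.Printf("%-16s lenient=%-12v inet_aton=%-12v strict_ok=%v\n", lit, lenient, kernel, strictErr == nil)
	}
}
```

The mitigation the example encodes is the one the fixed releases took: refuse any literal that is not canonical dotted decimal, rather than trying to guess which base the caller meant. If an application must accept octal or hex forms, it should normalise them with a parser that matches the network stack (as `inetAtonStyle` does) and run the allow/deny check on the normalised address, never on the raw string.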

Source: opennet.ru