Vulnerability in uClibc and uClibc-ng that allows data to be spoofed in the DNS cache

In the standard C libraries uClibc and uClibc-ng, which are used in many embedded and portable devices, a vulnerability has been identified (no CVE has been assigned) that allows fictitious data to be inserted into the DNS cache. This can be used to replace the IP address of a domain in the cache and redirect requests for that domain to the attacker's server.

The problem affects various Linux firmware for routers, access points, and Internet of Things devices, as well as embedded Linux distributions such as OpenWRT and Embedded Gentoo. It is noted that the vulnerability appears in devices from many manufacturers (for example, uClibc is used in Linksys, Netgear and Axis firmware), but since the vulnerability remains unfixed in uClibc and uClibc-ng, detailed information about the specific devices and manufacturers whose products are affected has not yet been disclosed.

The vulnerability is caused by the use of predictable transaction identifiers in the code that sends DNS queries. The DNS request identifier was chosen by simply incrementing a counter, without additional randomization of port numbers, which made it possible to poison the DNS cache by sending UDP packets with fictitious responses in advance (a response is accepted if it arrives before the response from the real server and carries the correct ID). Unlike the Kaminsky method proposed in 2008, the transaction identifier does not even need to be guessed, since it is predictable from the start (the value is initially set to 1 and is incremented with each request, rather than chosen randomly).


To protect against brute-forcing of the identifier, the specification additionally recommends randomizing the source network port numbers from which DNS requests are sent, which compensates for the insufficient size of the identifier. With port randomization enabled, forging a fictitious response requires picking the network port number in addition to the 16-bit identifier. In uClibc and uClibc-ng, such randomization was not explicitly enabled (a random source UDP port was not specified when calling bind), and whether it was applied depended on operating system settings.

If port randomization is disabled, determining the incremented request ID is described as a trivial task. But even when randomization is used, the attacker only needs to guess the network port from the range 32768–60999, for which they can send a large number of fictitious responses to different network ports simultaneously.
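An added example, not from the original article or the uClibc project: a passive check over outgoing DNS queries captured from a device you administer, flagging the two properties described above (counter-style transaction IDs and a non-randomized source port). The capture data is constructed, and the names `build_query`, `txid_of`, `audit` and `match_space` are hypothetical.

```python
import struct

PORT_RANGE = (32768, 60999)  # source port range quoted in the article

def build_query(txid, name="example.com"):
    """Build a minimal DNS A query (used only to construct sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def txid_of(payload):
    """The transaction ID is the first 16 bits of the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", payload[:2])[0]

def audit(queries):
    """queries: list of (source_port, udp_payload) in capture order."""
    if len(queries) < 3:
        raise ValueError("need at least 3 queries to judge")
    ids = [txid_of(p) for _, p in queries]
    ports = {sp for sp, _ in queries}
    # A plain counter shows a constant step of 1 (modulo 2**16 on wrap-around).
    sequential = {(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])} == {1}
    fixed_port = len(ports) == 1
    # Number of (ID, port) combinations a forged reply would have to match.
    # Assumption: IDs that are not a counter are treated as uniformly random,
    # so the figure is an upper bound, not a measurement of entropy.
    id_space = 1 if sequential else 1 << 16
    port_space = 1 if fixed_port else PORT_RANGE[1] - PORT_RANGE[0] + 1
    return {"sequential_ids": sequential, "fixed_source_port": fixed_port,
            "match_space": id_space * port_space}

# Constructed captures (not real traffic): (source port, query payload).
COUNTER_FIXED_PORT = [(40000, build_query(i)) for i in (1, 2, 3, 4)]
COUNTER_RANDOM_PORT = [(41234, build_query(7)), (52011, build_query(8)),
                       (33900, build_query(9))]
RANDOM_BOTH = [(41234, build_query(0x9C41)), (52011, build_query(0x12F0)),
               (33900, build_query(0xE7A3))]

if __name__ == "__main__":
    for label, capture in [("counter, fixed port", COUNTER_FIXED_PORT),
                           ("counter, random port", COUNTER_RANDOM_PORT),
                           ("random ID and port", RANDOM_BOTH)]:
        print(label, audit(capture))
```

A `match_space` of 1 corresponds to the case the article calls trivial; 28232 is the port range alone, the case where only the port remains to be guessed.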


The problem has been confirmed in all current releases of uClibc and uClibc-ng, including the latest versions, uClibc 0.9.33.2 and uClibc-ng 1.0.40. In September 2021, information about the vulnerability was sent to CERT/CC to coordinate the preparation of fixes. In January 2022, data about the problem was shared with more than 200 manufacturers cooperating with CERT/CC. In March, there was an attempt to contact the maintainer of the uClibc-ng project separately, who replied that they were unable to fix the vulnerability on their own and recommended publicly disclosing information about the problem, in the hope of getting help from the community in developing a fix. Among manufacturers, NETGEAR has announced the release of an update that removes the vulnerability.

Source: opennet.ru
