Vulnerabilities identified in Linux that can be exploited via Bluetooth


If exploited, these flaws could allow an attacker to gain unauthorized access to sensitive information or, more generally, to compromise the system.

News recently broke that two vulnerabilities have been identified in the Linux kernel (tracked as CVE-2022-42896 and CVE-2022-42895) that could potentially be used to achieve remote code execution at kernel level, or to leak kernel memory, by sending specially crafted L2CAP packets over Bluetooth.

The first vulnerability (CVE-2022-42896) is a use-after-free: an access to an already freed memory region in the implementation of the l2cap_connect and l2cap_le_connect_req functions.

The flaw is triggered after a channel is created through the new_connection callback, which does not hold the lock while doing so but does arm a timer (__set_chan_timer). When the timer expires, l2cap_chan_timeout is called and tears the channel down without checking whether the l2cap_le_connect* functions have finished working with it.

The default timeout is 40 seconds, and it was assumed that a race condition could not occur with such a long delay. It turned out, however, that because of another bug in the SMP (Security Manager Protocol) code, the timer can be made to fire early enough to reach the race condition.

The problem in l2cap_le_connect_req can lead to a leak of kernel memory, while in l2cap_connect it allows memory contents to be overwritten and attacker-controlled code to run. The first variant of the attack can be carried out over Bluetooth LE 4.0 (available since 2009), the second over Bluetooth BR/EDR 5.2 (since 2020).
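To make the lifetime problem concrete, here is an added user-space model of the race described above. It is not kernel code and not the fix in the commit linked below: a connect handler creates a channel whose timeout can tear it down before the handler is done, and the hold_ref path shows the usual defence of pinning the object with a reference for the handler's lifetime. Every name in it (chan, chan_hold, chan_put, new_connection, chan_timeout, handle_connect_req) is the example's own, the freed state is tracked with a flag instead of a real free so the late access is observable rather than undefined behaviour, and the timer is simply fired inside the window where the article says the SMP bug makes it reachable.

```c
/* Added example, not kernel code: a user-space model of the lifetime race
 * behind CVE-2022-42896.  A channel is created and its timeout armed; if the
 * timeout fires while the connect handler is still working on the channel,
 * the handler touches an object that has already been torn down.  All names
 * are the example's own, and "freed" is a flag rather than a real free() so
 * that the late access is observable instead of undefined behaviour. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum chan_state { CHAN_CONNECT, CHAN_CLOSED };

enum outcome { OUTCOME_RSP_SENT, OUTCOME_REQ_ABORTED, OUTCOME_USE_AFTER_FREE };

struct chan {
    int refcnt;              /* holders currently keeping the object alive */
    enum chan_state state;
    bool freed;              /* demo-only: stands in for kfree() having run */
};

static int frees;            /* how many channels have reached refcnt 0 */

static void chan_hold(struct chan *c) { c->refcnt++; }

static void chan_put(struct chan *c)
{
    if (--c->refcnt == 0) {  /* last reference gone: real code would free here */
        c->freed = true;
        frees++;
    }
}

/* new_connection analogue: allocate the channel (one reference for its owner)
 * and arm the timeout, which in this model holds a reference of its own. */
static struct chan *new_connection(void)
{
    struct chan *c = calloc(1, sizeof *c);
    c->refcnt = 1;
    c->state = CHAN_CONNECT;
    chan_hold(c);            /* the armed timer's reference */
    return c;
}

/* Timer callback analogue of l2cap_chan_timeout: close the channel.  In this
 * model the close path releases the owner's reference and the timer then drops
 * its own, so with no other holder the object is gone when this returns. */
static void chan_timeout(struct chan *c)
{
    c->state = CHAN_CLOSED;
    chan_put(c);             /* owner's reference, released by the close path */
    chan_put(c);             /* timer's reference */
}

/* Connect-request handler.  fire_timer_midway simulates the timeout expiring
 * inside the window between creating the channel and finishing the request.
 * hold_ref enables the defence: pin the channel for the handler's lifetime. */
static enum outcome handle_connect_req(bool hold_ref, bool fire_timer_midway)
{
    struct chan *c = new_connection();
    enum outcome r;

    if (hold_ref)
        chan_hold(c);

    if (fire_timer_midway)
        chan_timeout(c);

    /* ... the handler keeps using the channel, as l2cap_connect did ... */
    if (c->freed)
        r = OUTCOME_USE_AFTER_FREE;     /* in the kernel: a read of freed memory */
    else if (c->state == CHAN_CLOSED)
        r = OUTCOME_REQ_ABORTED;        /* pinned object: the close is visible, bail out */
    else
        r = OUTCOME_RSP_SENT;

    if (hold_ref)
        chan_put(c);                    /* drop the handler's pin */
    if (!fire_timer_midway)
        chan_timeout(c);                /* normal case: timeout fires after the request */

    free(c);                            /* every path above has reached refcnt 0 by now */
    return r;
}

int main(void)
{
    static const char *names[] = { "response sent", "request aborted", "use-after-free" };
    printf("no pin, timer fires mid-request:   %s\n", names[handle_connect_req(false, true)]);
    printf("pinned, timer fires mid-request:   %s\n", names[handle_connect_req(true, true)]);
    printf("no pin, timer fires after request: %s\n", names[handle_connect_req(false, false)]);
    return 0;
}
```

The point of the pinned variant is not that the close stops happening, but that the handler observes a closed, still-valid object and can abort cleanly instead of reading memory that has already been returned to the allocator.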

There are use-after-free vulnerabilities in the Linux kernel's l2cap_connect and l2cap_le_connect_req functions in net/bluetooth/l2cap_core.c that may allow code execution and leaking kernel memory (respectively) remotely via Bluetooth. A remote attacker could execute code leaking kernel memory via Bluetooth if within proximity of the victim. We recommend upgrading past commit https://github.com/torvalds/linux/commit/711f8c3fb3db61897080468586b970c87c61d9e4

The second vulnerability identified (tracked as CVE-2022-42895) is caused by a leak of residual memory in the l2cap_parse_conf_req function, which can be used to remotely obtain information about pointers to kernel structures by sending specially crafted configuration requests.

Regarding this vulnerability, it is noted that l2cap_parse_conf_req uses an l2cap_conf_efs structure whose memory is not initialized beforehand, and that by manipulating the FLAG_EFS_ENABLE flag it was possible to get stale stack data included in the outgoing packet.

The channel flag FLAG_EFS_ENABLE, rather than the remote_efs variable, was used to decide whether the l2cap_conf_efs efs structure should be used. It is possible to set FLAG_EFS_ENABLE without sending any EFS configuration data, and in that case the uninitialized l2cap_conf_efs efs structure is sent back to the remote client, leaking the contents of kernel memory, including kernel pointers.
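The following is an added, reduced model of that configuration-response path, written for this article rather than taken from the kernel. The option framing (type, length, value) and the 16-byte EFS option layout follow the Bluetooth specification; the chan structure, the build_rsp_vulnerable and build_rsp_fixed helpers and the two sample requests are constructed for the example, and the 0x41 fill stands in for whatever an earlier function left on the stack. The vulnerable builder decides on the flag alone and never initializes the structure; the fixed builder zero-initializes it and also requires that the peer actually sent an EFS option (remote_efs).

```c
/* Added example, not kernel code: a reduced model of the L2CAP config-response
 * path behind CVE-2022-42895.  Option framing (type, length, value) and the
 * 16-byte EFS layout follow the Bluetooth Core spec; everything else (chan,
 * build_rsp_*, the sample requests) is constructed for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_CONF_MTU   0x01
#define L2CAP_CONF_EFS   0x06
#define FLAG_EFS_ENABLE  (1u << 0)
#define STALE_BYTE       0x41   /* constructed stand-in for leftover stack data */

struct l2cap_conf_efs {         /* 16 bytes on the wire */
    uint8_t  id, stype;
    uint16_t msdu;
    uint32_t sdu_itime, acc_lat, flush_to;
} __attribute__((packed));

struct chan { unsigned long flags; };

/* Walk the TLV options of a config request; copy an EFS option out if present.
 * Returns whether the peer actually sent one. */
static bool parse_options(const uint8_t *req, size_t len, struct l2cap_conf_efs *efs)
{
    bool remote_efs = false;
    for (size_t off = 0; off + 2 <= len; ) {
        uint8_t type = req[off], olen = req[off + 1];
        if (off + 2 + olen > len)
            break;                          /* truncated option: stop parsing */
        if (type == L2CAP_CONF_EFS && olen == sizeof *efs) {
            memcpy(efs, req + off + 2, olen);
            remote_efs = true;
        }
        off += 2 + olen;
    }
    return remote_efs;
}

/* Append one TLV option to the response; returns the new response length. */
static size_t add_opt(uint8_t *rsp, size_t n, uint8_t type, const void *val, uint8_t len)
{
    rsp[n] = type;
    rsp[n + 1] = len;
    memcpy(rsp + n + 2, val, len);
    return n + 2 + len;
}

/* Vulnerable shape: echoing EFS depends on the channel flag alone and the
 * struct is never initialized, so a request without an EFS option makes the
 * responder ship whatever the stack held. */
static size_t build_rsp_vulnerable(struct chan *chan, const uint8_t *req, size_t len, uint8_t *rsp)
{
    struct l2cap_conf_efs efs;
    memset(&efs, STALE_BYTE, sizeof efs);   /* constructed: simulates stale stack contents */
    parse_options(req, len, &efs);           /* result ignored, as in the buggy path */
    size_t n = 0;
    if (chan->flags & FLAG_EFS_ENABLE)
        n = add_opt(rsp, n, L2CAP_CONF_EFS, &efs, sizeof efs);
    return n;
}

/* Hardened shape: start from zeroed memory and echo EFS only when the peer
 * actually sent one, in addition to the flag. */
static size_t build_rsp_fixed(struct chan *chan, const uint8_t *req, size_t len, uint8_t *rsp)
{
    struct l2cap_conf_efs efs = {0};
    bool remote_efs = parse_options(req, len, &efs);
    size_t n = 0;
    if (remote_efs && (chan->flags & FLAG_EFS_ENABLE))
        n = add_opt(rsp, n, L2CAP_CONF_EFS, &efs, sizeof efs);
    return n;
}

/* Constructed sample requests: one with only an MTU option, one carrying EFS. */
static const uint8_t REQ_MTU_ONLY[] = { L2CAP_CONF_MTU, 0x02, 0xF2, 0x03 };   /* MTU = 1010 */
static const uint8_t REQ_WITH_EFS[] = { L2CAP_CONF_EFS, 0x10,
    0x01, 0x02, 0xF2, 0x03, 0xE8, 0x03, 0x00, 0x00,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };

/* Stand-in stack bytes the vulnerable builder echoes for a request with no EFS option. */
static int vulnerable_stale_bytes_echoed(void)
{
    struct chan c = { .flags = FLAG_EFS_ENABLE };
    uint8_t rsp[64];
    size_t n = build_rsp_vulnerable(&c, REQ_MTU_ONLY, sizeof REQ_MTU_ONLY, rsp);
    int stale = 0;
    for (size_t i = 2; i < n; i++)
        stale += (rsp[i] == STALE_BYTE);
    return stale;
}

/* Fixed builder, same request: nothing is echoed. */
static int fixed_len_without_efs(void)
{
    struct chan c = { .flags = FLAG_EFS_ENABLE };
    uint8_t rsp[64];
    return (int)build_rsp_fixed(&c, REQ_MTU_ONLY, sizeof REQ_MTU_ONLY, rsp);
}

/* Fixed builder when the peer did send EFS: header plus the 16 peer-supplied bytes. */
static int fixed_len_with_efs(void)
{
    struct chan c = { .flags = FLAG_EFS_ENABLE };
    uint8_t rsp[64];
    return (int)build_rsp_fixed(&c, REQ_WITH_EFS, sizeof REQ_WITH_EFS, rsp);
}

int main(void)
{
    printf("vulnerable, no EFS in request: %d stale bytes echoed\n", vulnerable_stale_bytes_echoed());
    printf("fixed, no EFS in request:      %d-byte response\n", fixed_len_without_efs());
    printf("fixed, EFS in request:         %d-byte response\n", fixed_len_with_efs());
    return 0;
}
```

The two changes are independent and both matter: zero-initializing the structure closes the leak even if a later code path forgets the check, while gating on remote_efs stops the responder from inventing an EFS option the peer never negotiated.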

The problem only affects systems whose kernel is built with the CONFIG_BT_HS option (disabled by default, but enabled on some distributions, such as Ubuntu). A successful attack also requires the HCI_HS_ENABLED parameter to have been set to true through the management interface (not the case by default).

For both bugs, proof-of-concept exploits that work on Ubuntu 22.04 have already been published to demonstrate that a remote attack is possible.

To carry out the attack, the attacker must be within Bluetooth range; no prior pairing is required, but Bluetooth must be active on the target machine. It is enough to know the MAC address of the victim's device, which can be determined by sniffing or, on some devices, derived from the Wi-Fi MAC address.

Finally, it is worth noting how long both issues have been present: the first vulnerability (the use-after-free) dates back to August 2014 (kernel 3.16), and the second (the CVE-2022-42895 leak of kernel memory into configuration packets in the L2CAP handler) to October 2011 (kernel 3.0).

Those who want to follow the fixes in their distribution can do so on the respective security pages: Debian, Ubuntu, Gentoo, RHEL, SUSE, Fedora, Arch.
