Two vulnerabilities were found in the Linux kernel that still allow users to escalate their privileges.

If exploited, these flaws could allow attackers to gain unauthorized access to sensitive information or, more generally, to cause problems.

A few days ago the news broke that two vulnerabilities had been found in the Netfilter and io_uring subsystems of the Linux kernel, each of which allows a local user to escalate their privileges on the system.

The first is a vulnerability (CVE-2023-32233) found in the Netfilter subsystem. It is caused by a use-after-free memory access in the nf_tables module, which implements the nftables packet filter.

The bug stems from the fact that netfilter nf_tables allows its configuration to be updated through batch requests that group several basic operations into one atomic transaction.

The problem has been reproduced on several versions of the Linux kernel, including Linux 6.3.1 (the current stable release), and the vulnerability can be exploited by sending specially crafted requests to update the nftables configuration. The attack reportedly requires access to nftables, which can be obtained in a separate network namespace if you hold the CLONE_NEWUSER, CLONE_NEWNS or CLONE_NEWNET rights (for example, if you are able to run an isolated container).

For this bug, the researcher who found the problem promised to delay by one week the publication of detailed information and of a working exploit example that yields a root shell.

In one particular scenario, an invalid batch request may contain an operation that implicitly deletes an existing nft anonymous set, followed by another operation that tries to act on that same nft anonymous set after it has been deleted. In the scenario above, an example of the first operation is deleting an existing nft rule that uses an nft anonymous set. An example of the second operation is trying to remove an element from that nft anonymous set after the set has already been removed by the other means; the second operation may even try to explicitly delete that nft anonymous set a second time.

As mentioned at the start, this happened several days ago, and the exploit and the accompanying information have since been published. The exploit, together with its write-up, can be found at the following link.

The second flaw identified is a vulnerability (CVE-2023-2598) in the implementation of the asynchronous I/O interface io_uring, which has been included in the Linux kernel since version 5.1.

The problem is caused by a bug in the io_sqe_buffer_register function that allows access to physical memory outside the bounds of a statically allocated buffer. The issue only appears in the 6.3 branch and will be fixed in the upcoming 6.3.2 update.

The idea behind the original change is reportedly that, instead of splitting large pages into many bvec entries, a single bvec entry can cover all parts of the page. Specifically, if all the pages in the mapped buffer use the same first page struct, the first page struct and the buffer length are stored in a single bvec entry rather than mapping each page individually.

As a result, the bvec extends beyond the single page it is allowed to touch. Later, IORING_OP_READ_FIXED and IORING_OP_WRITE_FIXED allow reading from and writing to the buffer (that is, the memory the bvec points to) at will. This gives read/write access to the physical memory lying behind the only page that was actually mapped.

The vulnerability publication lists the steps to reproduce the fault:

1. Create a memfd.
2. Fault a single page into that file descriptor.
3. Use MAP_FIXED to map this page repeatedly at consecutive addresses.
4. Register the whole region you have just filled with that page as a fixed buffer with IORING_REGISTER_BUFFERS.
5. Use IORING_OP_WRITE_FIXED to write the buffer to another file (OOB read), or IORING_OP_READ_FIXED to read data into the buffer (OOB write).

Finally, it is worth mentioning that a working exploit prototype for CVE-2023-2598 is already available for testing, and it allows code to be run with kernel privileges.

The vulnerability CVE-2023-32233 was fixed in the 6.4-rc update, and you can follow the status of the fix in the distributions on their pages: Debian, Ubuntu, Gentoo, RHEL, Fedora, SUSE/openSUSE, Arch.
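A small check that turns the version ranges given above for both bugs, and the user-namespace requirement noted for the nf_tables attack, into something an administrator can run on a host. This is an added example, not code from the article or from the kernel project; it assumes that any kernel older than 6.4 should be treated as possibly affected by CVE-2023-32233 unless the distribution has backported the fix.

```sh
#!/bin/sh
# Added example, not code from the article or the kernel project. Classifies a
# kernel version against the two bugs above using the ranges the article gives:
# CVE-2023-2598 hits the 6.3 branch before 6.3.2, CVE-2023-32233 is fixed from
# 6.4-rc. Assumption: anything before 6.4 is "possibly affected" (distribution
# kernels may carry a backported fix, so check the vendor advisory).

# vcomp VERSION N: Nth dotted component as a number; missing component is 0,
# a suffix such as "-rc1" is dropped.
vcomp() {
    c=$(printf '%s\n' "$1" | cut -d. -f"$2")
    c=${c%%[!0-9]*}
    printf '%s\n' "${c:-0}"
}

# version_lt A B: succeeds when A sorts before B (three numeric components).
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vcomp "$1" "$i"); y=$(vcomp "$2" "$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# CVE-2023-2598 (io_uring io_sqe_buffer_register): 6.3 <= version < 6.3.2
io_uring_affected() { ! version_lt "$1" "6.3" && version_lt "$1" "6.3.2"; }

# CVE-2023-32233 (nf_tables use-after-free): fixed upstream from 6.4-rc
nf_tables_affected() { version_lt "$1" "6.4"; }

# Report for the running kernel. The nf_tables bug needs a network namespace,
# which an unprivileged user can obtain via user namespaces, so also show
# user.max_user_namespaces (0 closes that path on hosts that need nothing else).
report() {
    kver=$(uname -r | cut -d- -f1)
    echo "kernel: $kver"
    if io_uring_affected "$kver"; then echo "CVE-2023-2598: affected, update to 6.3.2"
    else echo "CVE-2023-2598: outside affected range"; fi
    if nf_tables_affected "$kver"; then echo "CVE-2023-32233: possibly affected, check vendor fix"
    else echo "CVE-2023-32233: fixed upstream"; fi
    echo "user.max_user_namespaces: $(sysctl -n user.max_user_namespaces 2>/dev/null || echo unknown)"
}

report
```

The version functions can also be called with an arbitrary version string, which is useful for checking a fleet inventory rather than only the local host.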
