Linux kernel iSCSI kushomeka inobvumira kukwidziridzwa kweropafadzo

Munguva pfupi yapfuura ruzivo rwakakosha nezve kuzivikanwa kwe kusagadzikana (yakanyorwa seCVE-2021-27365) mune iyo iSCSI subsystem kodhi Linux kernel iyo Inobvumidza mushandisi asina mukana weko kumhanyisa kodhi padanho rekernel uye kuwana rombo rakanaka pamutambo.

Dambudziko rinokonzereswa nebug mune mashandiro eiyo libiscsi module iscsi_host_get_param (), yakaunzwa kumashure muna 2006 panguva yekuvandudzwa kweSICSI subsystem. Nekuda kwekushomeka kwakakodzera kwemazizi ekudzora, mamwe eSCSI tambo hunhu, senge zita remubati kana zita rezita, inogona kupfuura iyo PAGE_SIZE (4KB) kukosha.

Iko kunetseka kunogona kushandiswa nekutumira mameseji eNetlink nemushandisi asina rukudzo uyo anoisa iSCSI hunhu kumitengo yakakura kupfuura PAGE_SIZE. Kana uchiverenga hunhu dhata kuburikidza ne sysfs kana seqfs, kodhi inodaidzwa kupfuudza hunhu ku sprintf kuti ivo vateedzerwe mune buffer iri PAGE_SIZE muhukuru.

Iyo yakasarudzika sisitimu iri kubvunzwa ndeye SCSI (Diki Computer Computer Interface) yekufambisa dhata, inova ndiyo chiyero chekuchinjisa dhata rakagadzirwa kubatanidza makomputa kune zvigadzirwa zvemupendero, pakutanga kuburikidza netambo yemuviri, senge madhiraivha akaomarara. SCSI muyero unoremekedzwa wakatanga kuburitswa muna 1986 uye yaive yegoridhe chiyero chekugadziriswa kweseva, uye iSCSI iri SCSI pamusoro peTCP. SCSI ichiri kushandiswa nhasi, kunyanya mune mamwe mamiriro ekuchengetedza, asi izvi zvinova sei nzvimbo yekurwisa pane yakasarudzika Linux system?

Kushandisa kusagadzikana mukugovera zvinoenderana nerutsigiro rwe kernel module autoloading scsi_transport_iscsi paunenge uchiedza kugadzira iyo NETLINK_ISCSI socket.

Mukugovera uko module iyi inotakura otomatiki, kurwisa kwacho kunogona kuitiswa zvisinei nekushandiswa kweSCSI mashandiro. Panguva imwecheteyo, kuti ibudirire kushandiswa kwekushandisa, kunyoreswa kweinenge imwechete iSCSI yekufambisa inodiwa zvakare. Nekudaro, kunyoresa chekufambisa, unogona kushandisa iyo ib_iser kernel module, iyo inotakurwa otomatiki kana mushandisi asina rombo achiedza kugadzira NETLINK_RDMA socket.

Otomatiki kurodha mamodule anodikanwa kuti ushandise kushandisa inotsigira CentOS 8, RHEL 8, uye Fedora nekuisa iyo rdma-core package pane system, kunova kutsamira kwemamwe mapakeji anozivikanwa uye kunoiswa neakasarudzika mukugadziriswa kwenzvimbo dzekushandira, masisitimu eserura neGUI uye kugonesesa kwenzvimbo dzevagari.

Panguva imwecheteyo, rdma-core haina kuiswa kana uchishandisa sevha yekuvaka iyo inoshanda chete mune yekunyaradza modhi uye kana uchiisa yakaderera yekuisa mufananidzo. Semuenzaniso, iyo pasuru inosanganisirwa musimboti Fedora 31 Workstation kugovera, asi haina kuiswa muFedora 31 Server.

Debian uye Ubuntu havanyanyo kubatwa nedambudzikosezvo rdma-core package chete inoremedza kernel module inodiwa pakurwisa kana RDMA Hardware iripo. Nekudaro, iyo server-padivi Ubuntu package inosanganisira iyo yakavhurika-iscsi package, iyo inosanganisira iyo /lib/modules-load.d/open-iscsi.conf faira kuona kuti iSCSI ma module anotakurwa otomatiki pane ese bhuti.

Chinhu chinoshanda chekushandisa chinowanikwa edza pane iyi link iripazasi.

Kushushikana kwakagadziriswa muLinux kernel inogadziridza 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, uye 4.4.260. Kernel package zvinyorwa zviripo paDebian (oldstable), Ubuntu, SUSE / openSUSE, Arch Linux, uye Fedora kugoverwa, nepo RHEL pasina zvigadziriso zvaburitswa parizvino.

Zvakare, mune iSCSI subsystem njodzi mbiri dzisina njodzi dzakagadziriswa izvo zvinogona kutungamira kune kernel dhata leakage: CVE-2021-27363 (yakaburitsa ruzivo nezve iSCSI yekufambisa tsananguro kuburikidza ne sysfs) uye CVE-2021-27364 (kuverenga kubva mudunhu riri kunze kwemiganhu yetabha).

Uku kunetsekana kunogona kushandiswa kutaura pamusoro peneti yekubatanidza socket pamwe neICSI subsystem isina mukana wakakodzera. Semuenzaniso, mushandisi asina rukudzo anogona kubatanidza kune iSCSI uye kutumira raiti yekubuda.

mabviro: https://blog.grimm-co.com


Izvo zviri muchinyorwa zvinoomerera pamisimboti yedu ye tsika dzekunyora. Kuti utaure chikanganiso tinya pano.

Iva wekutanga kutaura

Siya yako yekutaura

Your kero e havazobvumirwi ichibudiswa.

*

*

  1. Inotarisira data: AB Internet Networks 2008 SL
  2. Chinangwa cheiyo data: Kudzora SPAM, manejimendi manejimendi.
  3. Legitimation: Kubvuma kwako
  4. Kutaurirana kwedata
  5. Dhata yekuchengetedza: Dhatabhesi inobatwa neOccentus Networks (EU)
  6. Kodzero: Panguva ipi neipi iwe unogona kudzora, kupora uye kudzima ruzivo rwako