Vulnerability found in the GNU C library


If exploited, these flaws could allow attackers to gain unauthorized access to sensitive information or, more generally, to cause a range of problems.

Details were recently published about a vulnerability affecting the glibc standard C library. It is tracked as CVE-2023-6246, scored 8.4 on the CVSS scale, and was discovered by researchers at Qualys.

CVE-2023-6246 allows an SUID application to be abused to execute arbitrary code. It stems from a buffer overflow in the __vsyslog_internal() function, which is used internally when the syslog() and vsyslog() functions are called.

About CVE-2023-6246

The problem arises from an error in handling an overly long program name through the SYSLOG_HEADER macro. When the buffer is enlarged on the basis of the long name, an overflow occurs, and data is written past the end of the original, smaller buffer.

The vulnerabilities found in glibc's syslog and qsort functions underline a crucial point about software security: even the most fundamental and trusted components are not immune to failure. The consequences of these vulnerabilities extend beyond individual systems, affecting numerous applications and potentially millions of users worldwide. This article aims to shed light on the precise nature of these vulnerabilities, their impact, and the measures being taken to mitigate them.

In an attack through the su utility, the attacker can change the executable's name as the application starts by substituting the argv[0] value, which is used to obtain the program name when a message is sent to the log, and thereby gain control over the data written outside the allocated buffer. The overflow can be used to overwrite the nss_module structure in the nss library in order to load a shared library and execute it as root.

The problem has been present since the release of glibc 2.37, published in August 2022, which included a change in how attempts to write overly large messages are handled. That change was also backported to glibc 2.36 and to distribution packages with older glibc versions, because it fixed a different, less serious vulnerability. It turned out that the fix for the non-dangerous vulnerability introduced a far more serious problem. It is worth noting that a similar vulnerability was reported in 1997 in the vsyslog() function of the libc 5.4.3 library.

The discovery of vulnerabilities in the syslog and qsort functions of the GNU C library raises serious security concerns.

Qualys researchers found the vulnerability while testing several well-known Linux-based installations and confirmed that a number of them were vulnerable, including Debian 12/13, Ubuntu 23.04/23.10, and Fedora 37 to 39.

To demonstrate the vulnerability, the researchers developed a working exploit that obtains root privileges by passing command-line arguments when running the su utility. The exploit was shown to gain root privileges as an unprivileged user and ran on a fully updated Fedora 38 system with all protection mechanisms enabled in the default configuration. The vulnerability can only be exploited locally, since it requires passing more than 1024 bytes through the argv[0] parameter or through the ident argument of the openlog() function.
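The length-handling error described in the section above and the 1024-byte threshold just mentioned come down to the same thing: a fixed-size buffer being used together with a length that was computed for a longer string. The C program below is an added example, not glibc's code, showing the defensive pattern: the return value of snprintf is treated as the length the header would have needed, the fixed stack buffer is used only when that length genuinely fits, and otherwise an exactly sized heap buffer is allocated. The function names format_log_line and line_len_for_ident, the header layout in HDR_FMT, and the STACK_BUF_SIZE constant are constructed for this example and are not glibc's SYSLOG_HEADER or its internal variables.

```c
/* Added example (not glibc's code): two-pass log-line formatting that cannot
   write past a fixed stack buffer, however long the ident is. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF_SIZE 1024            /* constructed; same order as the 1024-byte limit in the article */
#define HDR_FMT "<%d>%s[%d]: "         /* constructed header layout, not glibc's SYSLOG_HEADER */

/* Hypothetical helper: builds "<pri>ident[pid]: message" and returns a
   heap-allocated string the caller frees, or NULL on failure. */
char *format_log_line(int pri, const char *ident, int pid, const char *fmt, ...)
{
    char stackbuf[STACK_BUF_SIZE];
    va_list ap, ap2;
    char *out = NULL;
    int hdr_len, msg_len;

    va_start(ap, fmt);

    /* Pass 1: render the header into the fixed buffer. snprintf returns the
       length the header WOULD have needed, even when it had to truncate. */
    hdr_len = snprintf(stackbuf, sizeof stackbuf, HDR_FMT, pri, ident, pid);
    if (hdr_len < 0) {
        va_end(ap);
        return NULL;
    }

    /* Fast path, valid only when the header really fit. If an over-long ident
       made hdr_len >= sizeof stackbuf, stackbuf + hdr_len would already point
       past the buffer; that is the miscalculation this check prevents. */
    if ((size_t)hdr_len < sizeof stackbuf) {
        va_copy(ap2, ap);
        msg_len = vsnprintf(stackbuf + hdr_len, sizeof stackbuf - (size_t)hdr_len, fmt, ap2);
        va_end(ap2);
        if (msg_len >= 0 && (size_t)hdr_len + (size_t)msg_len < sizeof stackbuf) {
            size_t n = (size_t)hdr_len + (size_t)msg_len + 1;   /* includes the NUL */
            out = malloc(n);
            if (out != NULL)
                memcpy(out, stackbuf, n);
            va_end(ap);
            return out;
        }
    }

    /* Slow path: header or message did not fit. The truncated stack contents
       are discarded; both parts are measured and an exact buffer allocated. */
    va_copy(ap2, ap);
    msg_len = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (msg_len >= 0) {
        size_t total = (size_t)hdr_len + (size_t)msg_len + 1;
        out = malloc(total);
        if (out != NULL) {
            /* Re-render the header with room for its full length plus NUL. */
            if (snprintf(out, (size_t)hdr_len + 1, HDR_FMT, pri, ident, pid) == hdr_len) {
                vsnprintf(out + hdr_len, total - (size_t)hdr_len, fmt, ap);
            } else {
                free(out);
                out = NULL;
            }
        }
    }
    va_end(ap);
    return out;
}

/* Self-check: formats the message "x" with an ident of ident_len 'A'
   characters and returns the resulting line length, -1 on failure, or -2 if
   the ident or the message did not survive intact. */
long line_len_for_ident(size_t ident_len)
{
    char *ident = malloc(ident_len + 1);
    if (ident == NULL)
        return -1;
    memset(ident, 'A', ident_len);
    ident[ident_len] = '\0';

    char *line = format_log_line(13, ident, 42, "%s", "x");
    long result;
    if (line == NULL) {
        result = -1;
    } else {
        size_t len = strlen(line);
        int intact = len > ident_len + 4
                  && memcmp(line + 4, ident, ident_len) == 0   /* ident follows "<13>" */
                  && line[len - 1] == 'x';
        result = intact ? (long)len : -2;
        free(line);
    }
    free(ident);
    return result;
}

int main(void)
{
    printf("short ident: %ld bytes\n", line_len_for_ident(2));     /* fits the stack buffer */
    printf("long ident:  %ld bytes\n", line_len_for_ident(2000));  /* forces the heap path */
    return 0;
}
```

For an ident of N characters the line is always N + 11 bytes long here (4 for "<13>", 6 for "[42]: ", 1 for the message), whichever path is taken; the checks at 1012 and 1013 characters sit on either side of the point where the stack buffer stops being large enough.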

As for the fix, it is reported to have already been merged into the glibc codebase and will be part of the glibc 2.39 release, together with fixes for two other vulnerabilities (CVE-2023-6779 and CVE-2023-6780) that also affect the __vsyslog_internal() code and cause buffer overflows.

In addition, Qualys warned about a buffer overflow identified in the implementation of the qsort() function, which the glibc developers did not classify as dangerous, since exploiting it requires passing an atypical comparison function to qsort, one that returns the difference of the compared parameters.
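As an added illustration of that qsort point (example code, not glibc's or Qualys's): a comparator that returns the difference of its two arguments stops describing a consistent ordering as soon as the subtraction leaves the int range, and qsort relies on that ordering being consistent. A comparator that returns only -1, 0 or 1 cannot fail this way. The names cmp_difference, cmp_safe, comparator_is_consistent, sorted_with_safe_comparator and the sample array are constructed for this example.

```c
/* Added example (not glibc's code): the difference comparator the article
   refers to, beside the safe form, with a checker for qsort's contract. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* The "atypical" comparator: returns the difference of the two elements.
   Real code writes `return x - y;`, which is undefined behaviour when the
   subtraction overflows; this version reproduces the two's-complement wrap
   explicitly so that the demonstration itself is well-defined. */
int cmp_difference(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (int)((unsigned)x - (unsigned)y);   /* sign is wrong once x - y leaves int range */
}

/* The safe form: the result is always -1, 0 or 1 and no arithmetic can overflow. */
int cmp_safe(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

static int sign(int v) { return (v > 0) - (v < 0); }

/* Checks, over every pair and triple of the sample, the contract qsort relies
   on: cmp(a,b) and cmp(b,a) must have opposite signs (or both be zero), and
   a<=b together with b<=c must give a<=c. Returns 1 if the comparator is
   consistent on the sample, 0 otherwise. */
int comparator_is_consistent(int (*cmp)(const void *, const void *), const int *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (sign(cmp(&v[i], &v[j])) != -sign(cmp(&v[j], &v[i])))
                return 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            for (size_t k = 0; k < n; k++)
                if (cmp(&v[i], &v[j]) <= 0 && cmp(&v[j], &v[k]) <= 0 && cmp(&v[i], &v[k]) > 0)
                    return 0;
    return 1;
}

/* Sorts a copy of the sample with cmp_safe and returns 1 if the result is
   ascending. Only the safe comparator is ever handed to qsort here, because
   an inconsistent comparator is exactly what the article warns about. */
int sorted_with_safe_comparator(const int *v, size_t n)
{
    int *copy = malloc(n * sizeof *copy);
    if (copy == NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        copy[i] = v[i];
    qsort(copy, n, sizeof *copy, cmp_safe);
    int ok = 1;
    for (size_t i = 1; i < n; i++)
        if (copy[i - 1] > copy[i])
            ok = 0;
    free(copy);
    return ok;
}

/* Constructed sample that spans the whole int range. */
static const int sample[] = { 7, INT_MAX, -3, 0, INT_MIN, 1, -1 };
static const size_t sample_len = sizeof sample / sizeof sample[0];

int main(void)
{
    /* INT_MAX is larger than -1, but the difference comparator reports it as smaller. */
    printf("difference comparator, INT_MAX vs -1: %d\n", cmp_difference(&sample[1], &sample[6]));
    printf("safe comparator,       INT_MAX vs -1: %d\n", cmp_safe(&sample[1], &sample[6]));
    printf("difference comparator consistent: %d\n",
           comparator_is_consistent(cmp_difference, sample, sample_len));
    printf("safe comparator consistent:       %d\n",
           comparator_is_consistent(cmp_safe, sample, sample_len));
    printf("qsort with safe comparator sorted: %d\n",
           sorted_with_safe_comparator(sample, sample_len));
    return 0;
}
```

The consistency checker is the kind of test worth running over a comparator before handing it to qsort with untrusted element values: it catches the INT_MAX versus -1 case, where the difference comparator claims each of the two is smaller than the other.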

Finally, if you want to learn more, you can check the status of the vulnerability on the pages of the following distributions: Debian, Ubuntu, SUSE, RHEL, Fedora, Arch Linux, Gentoo and Slackware.

Source: https://blog.qualys.com
