Bachonge ukuba semngciphekweni kwi-Shim evumela ukuba i-UEFI iqale ngokukhuselekileyo ukuba igqithe

Umngcipheko

Ukuba zixhatshaziwe, ezi ziphene zinokuvumela abahlaseli ukuba bafumane ukufikelela okungagunyaziswanga kulwazi olubuthathaka okanye ngokubanzi babangele iingxaki.

Kutshanje iindaba ziye zaqhekeka Ukuba semngciphekweni okude kwafunyanwa umaleko Shim, esetyenziswa ngokubanzi kunikezelo lweLinux lwesiqalo esiqinisekisiweyo kwimowudi yokuqalisa ekhuselekileyo ye-UEFI.

Ukuba sesichengeni, esele kufakwe kwikhathalogu phantsi kwe-"CVE-2023-40547" kwaye kuvavanywe ngamanqaku angama-8.3 ​​kwisikali se-CVSS, ibeka imingcipheko ebalulekileyo, kubandakanywa nokwenzeka kokuphunyezwa kwekhowudi ekude kunye nokushiywa kwenkqubo ye-Linux ekhuselekileyo.

Umngcipheko ulele kwisiphene kwikhowudi yokukhuphela iifayile ngaphezulu kweHTTP, ukuvumela iimpendulo ezingachanekanga ezenziwe ngumncedisi weHTTP ofikelelwe nguShim ukuba aqwalaselwe. Le bug ingasetyenziswa ngumhlaseli olawula umncedisi we-HTTP ukubuyisela impendulo eyenziweyo, enokuthi ibangele ukubhalwa okulawulwayo kwi-buffer engaphandle kwemida kunye nokuvumela ukuphunyezwa kwekhowudi ngexesha lokuqala kwenkqubo yokulayisha.

Undoqo wobungozi bukwimowudi yeHTTPBoot eShim evumela ukukhutshelwa kwefayile ngaphezulu kweHTTP, apho ukubuyisela ifayile ngesilayishi ebizwa kwinyathelo elilandelayo lenkqubo yokuqalisa.

Xa ukhuphela iifayile ngaphezulu kweHTTP, uShim wabela isithinteli kwidatha efunyenweyo, ngokusekelwe kubungakanani obuchaziweyo kwi "Ubude-Ubude" besihloko seHTTP. Nangona kunjalo, Ingxaki ivela xa ixabiso elincinane lifunyenwe kwi-header yoBubude boMxholo, nto leyo ekhokelela ekupheleni kwesicelo esibhaliweyo kwinkumbulo ngaphandle komda onikiweyo webuffer, ngaloo ndlela kuvelisa ukuba sesichengeni.

Ukunciphisa ubuthathaka ngaphandle kokubhenela ekurhoxiseni utyikityo lwedijithali, kuyakhankanywa ukuba indlela ye-SBAT ingasetyenziswa, ehambelana ne-GRUB2, i-shim kunye ne-fwupd kwi-Linux esetyenziswa kakhulu.

Iphuhliswe ngentsebenziswano no-Microsoft, i-SBAT ibandakanya ukongeza imetadata eyongezelelweyo kwi-UEFI yeefayili ezisebenzisekayo, ezifana nomvelisi, imveliso, inxalenye, kunye nolwazi loguqulelo. Le metadata ikhankanyiweyo iqinisekiswa ngomsayino wedijithali kwaye inokuqukwa ngokuzimeleyo kuluhlu lwamacandelo avumelekileyo okanye athintelweyo kwi-UEFI Secure Boot.

Kufuneka kukhankanywe ukubaUmngcipheko wawusele ulungisiwe ekukhutshweni kweShim 15.8Nangona kunjalo, ukuqinisekisa ukhuseleko olupheleleyo kuhlaselo ngeShim, Kuyimfuneko ukuba inguqulelo entsha iqinisekiswe nguMicrosoft kwaye iphunyezwe kunikezelo lweLinux.

Nangona ingxaki yeyokuba ngaphandle kokurhoxisa utyikityo loguqulelo lwangaphambili, isisombululo asinangqondo, kuba umhlaseli unokusebenzisa isixhobo sokuqalisa esinoguqulelo olusesichengeni lweShim ukuthomalalisa i-UEFI ekhuselekileyo yokuqalisa. Kodwa ukurhoxisa utyikityo kuyakwenza ukuba kungenzeki ukungqinisisa i-boot yonikezelo oluqhubeka nokusebenzisa uguqulelo lwangaphambili lwe-Shim.

Okokugqibela, kufanelekile ukukhankanya ukuba, ukongeza ekujonganeni nobuthathaka obukhankanywe ngasentla, I-Shim 15.8 nayo isombulula imiba emininzi yokhuseleko abaluleke kakhulu anokusetyenziswa ekuhlaleni. Le miba yokhuseleko ichongiwe ngezi zichongi ze-CVE zilandelayo:

  1. I-CVE-2023-40548: Lo mba ubandakanya ukuphuphuma okupheleleyo kumsebenzi we-verify_sbat_section, onokubangela ukuphuphuma kwebuffer kwiinkqubo ze-32-bit.
  2. I-CVE-2023-40546: Imemori engaphandle kwemida efundiweyo yenzeka xa unika ingxelo yemiyalezo yemposiso ngeLogError () umsebenzi.
  3. I-CVE-2023-40549: Enye inkumbulo engaphandle kwemida efundiweyo yenzeka xa kusetyenzwa ngokukodwa ifayile yePE eyenziweyo kwi verify_buffer_authenticode() umsebenzi.
  4. I-CVE-2023-40550: Ibandakanya inkumbulo efundwe ngaphandle kwesithinteli kwi verify_buffer_sbat () umsebenzi.
  5. I-CVE-2023-40551: Imemori engaphandle kwemida efundiweyo yenzeka xa kusahlulwa iifayile zeMZ.

Obu buthathaka buqaqambisa ukubaluleka kokujongana nobuthathaka ekuphunyezweni kwemigaqo yokhuseleko, ngakumbi kwiinkqubo ezibalulekileyo ezifana nenkqubo ekhuselekileyo yokuqalisa kunikezelo lweLinux.

Okokugqibela kodwa okungakuncinananga, njengoko sihlala sisenza, sicebisa ukuba abasebenzisi basebenzise iipetshi ezifanelekileyo kunye nohlaziyo ukunciphisa imingcipheko eyayanyaniswa nobu sesichengeni kunye nokukhusela iinkqubo zabo kuhlaselo olunokwenzeka.

Ukuba ukhona unomdla wokwazi ngakumbi ngayo, ungajonga iinkcukacha Kule khonkco ilandelayo.


Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Inoxanduva lwedatha: I-AB Internet Networks 2008 SL
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.