Multiple vulnerabilities identified in the Linux kernel

News was recently released that several vulnerabilities classified as dangerous have been identified in the Linux kernel, all of which allow a local user to elevate their privileges on the system.

The first of the vulnerabilities is CVE-2022-0995. It is present in the "watch_queue" event tracking subsystem and causes data to be written to an area of kernel memory outside the allocated buffer. The attack can be carried out by any unprivileged user, and their code is executed with kernel privileges.

The vulnerability is in the watch_queue_set_size() function and is tied to an attempt to clear all pointers in the list, even if no memory has been allocated for them. The problem appears when the kernel is built with the "CONFIG_WATCH_QUEUE=y" option, which most Linux distributions use.

It is mentioned that the vulnerability was resolved in a change added to the kernel on March 11.

The second vulnerability disclosed is CVE-2022-27666, which is present in the esp4 and esp6 kernel modules. These implement the Encapsulating Security Payload (ESP) transformations for IPsec and are used with both IPv4 and IPv6.

The vulnerability allows a local user with ordinary privileges to overwrite objects in kernel memory and elevate their privileges on the system. The problem is caused by a mismatch between the size of the allocated memory and the data actually received, because the maximum message size can exceed the maximum size of the memory allocated for the skb_page_frag_refill structure.

It is mentioned that the vulnerability was fixed in the kernel on March 7 (fixed in 5.17, 5.16.15, etc.), and that a working prototype of an exploit has been published on GitHub that allows an ordinary user to gain root access on Ubuntu Desktop 21.10 in its default configuration.

It is stated that, with minor changes, the exploit will also work on Fedora and Debian. It should be noted that the exploit was originally prepared for the pwn2own 2022 competition, but the associated bug was identified and fixed by the kernel developers, so it was decided to disclose the details of the vulnerability.

The other vulnerabilities disclosed are CVE-2022-1015 and CVE-2022-1016, in the netfilter subsystem, in the nf_tables module that powers the nftables packet filter. The researcher who identified the issues announced that working exploits have been prepared for both vulnerabilities, and these are planned for release a few days after the kernel package updates are released.

The first issue allows an unprivileged local user to achieve an out-of-bounds write to the stack. The overflow occurs when processing specially crafted nftables expressions, which are handled during the validation phase of indexes supplied by a user who has access to the nftables rules.

The vulnerability is due to the fact that the developers assumed the value of "enum nft_registers reg" is one byte, while with certain optimizations enabled the compiler, according to the C89 specification, may use a 32-bit value for it. Because of this quirk, the size used when checking and allocating memory does not match the actual size of the data in the structure, which causes the tail of the structure to overlap pointers on the stack.

The problem can be exploited to execute code at the kernel level, but a successful attack requires access to nftables.

That access can be obtained in a separate network namespace, given CLONE_NEWUSER or CLONE_NEWNET rights (for example, if you can run an isolated container). The vulnerability is also closely tied to the optimizations used by the compiler, which are enabled, for example, when building in "CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y" mode. Exploitation of the vulnerability is possible starting with Linux kernel 5.12.

The second netfilter vulnerability occurs when an already freed memory area is accessed (use-after-free) in the nft_do_chain handler. It can cause a leak of uninitialized kernel memory areas, which can be read through manipulation of nftables expressions and used, for example, to determine pointer addresses while developing exploits for other vulnerabilities. Exploitation of the vulnerability is possible starting with Linux kernel 5.13.

The vulnerabilities were fixed in the recently released kernel updates.
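
The exposure preconditions this article names (CONFIG_WATCH_QUEUE, the esp4/esp6 modules, nf_tables from 5.12 and 5.13 onward, and access through user namespaces) can be checked on a host with a script like the one below. It is an added example, not part of the original article; the function names are hypothetical, and it assumes the kernel config is at /boot/config-$(uname -r), that `sort -V` is available, and that CONFIG_INET_ESP, CONFIG_INET6_ESP and CONFIG_NF_TABLES are the options that build esp4, esp6 and nf_tables.

```shell
#!/bin/sh
# Exposure pre-check for the kernel issues in this article (added example).
# A hit means "confirm the vendor's patched package", not "vulnerable":
# distribution kernels backport fixes without changing the base version.

# version_ge A B: true when version A >= B (relies on sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# config_has FILE OPTION: true when the kernel config sets OPTION to y or m.
config_has() {
    grep -Eq "^$2=(y|m)\$" "$1" 2>/dev/null
}

# userns_open PROCROOT: true when unprivileged user namespaces are allowed,
# which is how the article says nftables becomes reachable without root.
userns_open() {
    max=$(cat "$1/sys/user/max_user_namespaces" 2>/dev/null || echo 0)
    # Debian/Ubuntu-only switch; absent elsewhere, so default to "allowed".
    clone=$(cat "$1/sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)
    [ "$max" -gt 0 ] && [ "$clone" != 0 ]
}

# audit RELEASE CONFIG PROCROOT: print one line per exposure precondition met.
audit() {
    ver=${1%%-*}    # "5.13.0-30-generic" -> "5.13.0"
    if config_has "$2" CONFIG_WATCH_QUEUE; then
        echo "CVE-2022-0995: CONFIG_WATCH_QUEUE enabled"
    fi
    if config_has "$2" CONFIG_INET_ESP || config_has "$2" CONFIG_INET6_ESP; then
        version_ge "$ver" 5.16.15 || echo "CVE-2022-27666: esp4/esp6 built, base below 5.16.15"
    fi
    if config_has "$2" CONFIG_NF_TABLES; then
        reach="privileged users only"
        if userns_open "$3"; then reach="any user via user namespaces"; fi
        if version_ge "$ver" 5.12; then echo "CVE-2022-1015: nf_tables, reachable by $reach"; fi
        if version_ge "$ver" 5.13; then echo "CVE-2022-1016: nf_tables, reachable by $reach"; fi
    fi
    return 0
}

# Audit the running host with: sh kernel-precheck.sh run
if [ "${1:-}" = run ]; then
    audit "$(uname -r)" "/boot/config-$(uname -r)" /proc
fi
```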

